Security researchers from ESET®, a global pioneer in proactive protection for 25 years, have published on welivesecurity.com a detailed analysis of the Win32/Aibatook malware, which targets customers of Japanese banks and visitors to some of the country's most popular pornographic websites.
ESET security researchers have estimated that more than 90 websites are being targeted by the information-stealing criminals. Upon visiting compromised sites, users can be redirected to an exploit page that attempts to take advantage of Java vulnerability CVE-2013-2465, a vulnerability that was patched in June 2013. If a vulnerable Windows computer is identified, a 404 error page is displayed to mask that the PC is silently running a malicious Java applet.
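The fake 404 page described above is a useful detection signal for defenders: a genuine "Not Found" response has no reason to embed a Java applet. The following Python is an added illustration, not ESET's code or anything taken from the Aibatook analysis. It parses constructed HTTP responses and flags any 404 whose HTML body still loads Java content via an `<applet>` tag or an `<object>`/`<embed>` pointing at an applet or `.jar`/`.class` file. The sample responses, names and regex heuristics are all assumptions made for the example; real deployments would feed it from a proxy log or web-content capture.

```python
"""Flag HTTP 404 responses that nonetheless try to load a Java applet.

Added example (not from the original article). Heuristic: a page that answers
404 but embeds <applet> or a Java <object>/<embed> is masking applet execution.
"""
import re
from typing import Dict, List, Tuple

# Explicit <applet> tag (deprecated, but still honoured by old Java plug-ins).
APPLET_TAG = re.compile(r"<applet\b", re.IGNORECASE)

# <object>/<embed> that declares the applet MIME type or references Java
# bytecode. The attribute list is scanned up to the closing '>' only.
JAVA_OBJECT = re.compile(
    r"<(?:object|embed)\b[^>]*?(?:application/x-java-applet|\.jar\b|\.class\b)",
    re.IGNORECASE | re.DOTALL,
)


def parse_http_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def loads_java(body: str) -> bool:
    """True if the HTML body contains any construct that launches Java."""
    return bool(APPLET_TAG.search(body) or JAVA_OBJECT.search(body))


def masked_applet(raw: str) -> bool:
    """True only for a 404 response whose body still loads Java content."""
    status, _headers, body = parse_http_response(raw)
    return status == 404 and loads_java(body)


def scan(responses: List[Tuple[str, str]]) -> List[str]:
    """Return the names of all responses matching the masked-applet pattern."""
    return [name for name, raw in responses if masked_applet(raw)]


# Constructed sample traffic (assumption: not real captures).
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("genuine-404",
     "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
     "<html><body><h1>404 Not Found</h1></body></html>"),
    ("legit-applet-200",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<html><body><applet code=\"Viewer.class\" archive=\"viewer.jar\">"
     "</applet></body></html>"),
    ("masked-applet-404",
     "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
     "<html><body><h1>404 Not Found</h1>"
     "<applet code=\"Loader.class\" archive=\"payload.jar\" width=\"1\" "
     "height=\"1\"></applet></body></html>"),
    ("masked-object-404",
     "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
     "<html><body><h1>Not Found</h1>"
     "<object type=\"application/x-java-applet\" width=\"1\" height=\"1\">"
     "<param name=\"archive\" value=\"x.jar\"></object></body></html>"),
]

if __name__ == "__main__":
    for name in scan(SAMPLE_RESPONSES):
        print(f"ALERT: {name} answers 404 but embeds Java content")
```

The 200 response with a legitimate applet is deliberately not flagged: the signal is the mismatch between the status code and the body, not the presence of Java alone. A hardened version of this check would also compare the `Content-Length` of successive 404s from the same host, since a decoy error page that varies in size is another hint that it is not a static server default.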
Unlike much of today's malware, which makes use of multiple vulnerabilities to increase the likelihood of finding a potential victim, this malware campaign, discovered by ESET security researchers, relies on a single exploit.
Once the malware is installed, it waits for victims to log into online banks with Internet Explorer (the most widely-used browser in Japan). Cunningly, the malware injects fraudulent forms onto the page to harvest confidential login information. Stolen data is then sent to the criminals behind the Aibatook malware campaign via a Command and Control server.
ESET reminds all computer users of the importance of patching their computing devices.
“The key message here is for people to understand the importance of patching their computer operating system and applications regularly,” said Joan Calvet, security researcher for ESET. “Software providers continue to simplify the patching process, but it is vital we all install patches from our software providers in a timely way to secure against these types of threats. To put these guys out of business, we all need to be good net citizens.”
ESET researchers also found that those responsible for the Aibatook attack have created newer versions of the malware, capable of stealing credentials from users of web-hosting services and domain resellers.
A detailed analysis of this malware campaign is available at www.welivesecurity.com/2014/07/16/win32aibatook/
To read an opinion piece on this research, and the need for computer users to consider removing Java from their computers, visit www.welivesecurity.com/2014/07/16/hacked-japanese-porn-sites/ [Graham Cluley's piece]