Crackers use a number of techniques to get into corporate systems, including reconnaissance through s0-called watering-hole attacks.
This appears to be behind the discovery by a California unified threat management company called Alien Vault, which in a blog post warned organizations to be on the lookout for signs on their Web sites.
The attackers were able to compromise the website of one company by include code that loaded a malicious Javascript file from a remote server, wrote Jaime Blasco, director of Alien Vault Labs. The file is a framework for capturing information on the system used by a visitor to the site including operating system, cookies, security software, versions of Adobe Flash and Microsoft Office. And, for good measure, there’s also a keylogger which sends user keystrokes — along with all the other data — to a command and control server.
“This is a very powerful framework that gives attackers a lot of insight into the potential targets that will help them launching future attacks against them,” writes Blasco.
IT security professionals should look for suspicious activity against the following machines in their networks:
- mail[.]webmailgoogle.com
- js[.]webmailgoogle.com
- 122[.]10.9.109