New Injection Attack: 30,000 Websites?
Mass meshing is a new type of redirection attack that differs from SQL injection in a number of critical ways. The most damaging difference is how users can mitigate the risks of a SQL injection versus the difficulties of defending against a Mass Meshing attack.
The mass mesh approach is in contrast with a traditional SQL injection attack where the site is injected with a malicious script that includes a redirector to a harmful domain. Those harmful domains can then just be blacklisted as a means of defense. With mass meshing, since the meshed sites are legitimate and always changing, it's significantly more difficult to simply block URLs.
With SQL injection, an attacker exploits some kind of SQL flaw in order to inject code. With mass meshing, Huang said the attacker is in complete control of a website.
"So we believe this injection is not SQL but rather is done through control of infected sites using an automated FTP program," Huang said.
Huang suspects that the attackers have somehow gained access to site login credentials, which are then used by the FTP program to access the site and inject the mass meshing script.
"Some may have obtained access through shared hosting vulnerabilities, but also through Web admins that have been infected with other malware," Huang said. "There is also malware that sniffs FTP traffic."
If a site admin connects to their server through an unencrypted FTP link, someone else on the wire can "sniff" the password. Huang admitted it's not entirely clear how site access was obtained. He also noted that he hasn't yet been able to examine site logs for infected sites to try and positively identify the source IP or route taken by the mass meshing injection attackers.