2500 gambling sites compromised with a single attack
A similar attack to traditional injection attacks, but with very different technical preconditions. And as discovered by three security researchers were able to reconstruct what happened last year to a large number of websites gambling.
Security researchers Gaby Nakibly, Jaime Schcolnik and Yossi Rubin have managed to outline the details of a hacker attack, which last year hit a large number of websites dedicated to gambling and which were not yet possible to come to boss. A demo report will be presented at the Black Hat conference, which will take place from July 30 to August 4 in Las Vegas.
The crime goes back about a year ago, when users of various gambling sites have begun to experience a series of abnormal behavior with unusual windows pop-up that offered access codes to other third-party gambling sites. Links to the sites incorporated affiliate tag and while the visitors were attacked, without the perpetrators of compromised sites were able to understand where the attacks arrived.
Michael Corfman, executive director of the Gambling Professional Webmasters Association, the organization targeted by the attack, said: ” We have carefully monitored the traffic coming from our servers because we have taken very seriously this situation. The monitoring has not shown, no problem, which is quite incomprehensible. ”
The researchers found, that was involved in the attack a website registered with a false Romanian identity, despite the center of the attacks appeared as the association’s Web site, GPWA.org. Nakibly, it notes that the GPWA operates a certification service delivering a badge to its 2,476 affiliated sites. These badges are loaded directly from GPWA.org, which means that a single interception attack could go to strike visitors to all the sites at once.
When the web browser should load a page, submit a request to the server that hosts it: that request travels through several different networks, from the service provider of connectivity, to that of an intermediary who operates the ridge, to get to the local network of the server where the site. The researchers identified that the request to the GPWA.org was duplicated at some point of his career, and copy sent to a server controlled by the attackers.
In response to a single request, the user’s browser received two responses: one from GPWA.org and from QPWA.org site, registered to false Romanian identity above. Both responses were being routed through the same networks, and in many cases, the QWPA package arrived first at the destination. Faced with two responses to the same request, the browser ignores that arrived last, normally the GPWA package.
The result for the user is the same as you would in the case of a traditional injection attack: you request a file from a site. He gets one from a third party site. Unlike these kinds of attacks, which occur at the level of the Internet Service Provider that the user leans, this new type of attack can go to target anyone going to load a content GPWA.org site, which because of the badge remotely loaded certification actually goes to cover thousands of websites. Observe the server logs does not lead to anything because everything that occurs is a file request to which an answer is given.
Nakibly describes this attack as ” out-of-band ” : since these packets can be sent anywhere on the network, the attack can be much more versatile and difficult to detect than a normal man-in-the- middle. The compromise seems to have happened on the local network operated by Information Technology Systems, which houses GPWA.org and operates the infrastructure that connects to the Internet server.
The group has targeted only the visitors who came to the site through a Google search and attacked each IP address only once, making it particularly difficult for researchers to replicate the attack.
It remains to see who can be the first attacker, but Corfman harbors some suspicion on the holders of two online casino’s network, which last year ended up on trial on charges of cyber attacks against other gambling sites. These attacks took place in the same time when even the sit, the GPWA were targeted.
There is no clear evidence of the involvement of these people, but in light of the explicit accusations in the process, Corfman believes that they can be one of the few groups able to plan an attack. ” Now it is clear what they wanted to do, but then we were not aware ” noted Corfman.