Hackers Attacking Israeli Think Tank Site Ain’t After State Secrets
Network intrusion; Man-in-the-middle attack; Software vulnerability
The website of a respected Israel-based foreign policy institute, the Jerusalem Center for Public Affairs, has been infected with code that is trying to steal bank account information from visitors.
The campaign looks like an “advanced persistent threat-style attack” devised to siphon intelligence from government officials browsing the site, but “the threat is ultimately designed to pilfer banking credentials,” Kaspersky Lab reports.
The cyber strike against the think tank is part of a larger operation. Users who visit are redirected through a chain of seemingly innocuous sites affiliated with the music industry and law firms. Ultimately, users are led to a malicious server located in Russia.
This navigation route allows the attackers to sidestep anti-malware systems that look out for suspicious URLs and blacklist certain sites.
Researchers from security firm Cyphort have observed the site serving malicious software called the Sweet Orange exploit kit.
While think tanks are often the victims of targeted assaults, Cyphort told SecurityWeek that this is most likely an opportunistic assault whose goal is to help cybercriminals harvest credentials.
Kaspersky says it “attempted to reach out to the JCPA, but attempts to access their website and contact information failed as the site unsuccessfully tried to infect our machines with malware.”
Computer users are targeted through a series of Java and Internet Explorer security holes. The malware dropped inside their machines, bizarrely, also contains a link to a Wheat Thins advertisement. It’s possible the hackers are conducting some advertising fraud on the side, by enticing victims to click on the link, thereby generating ad revenue.
In addition, the malware attempts to block users from visiting the sites of certain anti-virus companies and steals passwords from a long list of banks, including PNC, Zions Bank, Sovereign Bank, SunTrust, Bank of America, J.P. Morgan, Wells Fargo, Citi Bank, Wachovia, TD Bank and many more.
Defense Industrial Base; Financial Services
September 8, 2014
Location of breach:
Location of perpetrators:
Date breach occurred:
Date breach detected: Late August 2014 or early September 2014