Threatwatch

Hackers Attacking Israeli Think Tank Site Ain’t After State Secrets

Network intrusion; Man-in-the-middle attack; Software vulnerability

The website of a respected Israel-based foreign policy institute, the Jerusalem Center for Public Affairs (JCPA), has been infected with code that tries to steal bank account credentials from visitors.

The campaign looks like an “advanced persistent threat-style attack” devised to siphon intelligence from government officials browsing the site, but “the threat is ultimately designed to pilfer banking credentials,” Kaspersky Lab reports.

The attack on the think tank is one piece of a larger operation. Visitors to the site are redirected through a chain of seemingly innocuous sites affiliated with the music industry and law firms before finally landing on a malicious server located in Russia.

This indirection helps the attackers sidestep anti-malware products that flag suspicious URLs and blacklist known-bad sites: the site a user actually visits and each intermediate hop look legitimate, and only the final server in the chain is malicious.
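To make the evasion concrete, here is an added example (not code from the article, Kaspersky Lab or Cyphort) that reconstructs a redirect chain from proxy log lines and compares a blocklist check applied only to the entry URL with one applied to every hop. The log format, hostnames, IP address and blocklist are all constructed for illustration; the chain mirrors the structure described above, where a compromised entry page leads through benign-looking intermediaries to a single known-bad endpoint.

```python
"""Follow the whole redirect chain, not just the entry URL.

Added example written for this page; it is not code from Kaspersky Lab,
Cyphort or the article. Hostnames, the IP address, the log format and
the blocklist are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines: client, status, requested URL, Location (or "-"),
# Referer (or "-"). A 302 records where the server sent the browser next; a
# Referer records which page triggered the request (e.g. an injected script tag).
SAMPLE_LOG = """\
10.0.0.5 200 http://thinktank.example/ - -
10.0.0.5 302 http://music-promo.example/track.js http://lawfirm-news.example/press/ http://thinktank.example/
10.0.0.5 302 http://lawfirm-news.example/press/ http://198.51.100.23/ek/gate.php http://thinktank.example/
10.0.0.5 200 http://198.51.100.23/ek/gate.php - http://thinktank.example/
10.0.0.9 200 http://thinktank.example/about - -
"""

# Constructed blocklist: only the final hop is known-bad; the intermediates look benign.
BLOCKLIST = {"198.51.100.23"}


def host(url):
    return urlparse(url).hostname or ""


def parse_log(text):
    """Yield (client, status, url, location, referer) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client, status, url, location, referer = line.split()
        yield client, int(status), url, location, referer


def build_graphs(records):
    """Per client, a directed graph of navigation hops.

    Edge referer -> url: the page at `referer` caused `url` to be fetched.
    Edge url -> location: a 3xx answer sent the browser on to `location`.
    """
    graphs = defaultdict(lambda: defaultdict(set))
    entries = defaultdict(set)
    for client, status, url, location, referer in records:
        if referer == "-":
            entries[client].add(url)  # top-level navigation with no referer
        else:
            graphs[client][referer].add(url)
        if 300 <= status < 400 and location != "-":
            graphs[client][url].add(location)
    return graphs, entries


def longest_chain(graph, start, seen=()):
    """Longest simple path from `start`; redirect chains are short, so DFS is fine."""
    seen = seen + (start,)
    best = [start]
    for nxt in graph.get(start, ()):
        if nxt in seen:
            continue  # ignore redirect loops
        path = [start] + longest_chain(graph, nxt, seen)
        if len(path) > len(best):
            best = path
    return best


def chains(text):
    """Map each (client, entry URL) to the longest redirect chain it produced."""
    graphs, entries = build_graphs(parse_log(text))
    out = {}
    for client, urls in entries.items():
        for entry in urls:
            out[(client, entry)] = longest_chain(graphs[client], entry)
    return out


def entry_only_verdict(chain):
    """What a blacklist that inspects only the visited site sees."""
    return host(chain[0]) in BLOCKLIST


def full_chain_verdict(chain):
    """Check every hop, including where the browser was ultimately sent."""
    return any(host(u) in BLOCKLIST for u in chain)


if __name__ == "__main__":
    for (client, entry), chain in chains(SAMPLE_LOG).items():
        print(client, " -> ".join(host(u) for u in chain))
        print("  entry-only:", entry_only_verdict(chain),
              " full-chain:", full_chain_verdict(chain))
```

For the infected client the entry-only check returns False, because the think tank domain and both intermediaries are clean, while the full-chain check returns True on the final hop. In practice the same idea is applied by correlating Referer and Location headers in web proxy or browser telemetry, rather than by checking the URL a user typed.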

Researchers at security firm Cyphort have observed the site serving the Sweet Orange exploit kit, a web-based toolkit that probes a visitor's browser and plug-ins for unpatched vulnerabilities and delivers a matching exploit.

While think tanks are often the victims of targeted assaults, Cyphort told SecurityWeek that this is most likely an opportunistic assault whose goal is to help cybercriminals harvest credentials.

Kaspersky says it “attempted to reach out to the JCPA, but attempts to access their website and contact information failed as the site unsuccessfully tried to infect our machines with malware.”

Visitors' machines are compromised through a series of Java and Internet Explorer vulnerabilities. The malware dropped onto their machines, bizarrely, also contains a link to a Wheat Thins advertisement. It is possible the attackers are conducting some advertising fraud on the side, enticing victims to click on the link and thereby generating ad revenue.

In addition, the malware attempts to block access to the websites of certain anti-virus companies and steals credentials for a long list of banks, including PNC, Zions Bank, Sovereign Bank, SunTrust, Bank of America, J.P. Morgan, Wells Fargo, Citibank, Wachovia, TD Bank and many more.

sector

Defense Industrial Base; Financial Services

reported

September 8, 2014

reported by

Kaspersky Lab

number affected

Unknown

location of breach

Jerusalem, Israel

perpetrators

Criminals

location of perpetrators

Russia

date breach occurred

Unknown

date breach detected

Late August or early September 2014