Cyber attacks against FederalNewsRadio.com, WTOP.com part of growing trend

Monday - 5/13/2013, 3:39pm EDT

Jason Miller, executive editor, Federal News Radio

Download mp3

The cyber attacks suffered by FederalNewsRadio.com and WTOP.com last week are part of a growing trend of breaches that take advantage of network weaknesses to indiscriminately go after visitors of popular websites.

While some analysts attributed the recent cyber breach, which caused both media websites to turn off access via Internet Explorer from May 7-11, to a "watering hole" type of attack, all indicators point to it being a "drive-by" attack, said John Spaulding, Washington, D.C. director of information systems for Hubbard Radio, the parent company of WTOP and Federal News Radio.

Spaulding said a drive-by attack is one where the malicious code is hidden on a Web page and a computer gets infected by visiting the website. A watering hole attack, on the other hand, is where the hacker targets a specific group of people who tend to go to a specific site.

Spaulding said both FederalNewsRadio.com and WTOP.com have been scrubbed of malware and vulnerabilities have been plugged. Users of all Internet browsers could safely access both sites starting late Saturday night. He encouraged website visitors who accessed the websites from any Web browser during the cyber attack, which occurred approximately May 5 to May 7, to update and run their security software and perform a malware scan on their computer.

"The malware did not target an IE vulnerability. However, the way it was deployed favored IE as the browser it would use to infect computers," Spaulding said. "An intruder was able to exploit a different website hosted on our shared infrastructure. From there, they gained privileged access to WTOP.com and FederalNewsRadio.com after installing some hidden portals, which allowed them continued access to our sites. They implemented malicious code, which allowed malware to attempt to infect our site visitors' computers."

He added there is no evidence that indicates FederalNewsRadio.com and WTOP.com were specifically targeted.

Looking for money

Alma Cole, the former head of the Homeland Security Department's security operations center and now vice president of cybersecurity at Robbins Gioia, said a successful drive-by attack usually installs two distinct kinds of malware: Fake AntiVirus and a Zeus Bot Trojan.

"The presence of Fake AntiVirus software clearly indicates that this was cyber criminals looking to make money, not a Nation State (APT) interested in espionage," he said. "Zeus Bot is the most widespread criminal Trojan that is used primary for theft of banking and other credentials."

Cole added the attack does not resemble and is not related to the well publicized attacks against other news agencies, and would not have included an overt intrusion into the networks of Federal News Radio or WTOP. Some systems may have been infected but this would have been collateral damage, he said.

Drive-by attacks like this are becoming more popular, according to the Symantec 2013 Internet Security Threat Report.

Symantec found in 2012, drive-by Web attacks increased by one-third, possibly driven by malvertising. Malvertising is an ad that is infected with malware so when a user clicks on it, their computer becomes contaminated.

"Drive-by infections from websites will become even more common and even harder to block without advanced security software," Symantec wrote in its report about what it sees as the future trends in cyber attacks. "Criminals will increasingly attack websites, using malvertising and website attack kits, as a means of infecting users. Software vendors will come under pressure to increase their efforts in fixing vulnerabilities promptly. Users and companies that employ them will need to be more proactive about maintaining their privacy and security in this new social media world."

Symantec said small businesses — those with less than 250 employees — were victims of 31 percent of all cyber attacks in 2012, up from 18 percent the year before.

"Driven by attack toolkits, in 2012 the number of Web-based attacks increased by one-third and many of these attacks originated from the compromised websites of small businesses," the report stated. "These massive attacks increase the risk of infection for all of us."

Johannes Ullrich, the dean of research and a faculty member of the SANS Technology Institute, said Web applications are much more complex today than ever before.

"They have a lot of parts they are composed of and it's really not easy to make sure all of them are secure," he said in an interview with Federal News Radio. "Probably the hardest task is to prove something is secure."

Ullrich said most of these drive-by attacks are random. He said SANS set up a "honeypot," which is a trap to detect and counter hacker attacks, and generally "trap" more than a half dozen of these drive-by attacks a day.