The attack toolkit being used by the attackers is aliased “Asprox”, and has been around for some years gaining cybercrime popularity during 2007. This attack toolkit is designed to first search Google for webpages with the file extension [.asp]. Once found, it launches SQL injection attacks to append a reference to the malware file using the script tag, which makes it a highly efficient Crimeware tool.
Each of the compromised domains included a reference to a malware that was served by over 160 different domains across the Internet.

“Since the list of these malware serving domains increases every day, we believe this is just the tip of the iceberg for the scope and impact of this attack,” said Yuval Ben-Itzhak, CTO of Finjan.
“Among the compromised websites we found were those of respectable organizations, governmental institutes, healthcare organizations as well as high-ranked websites. It shows again the resourcefulness and flexibility of cybercriminals. It requires proactive security solutions to safeguard organizations against these kinds of mass Web attacks.”

Finjan’s research indicates that the malicious code is still being served by most of the websites and the “Asprox” toolkit is still in use at July 13, 2008.

Finjan’s findings contain examples of compromised websites of organizations and businesses in the following categories:

* Shopping/Lifestyle (15%)
* Computing and Internet (15%)
* Government (13%)
* Healthcare (12%)
* Advertisement (13%)
* Other (32%)

The compromised websites were detected using Finjan’s patented active real-time code inspection technology.