FireEye has discovered a large-scale attack campaign collected extensive information from Internet. It has amassed vast amounts of information on web traffic and visitors to more than 100 websites – sites that the threat actors have selectively compromised to gain access to their collective audience.
The operation, which is most likely the work of threat actors aligned with Russian government, use web analytics and open source tools to collect information about desired victims and their computers to track, profile, and possibly infect them with targeted malware.
The perpetrators alter specific websites to redirect visitors to a profiling script that we call 'WITCHCOVEN,' FireEye said.
This script collects detailed information about the user’s computer and installs a persistent tracking tool, called a “supercookie,” which becomes part of a unique "browser fingerprint" that can identify the user’s computer moving forward.
"We believe the actors analyze the collected data to identify unique users and pair them with information about their computer to later deploy exploits tailored to their particular software and computer configuration."
In this particular case, the cyber criminals have manipulated over 100 selected sites, which also includes Indian websites.
When an unsuspecting user visits any of the over 100 compromised websites, a small piece of inserted code—embedded in the site’s HTML and invisible to casual visitors—quietly redirects the user’s browser to a second compromised website without the user’s knowledge. This second website hosts the WITCHCOVEN script, which uses profiling techniques to collect technical information on the user’s computer.
As of early November 2015, we identified a total of 14 websites hosting profiling script, FireEye added.
"We believe that the compromised websites indicate the threat actors are especially interested in collecting data from executives, diplomats, government officials, and military personnel, particularly those in the US and Europe. The compromised websites include visa services firms and certain embassies in the United States, which may attract US government officials or executives traveling to Russia, the Middle East, and Africa."
Updated Date: Nov 16, 2015 16:56:14 IST