Iranian Cyber Army Moves from Defacements to Botnets

[tipo]

Security researchers were able to tie a group of hacktivists known as the Iranian Cyber Army to a series of Web exploit attacks affecting popular websites.

The Iranian Cyber Army rose to fame last year when it managed to hijack several high profile websites, including Twitter and Baidu, who's home pages it replaced with political messages against the United States.

Both incidents were the result of domain hijacking, which involved the attackers tricking registrar employees intto giving them control over the targeted domains.

However, according to Seculert, a provider of cloud-based Cyber Threat Management services, the group might be moving from politically motivated defacements into actual cybercrime.

The company's researchers believe that the Iranian Cyber Army was behind a mass injection attack, that affected several TechCrunch websites, including TechCrunch Europe, MobileCrunch and CrunchGear.

Visitors of the compromised sites were directed to a crime server, which launched drive-by downloads through a customized exploit kit.

"[…] The graphical user interface of these pages is quite primitive, to say the least. This leads us to believe that this exploit kit was developed to be used only by one group, and it is not being sold on the open market to other cyber criminals," the Seculert experts write.

The title on the exploit kit's login page is [email protected], the exact same email address used during the defacements. Also the Iranian Cyber Army name is also mentioned within the source code comments.

Statistics gathered from the kit suggest that there were 400,000 successful exploitations. However, the number is likely much bigger, because there are indications that the counter was reset several times.

The exploitations have been running since August 2010 and researchers believe that the group is involved in a pay-per-install scheme, where other criminals pay them to have malware like Bredolab, Gozi, ZeuS and others, installed on infected systems.

"Based on the timing of this latest wave of attacks, on the heels of the recent Stuxnet worm attack that allegedly targeted Iranian facilities, it appears reasonable to assume that the 'Iranian Cyber Army' group has decided to move from simple defacement warnings to actual cybercrime activities," Seculert concludes.