Spyware was injected into an industrial software firm’s website to probe visitors’ computers
Manufacturing // Technology // Transportation
Unlike most “watering hole” attacks that only infect visitors’ computers with credential-stealing malware, this strike involved a tool that takes detailed notes about visitors’ machines.
The unnamed website is “related to software used for simulation and system engineering in a wide range of industries, including automotive, aerospace, and manufacturing," AlientVault Labs Director Jaime Blasco said in a blog post. AlienVault detected the breach last week.
The attackers inserted rogue code into the site, which then loaded a JavaScript file from a remote server. The file was a reconnaissance framework dubbed Scanbox.
“In addition to collecting basic information like the browser type, computer IP (Internet Protocol) address, operating system and language, this tool uses advanced techniques to detect which security programs are installed on the visitor's system,” Computerworld reports.
Scanbox tests computers for the presence of a Microsoft anti-malware tool and records information about installed versions of Adobe Flash, Microsoft Office, Acrobat Reader and Java -- programs that are frequently targeted by cyber weapons to install malware.
Scanbox also records the width and height of the user’s computer screen.
It contains a keylogger that documents all characters typed by visitors, including passwords and other sensitive data entered into web forms.
"This is a very powerful framework that gives attackers a lot of insight into the potential targets that will help them launching future attacks against them,” Blasco said.