Government, Health Care Web Sites Attacked

A scan of Web servers by Internet security company Finjan Inc. has found more than 1,000 legitimate Web sites that had been compromised by a new wave of attacks in recent weeks.

High percentages of the compromised sites, which serve up malicious code to unsuspecting visitors, belonged to government at 13 percent, and to health care organizations at 12 percent, said Finjan Chief Technology Officer Yuval Ben-Itzhak.

"We started to see it at the end of last month," Ben-Itzhak said. "But most of [the compromised] domains we found in the last two weeks." The compromises were found using Finjan's SecureBrowsing security tool.

The attack toolkit being used is named Asprox, and has been in use for several years, having gained popularity with cybercriminals during 2007.

"This is not groundbreaking," Ben-Itzhak said. The tool uses a well-established SQL-injection attack to compromise the sites. But the sites being targeted appear to indicate a shift in the underground economy that has grown up harvesting sensitive information from online activities.

"For government, we still don't have the reason," Ben-Itzhak said. "We believe the criminals are targeting health care [data] because they can sell it for a higher price."

The black market price for stolen credit card information has declined sharply in the last year, from around $100 per account to $15 or $20 each, he said. "It's supply and demand." Credit-card information can be easy to steal and has been targeted by many criminals. "It explains why they're looking for new types of information that they can sell for a higher [profit] margin."

The Asprox toolkit searches Google for Web pages with an ".asp" file extension. These pages use the Microsoft Active Server Pages server-side scripting environment for creating and serving dynamic Web pages. It was widely used from around 1998 to 2003, when it was largely replaced with Web development tools that provide more security. But there still are many Web sites using it.

"It is not a vulnerability in the Microsoft tool," Ben-Itzhak said. "It is because of the way the pages were designed and not because of the technology."

To protect themselves from the attack, he recommended that enterprises use application firewalls in front of their servers to block the attacks, and that consumers use real-time content inspection tools to protect their browsers. "They cannot assume that legitimate Web sites will remain safe all the time," he added.

Finjan offers a free browser plug-in for content inspection, but Ben-Itzhak said that user uptake for the technology still is slow -- only about 25 percent compared with more than 90 percent for traditional signature-based anti-virus tools.

About the Author

William Jackson is the senior writer for Government Computer News (


  • Microsoft 365 Business To Get Azure Active Directory Premium P1 Perks

    Subscribers to Microsoft 365 Business (which is being renamed this month to "Microsoft 365 Business Premium") will be getting Azure Active Directory Premium P1 licensing at no additional cost.

  • How To Use .CSV Files with PowerShell, Part 1

    When it comes to bulk administration, few things are handier than .CSV files. In this two-part series, Brien demos his top techniques for working with .CSV files in PowerShell. First up: How to create a .CSV file.

  • SameSite Cookie Changes Rolled Back Until Summer

    The Chromium Project announced on Friday that it's delaying enforcement of SameSite cookie changes, and is temporarily rolling back those changes, because of the COVID-19 turmoil.

  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.