Italian websites hit by Mpack malware

Malware that attacked thousands of Italian websites over the weekend and stole sensitive information from users could spread to the rest of Europe and the UK.

Hacked Italian websites have triggered malware downloads once a user has visited them. The malware, known as Mpack kit, has compromised websites using known and common IFRAME vulnerability to deploy a slew of malware attacking unsuspecting web users around the world.

Most of the compromised sites focused on tourism, cars, movies, music, tax and employment services. A large number of sites affected were local government ones. Most of these sites were hosted by one of the largest hosting providers in the country.

Once the user visits any of these websites, the browser is directed to another address that contains the malicious JS_Dloader.NTJ. This JavaScript then downloads a new member in the infection series detected as Troj_Small.HCK. This tries to cause a buffer overflow on the user's browser.

According to researchers at anti-virus company Trend Micro, IT administrators should prepare themselves for an increased number of helpdesk calls and internal virus outbreaks.

"In the last 48 hours over 2,000 Italian websites have been hijacked in this way and we've seen a doubling of victims every 6-8 hours," said Ivan Macalintal, senior TrendLabs threat researcher at Trend Micro.

He said that these web threats are silent, invisible to the unprotected consumer and therefore more dangerous than common viruses. "The attackers are using multiple malware to try to remain undetected and deliver the final punch, a keylogger that intends to solicit personal information such as banking information or passwords," said Macalintal.

Anthony O'Mara, EMEA vice president at Trend Micro, said that author of this latest attack probably had months to plan and execute their criminal act.

"The regionally targeted nature of the attack and the speed of website infection points to a criminal gang with profit in mind," he said. "Businesses need to ensure their end users demonstrate extra caution when surfing the web, and if not already using a reputation based technology, one should be deployed. URL filtering cannot stop these attacks."