'Migrating mafia' target personal computers

Published Jul 17, 2003


More than two thousand home Internet users have had their computers hijacked and redirected to pornographic websites, in a scheme that has security experts perplexed.

Experts believe they have traced the attack to Russian operatives of other Internet scams, and suspect it is part of a money-making scheme, but remain baffled about the technique used to infiltrate PCs.

Richard Smith, a Massachusetts-based security consultant who has tabulated the number of infected machines, said the perpetrators of the attack appear to be from the same location as those responsible for a recent scheme involving the Paypal Internet payment system.

Smith said this attack, known as a trojan, seems to be a new twist that blends hacker attacks and spam, and that it is a new type of money-making scheme.

"In terms of home computers, this is one of the first times someone has tried to make money off hacking a home computer," Smith said.

"It is not known at present how the trojan gets installed on people's computers.

"My theory is that the Sobig.e virus might be involved, but the evidence is not strong at the moment."

Joe Stewart, a specialist at Internet security firm LURHQ, was among the first to analyse the new trojan and trace its likely origins to Russia.

The hackers may get revenue for every time a porn page pops up, similar to the commissions from advertising "clicks", and may get additional money by sending out spam from the infected computers.

Stewart dubbed the trojan "migmaf", short for "migrating mafia", and noted that the method of attack - shifting from one computer to another every 10 minutes - makes it harder to track.

"Migmaf is particularly disturbing because it represents a new escalation in malware weaponry," said Jim Kollegger, president of BBX Technologies, a security firm.

"Hackers and unscrupulous business owners are now leveraging malware such as migmaf to hijack other computers to carry out illicit purposes, such as anonymously hosting porn pages, acting as spam relays, or acting as intermediaries for financial scams.

"This new form of malware can turn virtually any computer user into an unsuspecting accomplice of crime, making it especially difficult for authorities to shut down the networks."

According to Smith, the attacks have been traced to the same location as a recent "Paypal scam" in which bogus emails were sent out to users, directing them to an imitation of the real Paypal site, in an effort to obtain confidential bank or credit card information.

Experts warn that there could be other nefarious impacts from the hijacking. It is possible, for example, that a virus could be implanted that steals passwords or other confidential information from hijacked PCs.

"Some of the same computers hosting websites for pornographic sites are also receiving stolen credit card information," Smith said.

However, Smith said it may be possible to track the attackers through their money trail, from advertisers, possibly in the United States.

David Wray of the US Department of Homeland Security said the agency's cybersecurity division was aware of the situation but was not issuing any new warning.

"We're aware of it, and DHS will monitor the situation," Wray said. "It's based on known vulnerabilities, so if people keep patches and virus software up to date, that should mitigate some of the ill effect." - Sapa-AFP
