Scareware Traversing the World via a Web App Exploit

In 2008, a dedicated group of security professionals came together to set up IRISS-CERT, Ireland's first CSIRT, to provide a range of free information security services to Irish businesses and consumers. The aim is to help counter the security threats posed to both Irish businesses and the Irish Internet space.

Throughout the first two years, IRISS-CERT has notified and helped many website owners detect, clean or restore their sites after a compromise.

In July 2009, several Irish websites were attacked and had malware code injected into them. These compromised websites redirected end-users to malicious websites, which subsequently served malware to anyone browsing the original legitimate sites. The notification of this compromise to IRISS-CERT resulted in me, as the on-duty Incident Handler, initiating the Incident Handling Process to examine the issue.

Mark will summarise this attack and briefly cover other types of attacks that IRISS-CERT has seen. He will primarily focus on the process as laid out in his GIAC GCIH Gold Paper. The investigation into the July 2009 attack and its associated complex infrastructure prompted the research paper.

The talk will cover the various stages of the Incident Handling Process, explaining how each pertains to both the web application exploit and the associated scareware installation.

By discussing these attacks, the talk should enable both companies and volunteer organisations to improve Incident Handling efforts when responding to Web Application attacks.