A coordinated series of web-based attacks that began last week in Italy is quickly expanding and has now infected 10,000 websites around the world. When security researchers first noticed the threat, it has affected 1,000 English language websites with the Italian '.it' domain. By Monday, however, the attack had gone worldwide and had drawn the attention of the FBI. The attackers are using known exploits in web server applications to post attack code on third-party websites. The actual attack is carried out when a user visits a compromised site.
The site redirects the user to another server that runs MPack, a web-based attack tool that delivers an exploit specially designed to target flaws in each user's web browser. The exploit installs spyware and a key-logger. Traffic is bounced from the compromised sites to a server in the San Francisco area which then redirects to the attack server which is currently located in Chicago, according to Paul Ferguson, a network architect at security vendor Trend Micro. Ferguson noted that the San Francisco server uses an IP address registered to a Hong Kong entity, and is hosted by a company that is notoriously slow in responding to complaints about illegal activities on its network.