According to Cisco researchers, who have been observing the attack since early May, among the ten websites that have been injected with the malicious iframe used in the campaign, one belongs to an oil and gas exploration firm with operations in Africa, Morocco, and Brazil; one to a gas distributor located in France; one to a natural gas power station in the UK; and several investment and capital firms that specialize in the energy sector.
Nearly half of the visitors to these sites come from the financial and energy sectors.
"Interestingly, six of the ten iframe-injected websites were hosted on the same server, apparently serviced by the same web design firm. Three of these six were also owned by the same parent company," pointed out Cisco's Emmanuel Tacheau. "This is likely an indication the sites were compromised via stolen login credentials, possibly a result of infection with the design firm or their hosting provider."
The malware is hosted on the pages of three compromised websites (keeleux.com, kenzhebek.com, and nahoonservices.com), and to install it on the victims' computers the attackers have leveraged exploit code for vulnerabilities in older versions of Java, Internet Explorer, and Firefox / Thunderbird.
Tacheau doesn't say whether the campaign is ongoing, but he pointed out that as time went by, the attackers have modified the injected iframes, exploit code, and the served malware.
"Protecting users against these attacks involves keeping machines and web browsers fully patched to minimize the number of vulnerabilities that an attacker can exploit," he pointed out, adding that a web traffic filtering solution deployed at the network level can block malicious content before it can reach the intended targets' machines.
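As an added illustration of the filtering Tacheau recommends (this is not code from Cisco or from the article), the following Python check scans a fetched page for the kind of injected iframe described above: it flags any iframe whose src points at one of the three malware-serving hosts named in the article, or that is styled to be invisible to the visitor. The sample HTML is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The three compromised hosts the article names as serving the malware.
MALWARE_HOSTS = {"keeleux.com", "kenzhebek.com", "nahoonservices.com"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def looks_hidden(attrs):
    """Heuristic: iframe hidden via CSS or sized 0/1 pixel (typical of injections)."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    dims = [attrs[d] for d in ("width", "height") if attrs.get(d) is not None]
    tiny = bool(dims) and all(v.strip().rstrip("px") in ("0", "1") for v in dims)
    return "display:none" in style or "visibility:hidden" in style or tiny


def find_suspicious_iframes(html, malware_hosts=MALWARE_HOSTS):
    """Return a list of (src, reason) for iframes worth blocking or alerting on."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "") or ""
        host = (urlparse(src if "://" in src else "http://" + src).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if host in malware_hosts:
            findings.append((src, "known-malware-host"))
        elif looks_hidden(attrs):
            findings.append((src, "hidden-iframe"))
    return findings


# Constructed sample page resembling an injected energy-sector site (not real content).
SAMPLE_HTML = """<html><body><h1>Energy Investments Ltd</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://keeleux.com/stats.php" width="1" height="1"></iframe>
<iframe src="http://cdn.example.invalid/x.html" style="visibility: hidden"></iframe>
</body></html>"""
```

Running `find_suspicious_iframes(SAMPLE_HTML)` reports the keeleux.com iframe as a known host and the invisibly styled one as hidden, while leaving the ordinary video embed alone.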