{"id":8751,"date":"2015-11-16T13:18:35","date_gmt":"2015-11-16T17:18:35","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=8751"},"modified":"2015-11-16T13:18:35","modified_gmt":"2015-11-16T17:18:35","slug":"state-sponsored-cyberspies-inject-victim-profiling-and-tracking-scripts-in-strategic-websites","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2015\/11\/16\/state-sponsored-cyberspies-inject-victim-profiling-and-tracking-scripts-in-strategic-websites\/","title":{"rendered":"State-sponsored cyberspies inject victim profiling and tracking scripts in strategic websites"},"content":{"rendered":"
By Lucian Constantin<\/a> | PCWorld<\/a><\/p>\n

Web analytics and tracking cookies play a vital role in online advertising, but they can also help attackers discover potential targets and their weaknesses, a new report shows.<\/p>\n

Security researchers from FireEye have discovered an attack campaign that has injected computer profiling and tracking scripts into over 100 websites visited by business executives, diplomats, government officials and academic researchers.<\/p>\n

The researchers believe the compromised websites attract visitors involved in international business travel, diplomacy, energy production and policy, international economics and official government work. They include sites belonging to embassies, educational and research institutions, governments, visa services, energy companies, media organizations and non-profit organizations.<\/p>\n

While no exploits or malicious code have been served through the injected scripts, the goal of the attackers appears to be the identification of unique users who can be targeted with attacks tailored for their specific computer and software configurations. FireEye has named the reconnaissance campaign WITCHCOVEN and believe that it’s the work of state-sponsored attackers.<\/p>\n

When users visit one of the compromised websites, their browsers get silently redirected to one of several WITCHCOVEN profiling servers. Scripts hosted on those servers collect information like the user’s IP address, their browser type and version, the language setting, the referring website, the version of Microsoft Office and browser plug-ins like Java, Flash Player, etc.<\/p>\n

In addition, they also install so-called supercookies or evercookies inside users’ browsers. These cookies are hard to delete and are used to track users across multiple websites.<\/p>\n

“We believe that the computer profiling data gathered by the WITCHCOVEN script, combined\u00a0with the evercookie that persistently identifies a unique user, can \u2013 when combined with basic browser data available from HTTP logs \u2013 be used by cyber threat actors to identify users of interest, and narrowly target those individuals with exploits specifically tailored to vulnerabilities in their computer system,” the FireEye researchers said in their report<\/a>.<\/p>\n

The company has not detected any follow-up exploitation attempts against its customers so far, but this could be because the attackers use a highly-targeted approach to victim selection.<\/p>\n