Passwords Matter—The Hidden Risks “Minor” Info Stealers Pose

Last week, we had two major mass compromises. The first one hit more than 100,000 websites, including major news sites like the Wall Street Journal and the Jerusalem Post. The second campaign was much smaller, hitting only around 1,000 pages, and lacked similarly high-profile victims, although the casino firm Ameristar was on the victim list.

The first attack directed users to http://www.{BLOCKED}nt.us/u.js. Once users go to this URL, they inadvertently download a Trojan detected by Trend Micro as TROJ_DLOAD.VAC. This downloads a malicious file detected as TSPY_GAMETHI.QJB. A very similar payload was used by the second wave.

Target: Online Gamers

What is worth noting here is that TSPY_GAMETHI.QJB stole information related to online gaming sites such as Aion Online, Dungeon Fighter, and World of Warcraft. It is tempting to think that the potential fallout from this is minor, but it is not. As pointed out in a late-2008 white paper, the “virtual worlds” in online games pose real security risks.

It is also quite likely that the stolen information is not just related to online games. Last week, an interesting paper was presented at the Workshop on the Economics of Information Security. Written by two University of Cambridge researchers, the paper analyzed how 150 websites use passwords. The researchers found that many sites used passwords less for security (which was not always consistently implemented) and more for demographic information.

The researchers cited the website of the New York Times, which requires users to state their income, job title, industry, and company size. None of these are particularly needed to deliver news to readers, but advertisers would find this information very useful.

With so many sites requiring registration (and thus, a password), passwords have become overused. Unfortunately, the human ability to remember them is limited. The end result? Users recycle passwords across different sites, some of which may use passwords less securely than the rest.

Passwords Matter

The end lesson is actually simple—passwords are passwords, regardless of whether they are used in the way they were intended (for security) or as a means for collecting personal information. Users should know this and behave accordingly. Do not reuse passwords (if needed, use freely available password managers) and change them as needed.

Post from: TrendLabs | Malware Blog - by Trend Micro
