

Rapidly Spreading 'Gumblar' Attack Redirects Users' Web Searches

Malware scripts morph from site to site, and even from page to page within the same site, ScanSafe researchers say

A Web-borne malware attack that redirects users' Internet searches is growing "exponentially," and has already infected more than 2,300 Websites, researchers said today.

Researchers at security company ScanSafe are warning users about an emerging series of Website compromises, collectively dubbed "Gumblar," which are spreading at a rapid rate. In the past week, Gumblar site compromises have grown at a rate of 188 percent, making it one of the fastest-growing infections on the Web, ScanSafe says.

"It should be waning by now, but it isn't," says Mary Landesman, senior security researcher at ScanSafe. "It just keeps spreading."

Gumblar, which has been spotted on popular sites such as Tennis.com, Variety.com, and Coldwellbanker.com, is believed to be growing rapidly due to its unique combination of characteristics. The malware resulting from Gumblar forcibly redirects search page results to sites other than those users expect. Many of these pages are imitations of the Websites users actually intended to visit.

"For example, if a user is trying to visit Tennis.com via Google, they may be directed to a fraudulent site designed to look like Tennis.com, where a backdoor Trojan will be immediately downloaded," ScanSafe reports. "The Trojan could then allow cybercriminals control of the victim's computer, leading to a myriad of security issues, including personal data theft and stolen FTP credentials. Once cybercriminals are in possession of a victim's FTP credentials, any sites that victim manages can also be targeted for compromise -- a common malware propagation tactic."

One of Gumblar's exploits is to launch a "man-in-the-browser attack," in which the downloaded malware monitors all traffic to and from the browser, Landesman says. From this position, the malware can selectively swap out links in search results, effectively fooling the user into going to an unintended site.

Landesman speculates that Gumblar might be operating as a "botnet for hire," achieving different ends for different "clients." In many cases, the attack seems to be facilitating click fraud, in which the criminal simply redirects Web traffic to a fraud site in order to collect page views and advertising revenue. In other cases, Gumblar is routing users to malicious sites that might load additional malware onto the user's machine.

"A third potential exploit, which we haven't seen yet, is to redirect users from e-commerce or banking sites for the purpose of fraud, like a traditional phishing attack," Landesman says.

Gumblar is difficult to detect because its scripts vary from site to site, and even from page to page, Landesman says. "The cybercriminals responsible for Gumblar have learned to morph its features quickly," Landesman says. "This, coupled with Gumblar's other dynamic characteristics, is allowing the compromise to disseminate more rapidly than others we've seen."

The rapidly changing nature of the attack also makes it difficult for traditional signature detection or blacklisting tools to block, Landesman says. "If you were an individual user, I'd just tell you to disable JavaScript," she says. "But that's not possible for most businesses to do."
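The morphing Landesman describes defeats content signatures, but a compromised page still carries one trace that does not morph: a script element that was not there before. As an added example (not ScanSafe's or the article's own code), the Python below fingerprints each `<script>` block of a page individually and reports any block absent from a known-good snapshot, whatever its content; the two site snapshots and the file names are constructed samples, and a real run would read them from backups or a web root.

```python
import hashlib
import re

# Inline <script>...</script> elements, including <script src=...></script>.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def script_blocks(html):
    """Return every <script> element in the page, whitespace-normalised."""
    return [" ".join(m.group(0).split()) for m in SCRIPT_RE.finditer(html)]


def fingerprints(html):
    """Map SHA-256 of each script block to the block, so blocks compare by content."""
    return {hashlib.sha256(b.encode()).hexdigest(): b for b in script_blocks(html)}


def find_injected(baseline_html, current_html):
    """Script blocks in the current page that were absent from the baseline copy.

    Only script elements are compared: an ordinary edit to the page text is not
    reported, while an inserted script is reported regardless of what it contains.
    """
    known = set(fingerprints(baseline_html))
    return [block for digest, block in fingerprints(current_html).items()
            if digest not in known]


def scan_site(baseline_pages, current_pages):
    """Compare two {relative_path: html} snapshots; return {path: [injected blocks]}."""
    report = {}
    for path, html in current_pages.items():
        added = find_injected(baseline_pages.get(path, ""), html)
        if added:
            report[path] = added
    return report


# Constructed sample snapshots (not real site content). The second snapshot has a
# legitimate text edit on index.html and a different inserted block on each page.
BASELINE = {
    "index.html": '<html><body><h1>Tennis news</h1><script src="/js/site.js"></script></body></html>',
    "about.html": "<html><body><p>About us</p></body></html>",
}
CURRENT = {
    "index.html": '<html><body><h1>Tennis news, updated</h1><script src="/js/site.js"></script>'
                  "<script>window.__a='constructed-sample-1';</script></body></html>",
    "about.html": "<html><body><p>About us</p><script>window.__b='constructed-sample-2';</script></body></html>",
}

if __name__ == "__main__":
    for path, blocks in scan_site(BASELINE, CURRENT).items():
        print(path, "->", blocks)
```

Because the check is per script element rather than per page, the edited headline on index.html is not flagged while both differing inserted blocks are, which is the property a signature or blacklist cannot offer against code that changes from page to page.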

ScanSafe is attacking the problem via Web filtering, essentially preventing the user from going to the Gumblar sites and being infected in the first place, Landesman says. "Prevention is really the only workable defense because once you've been infected and your FTP credentials have been stolen, the criminal can modify passwords and make it difficult for you to get control back," she says.

The Gumblar Website, which dishes out the malware, is going to be difficult to find and bring down, Landesman says. While the site itself has a Chinese registry (Gumblar.cn), its source IP addresses have been traced to Latvia and Russia, and its servers are located in the U.K. "The criminals are doing a really good job of hiding their actual location," she says.

ScanSafe has posted blogs on its Website that describe the malware and its potential effects on enterprises and end users. The company will continue to post updates as the attack spreads, Landesman says.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals.
