The recently disclosed attack aimed at two websites pertaining to the San Francisco International Airport (SFO) is the work of Russian hackers, ESET claims.
In March, two SFO websites were found to have been compromised by hackers and injected with code designed to steal visitors’ Windows login credentials. The websites, SFOConnect.com and SFOConstruction.com, contain information on various airport-related topics but enjoy low traffic.
The code discovered on the websites, SFO revealed, was targeting only those visiting from outside the airport network, via Internet Explorer from Windows-based machines.
To contain the attack, SFO took down the websites and also prompted a reset of all SFO-related email and network passwords on March 23.
Some researchers noted at the time that the attack resembled that of a Magecart group, which usually injects malicious code into ecommerce websites to steal users’ credit card data.
However, ESET’s security researchers took it to Twitter to point out that the attack was targeting Windows credentials and that it should not be linked to Magecart stealers.
“Contrary to what several people reported, #ESETresearch assesses that this attack has no link with any Magecart credential stealer. The targeted information was NOT the visitor's credentials to the compromised websites, but rather the visitor's own Windows credentials,” ESET noted.
The security firm also pointed out that the compromise carries the marks of the Russia-based advanced persistent threat (APT) actor tracked as Dragonfly.
Also known as Crouching Yeti and Energetic Bear, the ..
Support the originator by clicking the read the rest link below.
