Cybercriminals possess the credentials needed to access more than 7,000 FTP servers belonging to organizations from all over the world, including small businesses, ISPs, multinational corporations and individual accounts.
The hackers are using this access to host malware, scam websites, rogue pharmacies, exploits and other content.
According to experts, the attackers have planted PHP scripts with backdoors and viruses in a number of directories in hopes that they can gain access to the targeted organizations’ web services. HTML files that seamlessly redirect users to malicious sites have also been uploaded to the compromised servers.
The FTP sites are hijacked in several ways. Some of them are easy to compromise because they use anonymous, default or publicly available credentials. Botnets also aid cybercriminals in gathering FTP credentials.
Hold Security’s Chief Information Security Officer Alex Holden has told IDG that the list of affected servers includes ones operated by The New York Times and UNICEF. NYT representatives have told the publication that they’re working on securing the server in question.
The security experts discovered that the attackers had uploaded an HTML file to NYT’s server. Cybercriminals could have tricked users into clicking on a link to lure them to the NYT FTP site, from where they would be redirected to a website hosting a work-from-home scam.
UNICEF says that the affected FTP application is part of a system that’s no longer in use, so they’ve disabled it. The organization’s representatives have explained that they rely on the services of third parties to ensure that their systems are not vulnerable.
Hold Security urges companies to review their FTP implementations to ensure that their servers cannot be abused by cybercriminals. End users, on the other hand, should be careful what embedded links they click on in order to avoid ending up on malicious websites.
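The two weaknesses the article describes, anonymous access and writable directories that end up holding PHP backdoors or HTML redirect pages, are both things an operator can check for on their own servers. The following Python script is an added example written for this page; it is not code from Hold Security or from any of the organizations named. It parses a constructed Unix-style FTP directory listing, flags world-writable directories and web-executable files (hidden ones in particular), spots the meta-refresh/JavaScript redirect pattern in an HTML file, and includes a live anonymous-login probe built on the standard `ftplib` module for use against servers you operate. The listing lines, the HTML sample and the `scam.example` URL are constructed for the demonstration.

```python
"""Audit helpers for an FTP server you operate: anonymous access, writable
directories, and uploaded web files that may be backdoors or redirect pages.
Added example for this article; sample data below is constructed."""
import ftplib
import re

# Extensions an FTP data server has no business serving; hits deserve review.
SUSPICIOUS_EXT = (".php", ".phtml", ".html", ".htm", ".js")

# 'ls -l' style LIST line: type, 9 permission chars, links, owner, group,
# size, month, day, time-or-year, name.
LIST_RE = re.compile(
    r"^([d-])([rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(\d+)\s+"
    r"\w{3}\s+\d{1,2}\s+[\d:]+\s+(.+)$")

# Meta refresh or JavaScript location change: the markers of a redirect page.
REDIRECT_RE = re.compile(
    r'http-equiv\s*=\s*["\']?refresh|location\.(href|replace)|window\.location',
    re.IGNORECASE)

# Constructed sample listing (not from any real server).
SAMPLE_LISTING = [
    "drwxrwxrwx    2 ftp      ftp          4096 Jan 10 12:00 incoming",
    "-rw-r--r--    1 ftp      ftp           312 Jan 11 03:14 index.html",
    "-rw-r--r--    1 ftp      ftp          2048 Jan 11 03:15 .cache.php",
    "-rw-r--r--    1 ftp      ftp        104857 Jan 09 09:00 report.pdf",
]

# Constructed redirect page; scam.example is a placeholder domain.
SAMPLE_REDIRECT = ('<html><head><meta http-equiv="refresh" '
                   'content="0;url=http://scam.example/"></head></html>')


def parse_unix_listing(lines):
    """Turn LIST output lines into dicts; lines that do not parse are skipped."""
    entries = []
    for line in lines:
        m = LIST_RE.match(line.rstrip())
        if not m:
            continue
        kind, perms, size, name = m.groups()
        entries.append({
            "name": name,
            "is_dir": kind == "d",
            "world_writable": perms[7] == "w",  # 'other' write bit
            "size": int(size),
        })
    return entries


def flag_suspicious(entries):
    """Return (name, reason) pairs for entries an FTP operator should inspect."""
    findings = []
    for e in entries:
        if e["is_dir"] and e["world_writable"]:
            findings.append((e["name"], "world-writable directory"))
        elif not e["is_dir"] and e["name"].lower().endswith(SUSPICIOUS_EXT):
            reason = "hidden web file" if e["name"].startswith(".") else "web-executable file"
            findings.append((e["name"], reason))
    return findings


def looks_like_redirect(html):
    """True if the HTML carries a meta-refresh or script-driven redirect."""
    return bool(REDIRECT_RE.search(html))


def anonymous_login_allowed(host, port=21, timeout=5):
    """Live check against a server you operate: does it accept anonymous login?"""
    ftp = ftplib.FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.login()  # no arguments means anonymous / guest
        return True
    except ftplib.error_perm:
        return False
    finally:
        try:
            ftp.quit()
        except (ftplib.all_errors, AttributeError):
            pass


def audit_listing(lines):
    """Convenience wrapper: parse a listing and report suspicious entries."""
    return flag_suspicious(parse_unix_listing(lines))


if __name__ == "__main__":
    for name, reason in audit_listing(SAMPLE_LISTING):
        print(f"{reason:26s} {name}")
    print("redirect page:", looks_like_redirect(SAMPLE_REDIRECT))
```

Run against a real server, the workflow is: call `anonymous_login_allowed(host)` on a host you own, and if it returns True treat that as a finding in itself; then feed the output of `ftp.retrlines("LIST", lines.append)` for each directory into `audit_listing`, and pull any flagged `.html`/`.htm` file through `looks_like_redirect`. The listing parser only understands the common Unix `ls -l` format, so servers that emit DOS-style listings would need a second regex.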