Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
Web admins beware: social media buttons that load scripts from unknown external sites could see your sites foisting the FlashPack exploit kit to visitors.
It was loaded onto visitor computers who failed to apply a February Adobe Flash patch (CVE-2014-0497), which would capture a decent number of victims who still ignore software updates.
This FlashPack delivered the Carberp trojan that opened a backdoor in victim machines to steal data.
Some 87 percent of victims were from Japan, while the others heralded from the United States, Taiwan and India.
"It's one thing if it loads scripts on trusted sites like Google, Facebook, or other well-known names; it's another thing to load scripts on little-known servers with no name to protect."
Chen advised web admins to be "very cautious" when incorporating add-ons to websites which relied on externally hosted scripts because it was "trivial" to use these to compromise visitors.
Bad add-ons could also slow down site performance.
A better choice was to use add-ons that kept everything within the same server and for users to maintain up to date with software security patches.
It was unknown but likely that the trojan payload would be detected by most antivirus vendors. ®