Public reports are indicating that some TCP traffic that is passed through certain networks in Asia may be redirected to malicious websites. Full details of the attacks are unclear, but they could be a result of a malicious code outbreak, DNS compromise, non-blind TCP spoofing attacks, or another man-in-the-middle style of attack.
Non-blind TCP spoofing attacks refer to TCP attacks where attackers reside on the same subnet as the targeted user, or along the path of a user's traffic. Because the attacker has visibility into the victim's traffic, he or she can determine the sequence and acknowledge (SEQ/ACK) numbers; if these numbers are known, the attacker can accurately spoof the victim's desired destination. Successful spoofing could result in session hijacking, redirection, or other interference or inspection of the victim's traffic.
Non-blind TCP spoofing attacks take place between a user and the destination device or application when an attacker is attempting to locate valid SEQ/ACK packets. This type of attack could allow an attacker to redirect packets with valid SEQ/ACK numbers to a user, which may redirect the user's browser session to a malicious website. Public sources indicate that this website was hxxp://www.dachengkeji.com/aritcle/index.htm, but the URL has become unreachable. Attacks could redirect users to other malicious sites or compromised legitimate sites that may subsequently infect systems with malicious code or allow attackers to perform other malicious activities.
The following websites may redirect users:
Users should also be aware of the possibility of web redirects and use caution even when visiting well-known and trusted websites. For assistance in verifying the authenticity of URLs, users can check the reputation of an IP address or domain using web reputation tools.