S&M blogger outs web host malware attack

When Google meets kink


A moment of narcissism by a blogger who covers kink, multiple sex partners and other topics has uncovered a sophisticated attack that secretly installed malware on end user machines by compromising thousands of websites maintained by a large webhost and ginning search results on Google.

Ipower, a US-based webhost at the center of at least one previous wide-scale breach, is once again having to explain why it was hosting a fleet of sites that redirected visitors to sites that attempt nasty drive-by installations. The company's CEO said in an email the problem has been fixed, but as of press time we were still able to identify Ipower-hosted sites that were redirecting to malicious servers.

The hacked sites, which could number in the tens of thousands, ranged from the reelection site of a local councilman in California to a Chinese-language forum, according to Franklin Veaux, who recently blogged here about the attack. Miscreants managed to inject an html file into each site with words like "polyamory" and other hot-button keywords designed to get the attention of Google's page-ranking algorithms. When Google users clicked on the search result, they were ultimately shuttled to the drive-by sites.

In May, Ipower came to the attention of researchers at StopBadware.org, who found more than 10,000 compromised websites were being hosted by the Phoenix-based company.

Yes, we've heard of cache spam before. That's a technique by which attackers try to raise the search ranking of malicious sites by spraying the web with links. And the wholesale hijacking of websites so they unwittingly redirect visitors to malicious destinations is nothing new, either. But there are several things that set this attack apart.

For one thing, the attack combines both of these methods, which are among the latest and most effective weapons in web attackers' arsenals. It also exhibits some clever techniques we've not seen before to evade measures designed to foil spam and malware attackers.

For instance, the redirect scripts only work if an end-user's browser is parked at Google. Clicking on an identical link from any other web address results in the common 404 error designating that the requested page doesn't exist. This maneuver helps throw off security personnel. The doctored sites also contain long passages of text that appear to have been published before. Keywords designed to gin Google search rankings are then sprinkled in at random. Using text generated by live humans appears to help throw off Google algorithms designed to sniff out spam.

"This isn't a couple of script kiddies out defacing websites," said Veaux, whose personal blog explores issues relating to S&M, transhumanism and whatever else tickles his fancy. "It appears to be a very sophisticated attack."

Veaux stumbled on the attack after Googling his own name. The search generated 56 pages of results, many of which contained a strange mishmash of text. He soon discovered all but one of the sites were hosted by Ipower and that they redirected him to websites in Eastern Europe. The redirect sites attempted to hose user machines using several known exploits. If none worked, they then invited the visitor to download a malicious Trojan, he said.

It is still unclear exactly how the attackers penetrated such a large number of sites being hosted by a single provider.

On Friday, Ipower CEO Thomas Gorny said less than 1 percent of the sites his company hosts were compromised. With company claims of at least 700,000 customers, that would translate to 7,000.

"Yesterday afternoon, our team implemented a patch that eliminated redirects from impacted customers’ sites," he wrote. "We are continuing to test the effectiveness of the patch, which seems to have resolved the issue."

Well, maybe. Of 70 hacked websites tested following receipt of Gorny's email, eight still funneled users to harmful websites. This Google search lists many of the Ipower-hosted sites that either were or still are compromised. Readers should avoid clicking on the search results themselves unless they know exactly what they're doing. ®

Broader topics


Other stories you might like

  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading

Biting the hand that feeds IT © 1998–2022