S&M blogger outs web host malware attack

When Google meets kink

A moment of narcissism by a blogger who covers kink, multiple sex partners and other topics has uncovered a sophisticated attack that secretly installed malware on end user machines by compromising thousands of websites maintained by a large webhost and ginning search results on Google.

Ipower, a US-based webhost at the center of at least one previous wide-scale breach, is once again having to explain why it was hosting a fleet of sites that redirected visitors to sites that attempt nasty drive-by installations. The company's CEO said in an email the problem has been fixed, but as of press time we were still able to identify Ipower-hosted sites that were redirecting to malicious servers.

The hacked sites, which could number in the tens of thousands, ranged from the reelection site of a local councilman in California to a Chinese-language forum, according to Franklin Veaux, who recently blogged here about the attack. Miscreants managed to inject an HTML file into each site with words like "polyamory" and other hot-button keywords designed to get the attention of Google's page-ranking algorithms. When Google users clicked on the search result, they were ultimately shuttled to the drive-by sites.

In May, Ipower came to the attention of researchers at StopBadware.org, who found more than 10,000 compromised websites were being hosted by the Phoenix-based company.

Yes, we've heard of cache spam before. That's a technique by which attackers try to raise the search ranking of malicious sites by spraying the web with links. And the wholesale hijacking of websites so they unwittingly redirect visitors to malicious destinations is nothing new, either. But there are several things that set this attack apart.

For one thing, the attack combines both of these methods, which are among the latest and most effective weapons in web attackers' arsenals. It also exhibits some clever techniques we've not seen before to evade measures designed to foil spam and malware attackers.

For instance, the redirect scripts only work if an end-user's browser is parked at Google. Clicking on an identical link from any other web address results in the common 404 error designating that the requested page doesn't exist. This maneuver helps throw off security personnel. The doctored sites also contain long passages of text that appear to have been published before. Keywords designed to gin Google search rankings are then sprinkled in at random. Using text generated by live humans appears to help throw off Google algorithms designed to sniff out spam.

"This isn't a couple of script kiddies out defacing websites," said Veaux, whose personal blog explores issues relating to S&M, transhumanism and whatever else tickles his fancy. "It appears to be a very sophisticated attack."

Veaux stumbled on the attack after Googling his own name. The search generated 56 pages of results, many of which contained a strange mishmash of text. He soon discovered all but one of the sites were hosted by Ipower and that they redirected him to websites in Eastern Europe. The redirect sites attempted to hose user machines using several known exploits. If none worked, they then invited the visitor to download a malicious Trojan, he said.

It is still unclear exactly how the attackers penetrated such a large number of sites being hosted by a single provider.

On Friday, Ipower CEO Thomas Gorny said less than 1 percent of the sites his company hosts were compromised. With company claims of at least 700,000 customers, that would translate to 7,000.

"Yesterday afternoon, our team implemented a patch that eliminated redirects from impacted customers’ sites," he wrote. "We are continuing to test the effectiveness of the patch, which seems to have resolved the issue."

Well, maybe. Of 70 hacked websites tested following receipt of Gorny's email, eight still funneled users to harmful websites. This Google search lists many of the Ipower-hosted sites that either were or still are compromised. Readers should avoid clicking on the search results themselves unless they know exactly what they're doing. ®
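The referer-conditional behaviour described above (a 404 on a direct visit, an off-site redirect when the browser arrives from Google) is exactly what a web host or incident responder can test for without ever following the redirect, which is also the kind of check the 70-site spot test in this story amounts to. The script below is an added example written for this article; it is not Veaux's code, Ipower's, or The Register's. It fetches each URL twice, once with no Referer and once with a constructed Google referer, and flags pages whose answer changes to an off-site redirect. The sample site table, hostnames and referer value are constructed for an offline run; `urllib_fetch` is the drop-in for live use and stops at the first hop rather than following the redirect.

```python
"""Detect referer-conditional (search-engine cloaked) redirects.

Compromised pages of the kind described in the article answer 404 to a
direct visit but issue a redirect to a third-party host when the request
carries a Google referer. Fetching each URL twice and comparing the two
first-hop answers makes that difference visible to a defender without
ever loading the destination. Added example; not the article's own code.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed referer value used only for the comparison probe.
GOOGLE_REFERER = "https://www.google.com/search?q=example"

REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None  # Location header of the first hop, if any


Fetcher = Callable[[str, Dict[str, str]], Response]


def same_site(url: str, other: str) -> bool:
    """True when both URLs share a host (an on-site redirect is ordinary)."""
    return urlparse(url).netloc.lower() == urlparse(other).netloc.lower()


def probe(url: str, fetch: Fetcher) -> Tuple[Response, Response]:
    """Fetch once without a Referer and once pretending to come from Google."""
    plain = fetch(url, {})
    via_google = fetch(url, {"Referer": GOOGLE_REFERER})
    return plain, via_google


def classify(url: str, plain: Response, via_google: Response) -> str:
    """Return 'cloaked-redirect', 'redirect', 'differential' or 'clean'."""
    off_site = (
        via_google.status in REDIRECT_CODES
        and via_google.location is not None
        and not same_site(url, via_google.location)
    )
    if off_site:
        if plain.status != via_google.status:
            return "cloaked-redirect"  # off-site redirect only for Google visitors
        return "redirect"              # off-site redirect regardless of referer
    if plain.status != via_google.status:
        return "differential"          # behaviour differs but no off-site redirect
    return "clean"


def scan(urls, fetch: Fetcher) -> Dict[str, str]:
    """Map each URL to its verdict."""
    results = {}
    for url in urls:
        plain, via_google = probe(url, fetch)
        results[url] = classify(url, plain, via_google)
    return results


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for the redirect instead of
    # following it, so the caller sees the first hop only.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url: str, headers: Dict[str, str], timeout: float = 10.0) -> Response:
    """Live fetcher: first-hop status and Location, never following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Response(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return Response(err.code, err.headers.get("Location"))


# Constructed stand-in for a live HTTP client, modelling the behaviour the
# article reports (404 direct, 302 off-site from Google) beside two benign
# cases: a normal page and an ordinary on-site permanent redirect.
SAMPLE_SITES = {
    "http://victim-a.example/polyamory.html": {
        "": Response(404),
        GOOGLE_REFERER: Response(302, "http://redirect.example.invalid/land"),
    },
    "http://victim-b.example/about.html": {
        "": Response(200),
        GOOGLE_REFERER: Response(200),
    },
    "http://moved.example/old": {
        "": Response(301, "http://moved.example/new"),
        GOOGLE_REFERER: Response(301, "http://moved.example/new"),
    },
}


def fake_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Offline fetcher that answers from the constructed table above."""
    return SAMPLE_SITES[url][headers.get("Referer", "")]


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_SITES, fake_fetch).items():
        print(f"{verdict:17} {url}")
```

On a live run, pass `urllib_fetch` instead of `fake_fetch` and feed the list of URLs a host wants to audit; because only the first hop is requested, the malicious destination is never contacted. A verdict of `cloaked-redirect` is the pattern this story describes, while `redirect` and `differential` are worth a human look but are also produced by legitimate geo- or campaign-aware sites.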
