Feeds

S&M blogger outs web host malware attack

When Google meets kink

Choosing a cloud hosting partner with confidence

A moment of narcissism by a blogger who covers kink, multiple sex partners and other topics has uncovered a sophisticated attack that secretly installed malware on end user machines by compromising thousands of websites maintained by a large webhost and ginning search results on Google.

Ipower, a US-based webhost at the center of at least one previous wide-scale breach, is once again having to explain why it was hosting a fleet of sites that redirected visitors to sites that attempt nasty drive-by installations. The company's CEO said in an email the problem has been fixed, but as of press time we were still able to identify Ipower-hosted sites that were redirecting to malicious servers.

The hacked sites, which could number in the tens of thousands, ranged from the reelection site of a local councilman in California to a Chinese-language forum, according to Franklin Veaux, who recently blogged here about the attack. Miscreants managed to inject an html file into each site with words like "polyamory" and other hot-button keywords designed to get the attention of Google's page-ranking algorithms. When Google users clicked on the search result, they were ultimately shuttled to the drive-by sites.

In May, Ipower came to the attention of researchers at StopBadware.org, who found more than 10,000 compromised websites were being hosted by the Phoenix-based company.

Yes, we've heard of cache spam before. That's a technique by which attackers try to raise the search ranking of malicious sites by spraying the web with links. And the wholesale hijacking of websites so they unwittingly redirect visitors to malicious destinations is nothing new, either. But there are several things that set this attack apart.

For one thing, the attack combines both of these methods, which are among the latest and most effective weapons in web attackers' arsenals. It also exhibits some clever techniques we've not seen before to evade measures designed to foil spam and malware attackers.

For instance, the redirect scripts only work if an end-user's browser is parked at Google. Clicking on an identical link from any other web address results in the common 404 error designating that the requested page doesn't exist. This maneuver helps throw off security personnel. The doctored sites also contain long passages of text that appear to have been published before. Keywords designed to gin Google search rankings are then sprinkled in at random. Using text generated by live humans appears to help throw off Google algorithms designed to sniff out spam.

"This isn't a couple of script kiddies out defacing websites," said Veaux, whose personal blog explores issues relating to S&M, transhumanism and whatever else tickles his fancy. "It appears to be a very sophisticated attack."

Veaux stumbled on the attack after Googling his own name. The search generated 56 pages of results, many of which contained a strange mishmash of text. He soon discovered all but one of the sites were hosted by Ipower and that they redirected him to websites in Eastern Europe. The redirect sites attempted to hose user machines using several known exploits. If none worked, they then invited the visitor to download a malicious Trojan, he said.

It is still unclear exactly how the attackers penetrated such a large number of sites being hosted by a single provider.

On Friday, Ipower CEO Thomas Gorny said less than 1 percent of the sites his company hosts were compromised. With company claims of at least 700,000 customers, that would translate to 7,000.

"Yesterday afternoon, our team implemented a patch that eliminated redirects from impacted customers’ sites," he wrote. "We are continuing to test the effectiveness of the patch, which seems to have resolved the issue."

Well, maybe. Of 70 hacked websites tested following receipt of Gorny's email, eight still funneled users to harmful websites. This Google search lists many of the Ipower-hosted sites that either were or still are compromised. Readers should avoid clicking on the search results themselves unless they know exactly what they're doing. ®

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.