S&M blogger outs web host malware attack

When Google meets kink

A moment of narcissism by a blogger who covers kink, multiple sex partners and other topics has uncovered a sophisticated attack that secretly installed malware on end user machines by compromising thousands of websites maintained by a large webhost and ginning search results on Google.

Ipower, a US-based webhost at the center of at least one previous wide-scale breach, is once again having to explain why it was hosting a fleet of sites that redirected visitors to sites that attempt nasty drive-by installations. The company's CEO said in an email the problem has been fixed, but as of press time we were still able to identify Ipower-hosted sites that were redirecting to malicious servers.

The hacked sites, which could number in the tens of thousands, ranged from the reelection site of a local councilman in California to a Chinese-language forum, according to Franklin Veaux, who recently blogged here about the attack. Miscreants managed to inject an HTML file into each site containing words like "polyamory" and other hot-button keywords designed to get the attention of Google's page-ranking algorithms. When Google users clicked on the search result, they were ultimately shuttled to the drive-by sites.

In May, Ipower came to the attention of researchers at StopBadware.org, who found more than 10,000 compromised websites were being hosted by the Phoenix-based company.

Yes, we've heard of cache spam before. That's a technique by which attackers try to raise the search ranking of malicious sites by spraying the web with links. And the wholesale hijacking of websites so they unwittingly redirect visitors to malicious destinations is nothing new, either. But there are several things that set this attack apart.

For one thing, the attack combines both of these methods, which are among the latest and most effective weapons in web attackers' arsenals. It also exhibits some clever techniques we've not seen before to evade measures designed to foil spam and malware attackers.

For instance, the redirect scripts only work if an end user's browser arrived from Google. Clicking on an identical link from any other web address results in the common 404 error indicating that the requested page doesn't exist. This maneuver helps throw off security personnel. The doctored sites also contain long passages of text that appear to have been published before, with keywords designed to gin Google search rankings sprinkled in at random. Using text generated by live humans appears to help throw off Google algorithms designed to sniff out spam.
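The referer-conditional behaviour described above is also the property a defender can test for: the same URL fetched twice, once with a Google referer and once without, should behave the same on a clean site. The following is an added example (not code from the article, Veaux's blog or Ipower) of such a check. It never follows redirects, compares the two responses, and flags the URL only when the Google-referred request alone is bounced to another host. The fetcher is injected so the check can run offline against constructed responses; the `.invalid` host names and response pairs are constructed for illustration.

```python
"""Referer-conditional redirect (cloaking) check, added as an illustration."""
from typing import Callable, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed referer that imitates arriving from a Google results page.
GOOGLE_REFERER = "https://www.google.com/search?q=example"

# A fetcher takes (url, referer_or_None) and returns (status, Location header
# or None). It must NOT follow redirects, or the 3xx evidence is lost.
Fetcher = Callable[[str, Optional[str]], Tuple[int, Optional[str]]]


class _NoRedirect(HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urlopen raise HTTPError with the 3xx code


def live_fetcher(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """Fetch a URL over the network, returning (status, Location) without following redirects."""
    headers = {"User-Agent": "referer-cloak-check/0.1"}  # assumed, arbitrary UA string
    if referer:
        headers["Referer"] = referer
    opener = build_opener(_NoRedirect())
    try:
        with opener.open(Request(url, headers=headers), timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:  # 3xx (because of _NoRedirect) and 4xx/5xx land here
        return err.code, err.headers.get("Location")


def is_offsite(url: str, location: Optional[str]) -> bool:
    """True when a Location header points at a different host than the page itself."""
    if not location:
        return False
    target = urlsplit(location).netloc.lower()
    return bool(target) and target != urlsplit(url).netloc.lower()


def check_cloaking(url: str, fetch: Fetcher = live_fetcher) -> dict:
    """Probe a URL with and without a Google referer and flag conditional off-site redirects."""
    direct_status, direct_loc = fetch(url, None)
    google_status, google_loc = fetch(url, GOOGLE_REFERER)
    redirected_for_google = 300 <= google_status < 400 and is_offsite(url, google_loc)
    redirected_direct = 300 <= direct_status < 400 and is_offsite(url, direct_loc)
    # A site that redirects everyone (e.g. to its www. host) is not cloaking;
    # only a redirect that appears solely for Google-referred visitors is flagged.
    suspicious = redirected_for_google and not redirected_direct
    return {
        "url": url,
        "direct": (direct_status, direct_loc),
        "google": (google_status, google_loc),
        "suspicious": suspicious,
        "redirect_target": google_loc if suspicious else None,
    }


# Constructed responses standing in for three kinds of site: one showing the
# behaviour described in the article (404 direct, 302 off-site from Google),
# one clean page, and one with an ordinary unconditional www. redirect.
CONSTRUCTED_RESPONSES = {
    ("http://hosted-site.invalid/polyamory.html", None): (404, None),
    ("http://hosted-site.invalid/polyamory.html", GOOGLE_REFERER): (302, "http://landing.invalid/"),
    ("http://clean-site.invalid/about.html", None): (200, None),
    ("http://clean-site.invalid/about.html", GOOGLE_REFERER): (200, None),
    ("http://plain-redirect.invalid/", None): (301, "https://www.plain-redirect.invalid/"),
    ("http://plain-redirect.invalid/", GOOGLE_REFERER): (301, "https://www.plain-redirect.invalid/"),
}


def constructed_fetcher(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """Offline fetcher that replays the constructed responses above."""
    return CONSTRUCTED_RESPONSES[(url, referer)]


if __name__ == "__main__":
    for probe_url in sorted({u for u, _ in CONSTRUCTED_RESPONSES}):
        result = check_cloaking(probe_url, constructed_fetcher)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10s} {probe_url} direct={result['direct']} google={result['google']}")
```

To run it against real hosts, call `check_cloaking(url)` with the default `live_fetcher`; a site that also keys on the User-Agent or on cookies would need those varied in the same way, since this check only exercises the Referer header.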

"This isn't a couple of script kiddies out defacing websites," said Veaux, whose personal blog explores issues relating to S&M, transhumanism and whatever else tickles his fancy. "It appears to be a very sophisticated attack."

Veaux stumbled on the attack after Googling his own name. The search generated 56 pages of results, many of which contained a strange mishmash of text. He soon discovered all but one of the sites were hosted by Ipower and that they redirected him to websites in Eastern Europe. The redirect sites attempted to hose user machines using several known exploits. If none worked, they then invited the visitor to download a malicious Trojan, he said.

It is still unclear exactly how the attackers penetrated such a large number of sites being hosted by a single provider.

On Friday, Ipower CEO Thomas Gorny said less than 1 percent of the sites his company hosts were compromised. With company claims of at least 700,000 customers, that would translate to 7,000.

"Yesterday afternoon, our team implemented a patch that eliminated redirects from impacted customers’ sites," he wrote. "We are continuing to test the effectiveness of the patch, which seems to have resolved the issue."

Well, maybe. Of 70 hacked websites tested following receipt of Gorny's email, eight still funneled users to harmful websites. This Google search lists many of the Ipower-hosted sites that either were or still are compromised. Readers should avoid clicking on the search results themselves unless they know exactly what they're doing. ®
