S&M blogger outs web host malware attack

When Google meets kink

A moment of narcissism by a blogger who covers kink, multiple sex partners and other topics has uncovered a sophisticated attack that secretly installed malware on end user machines by compromising thousands of websites maintained by a large webhost and ginning search results on Google.

Ipower, a US-based webhost at the center of at least one previous wide-scale breach, is once again having to explain why it was hosting a fleet of sites that redirected visitors to sites that attempt nasty drive-by installations. The company's CEO said in an email the problem has been fixed, but as of press time we were still able to identify Ipower-hosted sites that were redirecting to malicious servers.

The hacked sites, which could number in the tens of thousands, ranged from the reelection site of a local councilman in California to a Chinese-language forum, according to Franklin Veaux, who recently blogged here about the attack. Miscreants managed to inject an HTML file into each site with words like "polyamory" and other hot-button keywords designed to get the attention of Google's page-ranking algorithms. When Google users clicked on the search result, they were ultimately shuttled to the drive-by sites.

In May, Ipower came to the attention of researchers at StopBadware.org, who found more than 10,000 compromised websites were being hosted by the Phoenix-based company.

Yes, we've heard of cache spam before. That's a technique by which attackers try to raise the search ranking of malicious sites by spraying the web with links. And the wholesale hijacking of websites so they unwittingly redirect visitors to malicious destinations is nothing new, either. But there are several things that set this attack apart.

For one thing, the attack combines both of these methods, which are among the latest and most effective weapons in web attackers' arsenals. It also exhibits some clever techniques we've not seen before to evade measures designed to foil spam and malware attackers.

For instance, the redirect scripts only work if an end-user's browser is parked at Google. Clicking on an identical link from any other web address results in the common 404 error designating that the requested page doesn't exist. This maneuver helps throw off security personnel. The doctored sites also contain long passages of text that appear to have been published before. Keywords designed to gin Google search rankings are then sprinkled in at random. Using text generated by live humans appears to help throw off Google algorithms designed to sniff out spam.
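The referrer-dependent behaviour described above leaves a recognisable pattern in a host's own access logs: the same path redirects when the Referer is Google and returns 404 otherwise. The following is an added example, not part of the original article, that flags such paths; the log lines, paths and function names are constructed for illustration, and it assumes Apache "combined" log format.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in Apache "combined" log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2008:10:01:02 +0000] "GET /poly-notes.html HTTP/1.1" 302 0 "http://www.google.com/search?q=polyamory" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2008:10:02:10 +0000] "GET /poly-notes.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2008:10:03:44 +0000] "GET /poly-notes.html HTTP/1.1" 404 209 "http://forum.example/thread/12" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2008:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=council" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2008:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [01/Jan/2008:10:06:00 +0000] "GET /moved.html HTTP/1.1" 301 0 "http://www.google.com/search?q=moved" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2008:10:07:00 +0000] "GET /moved.html HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.8 - - [01/Jan/2008:10:08:00 +0000] "GET /gone.html HTTP/1.1" 404 209 "http://www.google.com/search?q=gone" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"'
)

def from_google(referer):
    """True if the Referer host is google.com or a subdomain (assumption:
    country domains such as google.co.uk are out of scope for this example)."""
    host = (urlparse(referer).hostname or "").lower()
    return host == "google.com" or host.endswith(".google.com")

def referrer_cloaked_paths(log_text):
    """Return paths that redirect Google-referred visitors but 404 for everyone else."""
    seen = defaultdict(lambda: {"google": set(), "other": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not GET/HEAD in combined format
        path, status, referer = m.group(1), int(m.group(2)), m.group(3)
        seen[path]["google" if from_google(referer) else "other"].add(status)
    flagged = []
    for path, codes in sorted(seen.items()):
        redirected = any(300 <= c < 400 for c in codes["google"])
        hidden = bool(codes["other"]) and all(c == 404 for c in codes["other"])
        if redirected and hidden:
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    print(referrer_cloaked_paths(SAMPLE_LOG))
```

Pages that redirect everyone, or that are simply missing for everyone, are not flagged; only the split between Google-referred and other visitors is.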

"This isn't a couple of script kiddies out defacing websites," said Veaux, whose personal blog explores issues relating to S&M, transhumanism and whatever else tickles his fancy. "It appears to be a very sophisticated attack."

Veaux stumbled on the attack after Googling his own name. The search generated 56 pages of results, many of which contained a strange mishmash of text. He soon discovered all but one of the sites were hosted by Ipower and that they redirected him to websites in Eastern Europe. The redirect sites attempted to hose user machines using several known exploits. If none worked, they then invited the visitor to download a malicious Trojan, he said.

It is still unclear exactly how the attackers penetrated such a large number of sites being hosted by a single provider.

On Friday, Ipower CEO Thomas Gorny said less than 1 percent of the sites his company hosts were compromised. With company claims of at least 700,000 customers, that would translate to 7,000.

"Yesterday afternoon, our team implemented a patch that eliminated redirects from impacted customers’ sites," he wrote. "We are continuing to test the effectiveness of the patch, which seems to have resolved the issue."

Well, maybe. Of 70 hacked websites tested following receipt of Gorny's email, eight still funneled users to harmful websites. This Google search lists many of the Ipower-hosted sites that either were or still are compromised. Readers should avoid clicking on the search results themselves unless they know exactly what they're doing. ®
