IT Security Blog

17 September 2008

AARP Site Hacked and Spammed

Hackers combine bots, malware and search engine expertise to drive porn traffic

There has been a considerable increase in the use of comment and profile spam to promote pornographic or phishing sites in search engines. Today we discovered that the AARP’s website has been compromised by a two-pronged attack.

First, the hackers found vulnerabilities in AARP.org’s user profile functionality that allowed them to post JavaScript redirect code and HREF links to porn sites. Second, they employed bots in a massive campaign to submit blog comments containing links to the hacked AARP.org user profiles.

This provides hackers with multiple benefits. Among them:

  • Search engines rank sites based upon links from other sites. If a high-ranking site like the AARP (to which Google has assigned a Page Rank of 8/10) links to the hacker’s site, it increases the recipient site’s ranking and traffic.
  • The bot-driven blog comment spam drives increased visibility of the hacked AARP profiles, driving higher traffic numbers and ranking to the AARP profile itself.
  • Users who view the seemingly innocent AARP member profiles are automatically redirected to porn sites and served up malicious "anti-virus" applications to help them "fix" the problem.
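A defender-side example, added here and not AARP's code, of the kind of profile-field filter that would have blocked the abuse described above: it drops script elements, meta-refresh redirects and javascript: links, strips inline event handlers, and marks every surviving link rel="nofollow" so the profile passes no search-engine ranking to the linked site. It assumes profile fields accept a small HTML subset and that only absolute http(s) links are wanted; the tag whitelist is my choice.

```python
# Added example (not AARP's code): sanitize one user-submitted profile field and
# return what was stripped so a moderator can review the account that posted it.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a"}   # small whitelist (my choice)

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.flags, self._open, self._skip = [], [], [], 0

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        href = attrs.get("href", "")
        if tag in ("script", "style"):            # drop element and its content
            self._skip += 1
            self.flags.append(f"dropped <{tag}> element")
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.flags.append("dropped meta refresh redirect")
        elif tag not in ALLOWED_TAGS:
            self.flags.append(f"dropped <{tag}>")
        elif tag == "a" and urlsplit(href).scheme.lower() not in ("http", "https"):
            self.flags.append(f"dropped link with unsafe href {href!r}")  # text kept
        else:
            if any(k.startswith("on") for k in attrs):
                self.flags.append(f"dropped event handler on <{tag}>")
            self.out.append(f'<a href="{escape(href)}" rel="nofollow">' if tag == "a"
                            else f"<{tag}>")       # no other attributes survive
            if tag != "br":
                self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in self._open:                    # close only tags we emitted
            del self._open[len(self._open) - 1 - self._open[::-1].index(tag)]
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:                         # script/style text is discarded
            self.out.append(escape(data))

def sanitize_profile(html):
    """Return (clean_html, review_flags) for one profile field."""
    p = ProfileSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.flags
```

Link text inside a dropped javascript: anchor survives as plain text, so a spammer's profile still reads normally but no longer redirects or links anywhere.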

Typically, most blog platforms do a fair job of limiting comment spam. Even so, a cursory check for inbound links to some of the hacked AARP.org profiles shows many blogs now have the AARP.org bot-submitted links in their comment areas.

As we’ve covered before, spam makes a lot of people a lot of money. Hackers have great incentive to find vulnerabilities in email systems as well as web-based content management platforms. They're also increasingly using SEO (search engine optimization) to help stack the odds in their favor. The possibility of being able to inexpensively market on such a massive scale means the threat will never completely go away.

Whether it’s your website or your email network, constant vigilance is necessary to keep your organization from getting egg on its face.

Just ask the AARP.

(Note: The above image is from a non-JavaScript auto-redirecting post.)

Posted by webmaster at 4:12 PM | 3 comments
Re: AARP Site Hacked and Spammed
There's slightly more to it than just spam for promotion of porn pages via Google. Looking through the code shows multiple redirections via 301 then 302, which eventually lead to a Cernel-hosted site that will infect the unsuspecting user with the Zlob trojan.

Start here;
http://vurl.mysteryfcm.co.uk/?url=http://www.aarp.org/community/c1w2y8&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=4&ref=

Next, it leads you to;

http://vurl.mysteryfcm.co.uk/?url=http://plzwait.info/in.cgi?2&parameter=teen+galleries&ur=1&HTTP_REFERER=http://www.aarp.org/community/c1w2y8&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=3&ref=http://www.aarp.org/community/c1w2y8

If you look at the headers (displayed just above the source code), you'll notice the 301 via joyfulclipz.com followed by the 302 via breeddirect.com.

The final result is the Zlob trojan, courtesy of movsdevices.com, as shown in the source at the following.

http://vurl.mysteryfcm.co.uk/?url=http://plzwait.info/st/st.php?cat=63&script=1&url=http://www.wootmovs.com/m4/index.php?id=1117&n=teen&a=fireplace&v=2133734&preview=http://img2.joyfulclipz.com/st/thumbs/010/7598829497.jpg&p=100&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=3&ref=http://plzwait.info/in.cgi?2&parameter=teen%20galleries&ur=1&HTTP_REFERER=http://www.aarp.org/community/c1w2y8

Sites involved:

breeddirect.com (78.157.143.200)
joyfulclipz.com (78.108.177.124)
img2.joyfulclipz.com (78.108.177.124, also valid as img1-4.)
wootmovs.com (78.157.143.133)
movsdevices.com (77.91.231.201)
Posted by MysteryFCM on September 18, 2008 at 7:25 PM

Re: AARP Site Hacked and Spammed
Very true. There certainly are multiple tendrils to this attack. As we mentioned in the post heading, the attack was interesting in that it involved SEO website promotion, botnet-driven blog spam and malware.
Posted by webmaster on September 19, 2008 at 9:54 AM

Re: AARP Site Hacked and Spammed
OOPS.......AARP MESSAGE BOARD NOTICE (I received this notice about this virus attack. How do I get rid of this virus? Is AARP virus system capable of filtering this virus out now? Help!

This seems to be a CSRF attack.
Saturday, April 11, 2009
Posted by Cecil Adams on April 12, 2009 at 8:04 PM
