Malicious hackers have, for many years, been offering services to unscrupulous individuals and companies for monetary compensation. With the growth of Email Spam advertising everything from medical supplements to cars and lottery tickets, email scrubbers and filters have taken the game up a notch by implementing ever increasing layers of complexity to cut down on such spam. In turn, hackers have started to focus on advertising spam, such as medication and fraudulent scams by compromising web-based message boards and forums.
Hackers employ two basic techniques:
- Creating large numbers of users on forums. These accounts are then used to post spam on the message boards.
- Exploiting Web Application vulnerabilities in the software used to run the forum.
Approximately two weeks ago, Lenny Zeltser, from ISC SANS, posted an informative article about online pharmacy ads popping up on message boards. In this vein we have conducted a limited experiment with about 14,000 websites which contain spam announcing online pharmacies.
The aim of the experiment:
- What percentage of websites which advertise online pharmacies are message boards and Internet forums?
- What Web Applications, e.g. CMS packages, are used on the message boards that are compromised?
We believe this will provide us with a rough estimate of how focused are hackers toward using message boards and forums on the Internet to advertise spam. From another perspective, it will provide us some idea of how vulnerable websites are if it hosts a message board or forum from being abused by hackers.
Testing methodology:
We have used Google to mine the websites which contain certain keyword patterns such as “buy zocor online”, or “buy brand kamagra online” etc. Once the links suggested by Google were mined, each of the websites was tested against Google’s Safe Browsing List to determine if they had hosted malware (according to Google). Next, an analysis was done to determine if the link(s) mined from Google pointed to a forum or message board. This was done by identifying the presence of multiple strings inside a link. For example, if a link has the keywords “topic”, “view”, “thread” or similar keywords, including characters associated with dynamic page generation, it is probably hosting a message board or forum.
The test was conducted between January 21st and January 23rd, 2010.
Popular software packages installed on compromised forums and message boards.
We present the most interesting results below:
- 47.9% of websites displaying “online pharmacy” spam are message boards and forums.
- None of the websites advertising “online pharmacy” spam were listed on Google Safe Browsing List.
- 20.28% of forums displaying “online pharmacy” spam were using Jquery.
- 15.73% of forums displaying “online pharmacy” spam were using phpBB.
- 11.54% of forums displaying “online pharmacy” spam were using WordPress.
- 10.84 % of forums displaying “online pharmacy” spam were using Mootools.
These results and other software packages, helper-scripts, tracking-code are depicted in the graph presented above.
This small experiment shows that a high percentage of websites displaying online spam campaigns are message boards or forums. This indicates that there are many unsecured software installations and older software packages still in use which are often exploited by malicious individuals to post spam. Further, it seems that most sites which were hacked are using jQuery. This supports our previous observations regarding jQuery scripts being used to push malware to unsuspecting visitors.
Read more…
Company, News, Report
google, malware, online pharmacy spam, safebrowsing, spam
