Site Hacking for Malice and Profit

Opinion: It's the obligatory trend story. We've seen a lot of it in 2007 and there's every reason to believe there will be more in 2008.

Early this year I noted that Web site hacking is where it is at. Vulnerabilities in server-based software are a growing trend and management practices make it more likely that such sites will go unnoticed.

As 2007 comes to a close, we see another wave of such attacks, especially those that attempt to manipulate search engines as part of the scheme. It hasnt gotten a whole lot of coverage until now. Everything I see about it says it will grow in 2008.


Humans have replaced buggy software to become the primary target of online crime, according to the SANS Institute. Click here to read more.

The dominant method for hacking client PCs has become the Trojan horse, delivered through a strong social engineering angle, such as the fake greeting card, or the fake anti-spyware program, or the codec for the video you were sent. With servers its different. Vulnerabilities, especially vulnerabilities in server-based applications, are key.

The most common attack vectors seem to be PHP and PHP-based applications, such as WordPress. Vulnerabilities are found periodically in these systems. Even if they arent especially noteworthy for their security flaws (and they are), they dont get upgraded with the same urgency as clients. Even worse, low-cost hosting services often run thousands of cheap Web sites on a single server. A resourceful attacker can compromise all of them. (That may be a bad idea tactically, as it will draw attention.)

Based on what weve seen in the last year, the favorite targets for these compromises are university and government sites. Its actually quite astonishing how often you find government sites serving pornography and other objectionable content. Clearly they dont put a lot of effort into security.

Another one of these PHP sites is Al Gores It just got hacked, as described here by Symantec. The site was serving numerous links to pages with pharmaceutical information (notice that theyre hosted on a .edu site). The links were invisible to visitors to Gores site, but they did succeed in getting good search engine karma for the pharmaceutical pages.

Search engine ranking is becoming the main intermediate currency for many of these attacks. If you can get a good ranking, youll get hits, and youll get sales. Thats the theory. I dont think its proven, but maybe it works. The same people go for search engine ranking through other means, like blog comment spam and trackback spam. Click here for more examples of search engine whoring.

The other vector weve seen for compromising servers is ad networks. As we reported earlier in November, news sites you have heard of were serving redirects to sites pushing fake anti-malware and utility software. The two factors that really made this possible were ad networks not scrutinizing their content sufficiently and obscenely complex code on the news sites.

Malware in ads is nothing new. Its been going on for years in shadier circles, like porn sites and wrestling sites (yes, wrestling). But it does show how even high-profile sites are at risk of compromise through the backdoor.

Contrary to most of the predictions I see, I think that client-based malware is headed for a decline. Attitudes, modern operating systems and standard practices are getting to the point where its harder to slip stuff by without the user at least seeing something going on, and harder still to make an attack persistent.

Things are different on the server, at least out of business circles. Security management is actually rather slack, and especially on Linux servers admins must think theyre invincible. The defense side does not seem to be getting any better, and attackers are getting more experience and more sophisticated. This is why youll read a lot more about this sort of attack in 2008.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers blog Cheap Hack