Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Development

    Site Hacking for Malice and Profit

    By
    Larry Seltzer
    -
    November 28, 2007
    Share
    Facebook
    Twitter
    Linkedin

      Early this year I noted that Web site hacking is where it is at. Vulnerabilities in server-based software are a growing trend and management practices make it more likely that such sites will go unnoticed.

      As 2007 comes to a close, we see another wave of such attacks, especially those that attempt to manipulate search engines as part of the scheme. It hasnt gotten a whole lot of coverage until now. Everything I see about it says it will grow in 2008.

      Humans have replaced buggy software to become the primary target of online crime, according to the SANS Institute. Click here to read more.

      The dominant method for hacking client PCs has become the Trojan horse, delivered through a strong social engineering angle, such as the fake greeting card, or the fake anti-spyware program, or the codec for the video you were sent. With servers its different. Vulnerabilities, especially vulnerabilities in server-based applications, are key.

      The most common attack vectors seem to be PHP and PHP-based applications, such as WordPress. Vulnerabilities are found periodically in these systems. Even if they arent especially noteworthy for their security flaws (and they are), they dont get upgraded with the same urgency as clients. Even worse, low-cost hosting services often run thousands of cheap Web sites on a single server. A resourceful attacker can compromise all of them. (That may be a bad idea tactically, as it will draw attention.)

      Based on what weve seen in the last year, the favorite targets for these compromises are university and government sites. Its actually quite astonishing how often you find government sites serving pornography and other objectionable content. Clearly they dont put a lot of effort into security.

      Another one of these PHP sites is Al Gores climatecrisis.net. It just got hacked, as described here by Symantec. The site was serving numerous links to pages with pharmaceutical information (notice that theyre hosted on a .edu site). The links were invisible to visitors to Gores site, but they did succeed in getting good search engine karma for the pharmaceutical pages.

      Search engine ranking is becoming the main intermediate currency for many of these attacks. If you can get a good ranking, youll get hits, and youll get sales. Thats the theory. I dont think its proven, but maybe it works. The same people go for search engine ranking through other means, like blog comment spam and trackback spam. Click here for more examples of search engine whoring.

      The other vector weve seen for compromising servers is ad networks. As we reported earlier in November, news sites you have heard of were serving redirects to sites pushing fake anti-malware and utility software. The two factors that really made this possible were ad networks not scrutinizing their content sufficiently and obscenely complex code on the news sites.

      Malware in ads is nothing new. Its been going on for years in shadier circles, like porn sites and wrestling sites (yes, wrestling). But it does show how even high-profile sites are at risk of compromise through the backdoor.

      Contrary to most of the predictions I see, I think that client-based malware is headed for a decline. Attitudes, modern operating systems and standard practices are getting to the point where its harder to slip stuff by without the user at least seeing something going on, and harder still to make an attack persistent.

      Things are different on the server, at least out of business circles. Security management is actually rather slack, and especially on Linux servers admins must think theyre invincible. The defense side does not seem to be getting any better, and attackers are getting more experience and more sophisticated. This is why youll read a lot more about this sort of attack in 2008.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      More from Larry Seltzer

      Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack

      Avatar
      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×