Hackers Embed Spam Into Google Search Listings For Unsuspecting Sites

John Biggs

Biggs is the East Coast Editor of TechCrunch. Biggs has written for the New York Times, InSync, USA Weekend, Popular Mechanics, Popular Science, Money and a number of other outlets on technology and wristwatches. He is the former editor-in-chief of Gizmodo.com and lives in Bay Ridge, Brooklyn.

Tuesday, December 21st, 2010

A security scanning company called Sucuri.net has made us aware of a new exploit that adds a unique module to many Apache web servers that will, under the right circumstances, return spam links to Google and certain browsers. This is, in short, one of the first targeted spam systems I’ve seen in the wild.

How does it work? The hackers use an SSH or CMS exploit to gain root access and then install a small module that watches the web server’s traffic over time. When you visit the site normally you’ll see absolutely nothing amiss, even in the source code. For example, the University of the West’s website returns a regular web page and shows no problems in the source. However, when you do a web search for uwest.edu and viagra, you get the infected pages. This indelibly links the potentially popular and trustworthy uwest.edu with the spammer’s URLs.

Our contact at Sucuri.net, David Dede, sent us a partial list of hacked sites.

Most of the hacked accounts are .edu domains that are rarely maintained or updated.

What can you do if you’re hacked? Well, first update all of your passwords, hit the gym, wipe and reinstall your web server, and install the latest version of your favorite CMS. Unfortunately, the only way to tell if your site is affected is to visit it through Google with the search term “viagra” or any similar phrase. This same hack will also install malware on rare occasions (CrunchGear, I believe, was recently hit), so that is another major concern.
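The behaviour described above (a clean page for ordinary visitors, spam for Google) can be checked on your own site by requesting the same URL under different request profiles and comparing what comes back. The following Python is an added example, not code from Sucuri or from the original article; which headers the module keys on, the term list, the example hostnames and the fake fetcher are assumptions constructed for illustration.

```python
import re
import urllib.request

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:3.6) Gecko/20100101 Firefox/3.6"
# ASSUMPTION: the article does not say which request property the module keys on,
# so a crawler User-Agent and a Google search Referer are both tried.
PROFILES = {
    "browser": {"User-Agent": BROWSER_UA},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "search_click": {"User-Agent": BROWSER_UA, "Referer": "http://www.google.com/search?q=test"},
}
SPAM_TERMS = re.compile(r"\b(viagra|cialis|pharmacy)\b", re.I)  # illustrative word list
HREF_HOST = re.compile(r"""href=["']https?://([^/"']+)""", re.I)

def http_fetch(url, headers):
    """Fetch url with the given request headers and return the body as text."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

def signals(body):
    """Spam terms and outbound link hosts found in one response body."""
    terms = {t.lower() for t in SPAM_TERMS.findall(body)}
    hosts = {h.lower() for h in HREF_HOST.findall(body)}
    return terms, hosts

def check_cloaking(url, fetch=http_fetch):
    """Report spam terms / link hosts served to Google-like requests but not to a browser."""
    base_terms, base_hosts = signals(fetch(url, PROFILES["browser"]))
    findings = {}
    for name in ("crawler", "search_click"):
        terms, hosts = signals(fetch(url, PROFILES[name]))
        extra_terms, extra_hosts = terms - base_terms, hosts - base_hosts
        if extra_terms or extra_hosts:
            findings[name] = {"terms": sorted(extra_terms), "new_hosts": sorted(extra_hosts)}
    return findings

# Constructed sample pages and fetcher so the check runs offline.
CLEAN = '<html><a href="http://www.example.edu/admissions">Admissions</a></html>'
SPAM = CLEAN + '<div><a href="http://pills.example.net/buy">cheap viagra</a></div>'

def fake_infected_fetch(url, headers):
    """Constructed stand-in for an infected server: spam only for Google-like requests."""
    google_like = "Googlebot" in headers.get("User-Agent", "") or "google." in headers.get("Referer", "")
    return SPAM if google_like else CLEAN

if __name__ == "__main__":
    print(check_cloaking("http://www.example.edu/", fake_infected_fetch))
    print(check_cloaking("http://www.example.edu/", lambda u, h: CLEAN))
```

Pages with rotating ads or other per-request content will show new hosts for benign reasons, and a module that keys on the crawler's source address rather than on headers will not be triggered by this check.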

The groups or individual hackers are fairly diligent. David reports that “I saw some of their scripts and they have a list of 20+ vulnerabilities that they try on every site. Once they are inside, they create shells, backdoors and things like that.” Might make a good pre-holiday week project to lock down your server over the next few days.
