Scammers have published various advertisements for hacking services on the official websites of multiple U.S. state, county and local governments, a federal agency, as well as numerous universities.
The advertisements were contained in PDF files uploaded to official .gov websites belonging to the state governments of California, North Carolina, New Hampshire, Ohio, Washington and Wyoming; St. Louis County in Minnesota, Franklin County in Ohio, Sussex County in Delaware; the town of Johns Creek in Georgia; and the federal Administration for Community Living.
Scammers also uploaded similar ads on the .edu websites of several universities: UC Berkeley, Stanford, Yale, UC San Diego, University of Virginia, UC San Francisco, University of Colorado Denver, Metropolitan Community College, University of Washington, University of Pennsylvania, University of Texas Southwestern, Jackson State University, Hillsdale College, United Nations University, Lehigh University, Community Colleges of Spokane, Empire State University, Smithsonian Institution, Oregon State University, University of Buckingham in the U.K., and Universidad Del Norte in Colombia.
Apart from .gov and .edu sites, other victims include Spain’s Red Cross; the defense contractor and aerospace manufacturer Rockwell Collins — part of Collins Aerospace and a subsidiary of the defense giant Raytheon; and an Ireland-based tourism company.
The PDFs link to several different websites, some of them advertising services that claim to be able to hack into Instagram, Facebook and Snapchat accounts; services to cheat in video games; and services to create fake followers.
“BEST way to Hack Insta 2021,” one PDF read. “If you are looking to hack Instagram account (either yours which you got locked out from or your friend), InstaHacker is the right place to look for. We, at InstaHacker, provides our users with easy Instagram hack solutions that are safe and completely free from any malicious intentions [sic throughout].”
Some of the documents have dates that suggest they may have been online for years.
These advertisements were found by John Scott-Railton, a senior researcher at the Citizen Lab. It’s unclear if the sites he found — and we have listed — are a complete list of the sites affected by this massive spam campaign. And given how many websites were displaying very similar advertisements, the same group or individual may be behind them all.
“SEO PDF uploads are like opportunistic infections that flourish when your immune system is suppressed. They show up when you have misconfigured services, unpatched CMS [content management system] bugs, and other security problems,” said Scott-Railton.
While this campaign seems to be complex, massive and at the same time a seemingly harmless SEO play to promote scam services, malicious hackers could have exploited the same flaws to do much more damage, according to Scott-Railton.
“In this case the PDFs they uploaded just had text pointing to a scam service that might also be malicious as far as we know, but they could very well have uploaded PDFs with malicious contents,” he said. “Or malicious links.”
Zee Zaman, a spokesperson for U.S. cybersecurity agency, CISA said that the agency “is aware of apparent compromises to certain government and university websites to host search engine optimization (SEO) spam. We are coordinating with potentially impacted entities and offering assistance as needed.”
TechCrunch inspected some of the websites advertised in the PDFs, and they appear to be part of a convoluted scheme to generate money through click-fraud. The cybercriminals appear to be using open source tools to create popups to verify that the visitor is a human, but are actually generating money in the background. A review of the websites’ source code suggests the hacking services as advertised are likely fake, despite at least one of the sites displaying the profile pictures and names of alleged victims.
Several victims told TechCrunch that these incidents are not necessarily signs of a breach, but rather the result of scammers exploiting a flaw in online forms or a content management system (CMS) software, which allowed them to upload the PDFs to their sites.
Representatives for three of the victims — the town of Johns Creek in Georgia, the University of Washington, and Community Colleges of Spokane — all said that the issue was with a content management system called Kentico CMS.
It’s not entirely clear how all of the sites were affected. But representatives of two different victims, the California Department of Fish and Wildlife and University of Buckingham in the U.K., described techniques that appear to be the same, but without mentioning Kentico.
“It appears an external person took advantage of one of our reporting mechanisms to upload PDFs instead of pictures,” David Perez, a cybersecurity specialist at the California Department of Fish and Wildlife told TechCrunch.
The department has several pages where citizens can report sightings of poaching and injured animals, among other issues. The department’s deputy director of communications Jordan Traverso said that there was a misconfigured form in the page to report sick or dead bats, but the site “was not actually compromised” and the issue was resolved and the department removed the documents.
Roger Perkins, a spokesperson for the University of Buckingham, said that “these pages are not the result of hacking but are old ‘bad pages’ resulting from the use of a form — basically they’re spam and are now in the process of being removed […] there was a public-facing form (no longer in existence) that these people took advantage of.”
Tori Pettis, a spokesperson for the Washington Fire Commissioners Association, one of the affected agencies, told TechCrunch that the files have been removed. Pettis said she was not sure whether the issue was with Kentico, and that “the site hasn’t been hacked, however, there was a vulnerability which was previously allowing new members to upload files into their accounts before the profile was completed.”
Jennifer Chapman, senior communications manager at the town of Johns Creek, said that “we worked with our hosting company to remove the PDFs in question and resolve the issue.”
Ann Mosher, public affairs officer for the Administration for Community Living, said the pages “have been taken down.”
Leslie Sepuka, the associate director of university communications at the University of California San Diego, said that “unauthorized PDFs were uploaded to this site. The files have been removed and changes have been made to prevent further unauthorized access. All users with access to the website have also been asked to reset their passwords.”
Victor Balta, spokesperson for the University of Washington, said “the issue appears to have stemmed from an out-of-date and vulnerable plugin module on the website, which allowed for content to be uploaded into a public space.” The spokesperson added that, “there is no indication of any deeper impact or compromise of access or data within the relative system.”
Balta attributed the issue to Kentico.
Thomas Ingle, director of technology services at Community Colleges of Spokane, said that the problem was a Windows Server running Kentico, and that “we had documents uploaded (in this case the PDF you referenced) that other servers that were hijacked were pointing to.”
Janet Gilmore, a spokesperson for UC Berkeley, said: “There was a vulnerability found on this website,” referring to the site where the hacking ads were posted, and that the issue was rectified “to prevent this from happening again in the future.”
The rest of the named organizations did not respond to TechCrunch’s inquiries. Several calls and emails to Kentico Software were unreturned, but a short time after publication, Kentico confirmed it had been “informed about some compromised websites in the past.”
“We are aware of this particular risk that could have happened with Kentico 12 or older versions. This was identified years ago as a result of a misconfiguration, and we already addressed it at the time and changed our documentation,” said Kentico chief information security officer Juraj Komlosi in a statement.
The ultimate damage of this spam campaign is and will end up being minimal, but having the ability to upload content to .gov websites would be concerning, not just for the .gov websites in question, but for the whole U.S. government.
It has already happened. In 2020, Iranian hackers broke into a U.S. city’s website with the apparent goal of altering the vote counts. And elections officials have expressed concern for hackers hacking into election-related websites.
Updated on June 5 with a statement from Kentico.