Monetizing Web Site Defacements
What used to be a harmless web site defacement back in the old school days is today's ongoing monetization of defaced web sites, a logical development given the consolidation between different underground parties, evidence of which can be seen in the majority of incidents I've been analyzing recently.
The Africa Middle Market Fund's site is the latest example of a web site defacer abusing access to the web server to generate and locally host blackhat SEO pages. These pages are reachable only by searching for the targeted keywords, return a 404 when the traffic isn't coming from a search engine, and otherwise redirect to known rogue security software, in this case XP antivirus protection (securityscannersite.com), which you must be familiar with if you were following the assessments of the massive IFRAME SEO poisoning attacks that took place in March this year. More about the fund:
"The Africa Middle Market Fund is a private capital fund that invests in small and medium sized African businesses who need from $500,000 up to $2 million to grow and succeed to their full potential. We are a "double bottom-line" or "impact investment" fund, meaning that we care equally about financial performance and social benefit. We are for-profit and insist on our investees employing world standards of financial and business management to maximize their chances of success"
Most of the outgoing links from a sample of over 50 blackhat SEO pages at the site point to 23search.org, an invitation-only affiliate based network for traffic exchange that connects different malicious parties:
"What is this site? This site helps webmasters to earn money with their sites. How it works? Our program generate traffic from search engines and display advertising. What shell I do to start with you? Signup, get php file from member area, put file into your website directory, modify or create .htaccess in the same directory, and receive money!"
The session is then redirected to drivemedirect.com/soft.php?aid=0195&d=3&product=XPA, as well as to drivemedirect.com/soft.php?aid=0263&d=2&product=XPC, ultimately landing the user at online-xpcleaner.com/2/freescan.php?aid=880263.
Moreover, the majority of blackhat SEO campaigns are also starting to apply evasive techniques to make them harder to analyze. In this particular campaign, for instance, only traffic coming from search engines gets to see the SEO page, thanks to a document.referrer check. Here are some sample monetization practices I've seen between the lines of recently defaced sites:
- installing web backdoors and reselling the access to phishers, spammers and malware authors, who then have full control over the content and can do whatever they want with the web server
- installing web based spamming tools that are later either used directly by the defacers, or whose access is sold to those interested in using them
- participating in affiliate based blackhat SEO networks, where the revenue from victims who installed the rogue software is shared between the defacer and the network, which doesn't really care how and where all the traffic is coming from
- shifting the responsibility of hosting phishing pages onto the legitimate site by hosting them locally, while sending the phishing emails from the same host
- selling the access, promoted on the basis of the site's page rank
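The referrer-conditional behaviour described above (an SEO page that answers search-engine visitors with content and everyone else with a 404) leaves a distinctive pattern in the compromised host's own access log: the same path returning 200 to requests with a search-engine referrer and 404 to direct or otherwise-referred requests. The following detection script is an added example, not code from the original post or from any party it describes; it parses Apache/nginx "combined" format log lines and flags paths showing that split. The log lines, IP addresses and paths embedded below are constructed for the example, and the set of search-engine hostnames is an assumption a site owner would tune to their own traffic.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referrer hosts a cloaked SEO page would treat as "search engine traffic".
# Assumed list for the example; extend to match the engines that actually send you traffic.
SEARCH_ENGINE_RE = re.compile(
    r'^https?://([a-z0-9-]+\.)*(google|yahoo|live|msn|ask)\.[a-z]{2,3}(\.[a-z]{2})?/', re.I
)

# Constructed sample log (RFC 5737 test addresses, invented paths) for a stand-alone run.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2008:11:52:01 +0000] "GET /seo/cheap-antivirus.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=cheap+antivirus" "Mozilla/4.0"
198.51.100.7 - - [10/Jun/2008:11:53:14 +0000] "GET /seo/cheap-antivirus.html HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.22 - - [10/Jun/2008:11:54:30 +0000] "GET /seo/cheap-antivirus.html HTTP/1.1" 200 5120 "http://search.yahoo.com/search?p=free+virus+scan" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2008:11:55:02 +0000] "GET /seo/cheap-antivirus.html HTTP/1.1" 404 312 "http://example.org/links.html" "Mozilla/5.0"
203.0.113.31 - - [10/Jun/2008:11:56:45 +0000] "GET /about.html HTTP/1.1" 200 8800 "http://www.google.com/search?q=africa+fund" "Mozilla/5.0"
198.51.100.12 - - [10/Jun/2008:11:57:10 +0000] "GET /about.html HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.14 - - [10/Jun/2008:11:58:00 +0000] "GET /missing.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.40 - - [10/Jun/2008:11:59:20 +0000] "GET /missing.html HTTP/1.1" 404 312 "http://www.google.com/search?q=missing" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["from_search"] = bool(SEARCH_ENGINE_RE.match(rec["referer"]))
    return rec


def find_cloaked_paths(lines, min_hits=2):
    """Return paths that serve content to search-engine referrers but 404 to everyone else.

    A legitimate page answers 200 regardless of referrer; a genuinely missing page answers
    404 regardless of referrer. Only a referrer-cloaked page shows the 200/404 split.
    """
    stats = defaultdict(lambda: {"search_ok": 0, "direct_404": 0, "other": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or non-combined lines
        s = stats[rec["path"]]
        if rec["from_search"] and 200 <= rec["status"] < 400:
            s["search_ok"] += 1       # search visitor got content (or a redirect)
        elif not rec["from_search"] and rec["status"] == 404:
            s["direct_404"] += 1      # non-search visitor was told the page does not exist
        else:
            s["other"] += 1           # consistent behaviour, not evidence of cloaking
    return sorted(
        path for path, s in stats.items()
        if s["search_ok"] >= min_hits and s["direct_404"] >= min_hits
    )


if __name__ == "__main__":
    for path in find_cloaked_paths(SAMPLE_LOG.splitlines()):
        print("possible referrer-cloaked page:", path)
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; the flagged paths are the ones to inspect on disk, together with any recently modified .htaccess or PHP files in the same directories, since the affiliate kit quoted above installs exactly that pair.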
Web site defacements, in times when traffic suppliers are efficiently coordinating campaigns with traffic seekers, will mature into a tool for providing malicious infrastructure on demand, just like botnets did. Then again, the endless possibilities provided by insecure web applications are already blurring the lines between web site defacements and SQL injections.
This is Christopher Budd. I'm back here on the MSRC weblog after spending some time learning the Privacy side of our business (and getting my CIPP certification).
This advisory is to let customers know that we're aware of an issue that is affecting the deployment of the June 2008 security updates. This issue only affects customers using System Center Configuration Manager (ConfigMgr) 2007; none of our other detection or deployment technologies are affected. Also, the issue only affects the deployment of security updates to System Management Server (SMS) 2003 clients of ConfigMgr 2007 servers. This means that to be affected by this issue, you must be running a mixed ConfigMgr 2007 and SMS 2003 environment. If you are not running this specific configuration, this issue does not affect you.
The impact of this issue is that customers in this configuration cannot deploy the June 2008 security updates to their SMS 2003 clients using the Inventory Tool for Microsoft Updates (ITMU).
Our security response process focuses not just on releasing security updates but also on monitoring and making sure customers can deploy them. Because of this, in response to this issue, we've activated our Software Security Incident Response Process (SSIRP) and our engineering teams are working to develop a solution for this issue. We'll update the MSRC weblog and the advisory with more information as we have it.
In the meantime, customers can use the Software Distribution feature within ConfigMgr 2007 to deploy the June security updates, as indicated in the security advisory.
Thanks,
Christopher
*This posting is provided "AS IS" with no warranties, and confers no rights.*
An IT manager who sought revenge for an unfavorable job evaluation was sentenced to more than five years in federal prison after being convicted of intentionally triggering a massive data collapse on his former employer's computer network.