Thursday, February 11, 2010

We clearly have a security problem when 64 million webpages have the exact same scam phrase within them.

While inspecting hacked website data I found a phrase that appears to be a signature of a specific type of website infection. The phrase was "buy-phentermine- 37.5mg-without-prescription". This is a lengthy phrase and not likely to be reproduced by a reputable pharmacy in this exact form.

When I used Google to find out how many websites had this phrase within them, I was shocked. Google reported that 64 Million webpages contain the exact phrase "buy-phentermine- 37.5mg-without-prescription".


Maybe the reported Google number of 64 Million is high. Bing said 24 Million, Yahoo! said 22 Thousand. But either way, this means that there are probably millions of hacked websites out there, with just this one infection. Considering that just this one hack has resulted in so many infections, we have to be concerned. Widespread hacking is a serious problem because hacked websites lower the quality, trustworthiness and safety of the whole Internet. Depending on the exact attack used, many of these websites could also be drones in botnets or leaking confidential business or personal information to third parties.

Looking at these exact infections I see they occur on a variety of platforms and are presented in different ways. Some use 'display:none' styling to hide the links, some use 'position:absolute;left:-2000px;' to hide the links, and some don't even hide their links. Some infections are focused on taking you to a (fake) online pharmacy to buy the drugs while others seem to be more after search engine ranking inflation. Some don't seem to have any purpose since they simply link to another hacked website. This kind might be a form of search rank inflation too, if these linked sites eventually link back to the (fake) online pharmacy.

This pervasiveness is the reason RescueTheWeb.org is out to find these hacked websites, inform their owners, and get them fixed. The widespread hacking that we see on the Internet is why the word 'Rescue' is in the name of RescueTheWeb. This is a rescue mission. Anytime there are 64 million of anything you need to pay attention to it.

Website Infections that only express themselves when the HTTP Referrer is Google.

While looking for infected websites, I found a MoinMoin-based website that was infected with either a .htaccess hack or a software injection hack. The interesting part about this hack was that it only manifested itself when the HTTP referrer was set to google.com.

There have been recent articles about malware that only shows when the visitor goes to the infected website through a Google Images frame. However, this new twist applies more broadly to any web content that came up through a Google search.

We can assume the purpose of this new approach to infections is to make it harder for the website owner to find the infected webpage.

The infected content points the user to the http://pharmacy-coupon.com website using an "HTTP 302 Found" redirect.
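As an added example (not code from the original post or from RescueTheWeb), the following Python script checks a page for both symptoms described above: spam links hidden with 'display:none' or offscreen 'position:absolute;left:-2000px' styling, and content that only appears when the request carries a Google Referer (a 302 to the pharmacy site, hidden links, or the signature phrase). The two responses are passed in as plain dicts so the check runs offline; the sample pages and the spam host 'spam.example' are constructed placeholders, and the fetching itself (once with and once without a 'Referer: https://www.google.com/' header) is left to the caller.

```python
import re
from html.parser import HTMLParser
# Inline CSS the post says is used to hide spam links; 'left:-NNNpx' catches offscreen positioning.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|left\s*:\s*-\d{3,}px", re.I)
SIGNATURE = "buy-phentermine"                         # start of the signature phrase from the post
VOID = {"br", "img", "hr", "input", "meta", "link"}   # tags that have no closing tag

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: hidden itself or by an ancestor?
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(self.stack and self.stack[-1]) or bool(HIDDEN_CSS.search(a.get("style", "")))
        if tag == "a" and hidden:
            self.hidden_links.append(a.get("href", ""))
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def find_hidden_links(html):
    """Return hrefs of <a> elements that sit inside an element hidden via inline CSS."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    return parser.hidden_links

def detect_cloaking(plain, referred):
    """Compare one URL fetched without a Referer ('plain') and with 'Referer: https://www.google.com/'
    ('referred'). Each response is {'status', 'headers', 'body'}; returns a list of findings."""
    findings = []
    if plain["status"] != referred["status"]:
        loc = referred["headers"].get("Location", "")
        findings.append(f"status {plain['status']} -> {referred['status']} with Google Referer; Location={loc}")
    extra = set(find_hidden_links(referred["body"])) - set(find_hidden_links(plain["body"]))
    for href in sorted(extra):
        findings.append(f"hidden link served only to Google visitors: {href}")
    if SIGNATURE in referred["body"].lower() and SIGNATURE not in plain["body"].lower():
        findings.append("pharmacy signature phrase present only with Google Referer")
    return findings

# Constructed samples: the page as the owner sees it (no Referer) ...
CLEAN = {"status": 200, "headers": {}, "body": "<html><body><p>Welcome to the wiki</p></body></html>"}
# ... and as a visitor arriving from Google search gets it (spam host is a placeholder).
INFECTED = {"status": 302, "headers": {"Location": "http://pharmacy-coupon.com/"},
            "body": '<div style="position:absolute;left:-2000px"><a href="http://spam.example/'
                    'buy-phentermine-37.5mg-without-prescription">cheap pills</a></div>'}
```

Because the owner's own browser never sends a Google Referer, running the comparison from a crawler that does is the only way this class of infection shows up in a routine site check.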