AdSense Blackmail – Hacking Websites for Profit

We deal with different types of malware injections and compromises everyday and the most common question our clients ask us is, “Why me? Why my small little site?”

There are so many answers to this question. In some cases, someone may attack a site for fun, they may do so in the name of “Hacktivism” or it could be someone trying to prove what he/she can do. However, most of the time, it’s done for the same reason most unethical things are done:

Show me the Money!

As in many other walks of life, if there is money to be made unethically by attacking websites, then there will be some people out there willing to make it. Unfortunately there is a LOT of money to be made by taking advantage of websites that don’t have security measures put in place.

People hack sites for money. They make money distributing malware, SEO spam and even phishing. While we still encounter defacements and some other activities that do not give monetary gain to an attacker, money is the most common reason we see for attacks on websites.

To illustrate this point, we recently resolved a case where a customer was being blackmailed regarding a Google AdSense account. AdSense extortion isn’t new (there are several reports from users complaining about it), but this client’s story helps to explain what it could mean for “your small site,” and why it makes sense for an attacker to target many small sites without security measures in place instead of a couple of large ones that may offer a bigger reward per site but be more difficult to attack.

Lets get to our client’s story:

The first contact from the bad guy to our client (all misspellings and grammatical errors sic’d):

“dnt bother ur self changing paswords coz im everywhere on the net
reply and we make a deal i dnt want to destroy ur site and server
so if u want better solution contact me it is better for u i have nothing to loose”

That e-mail was followed by this one:

“you got what i mean Now
i want my adsence to stay in ur site and u dnt change them otherwise beleive me i can destroy The net nt just ur site but everything That has relation with you,im realy so shy and dnt want problem just want some money from adsence
dnt enter ur self in big hacking things”

And then this one:

“Hello i dnt want to destroy you so dnt try to be against me
i saw u r using google adsence and me too i want my google adsence banners on ur site
so choose !!!! ”

Finally, this email was received just before we finished cleaning the website:

“Look Admin i Was So Gentle With U
And u Tried to play with me a lot
You Know Now That im Inside Your Machine and Your firewall can do nothing
You Changed the adsence In Your site and deleted Mine So Me too I Will Dele=
te Yours
But Not Your adsence I Will Delete Your Database
Coz Whenever You Change Password i have The new Password

$database_host = ‘localhost’
$database_username = ‘xxxxx’
$database_password = ‘xxxx’
$database_name = ‘xxxx’

Look Dnt Even Try To Play
put back my adsence if i dnt see my adsence
i will delete everything
and folow you where ever u go
be Tuned
XXXXXXX 1337 Hacker”

Please forgive the english above, but it’s really what the “bad guy” wrote, and we wanted to paste as is to give you a sense of what this webmaster had to deal with and the harsh reality of what many of you are likely dealing with. The attacker was threatening a webmaster and trying to force them to add the attacker’s AdSense banners into the site. That would in turn transfer all revenue from the website to the attacker instead of allowing it to flow to the site owner.

The benefit of this scheme is simple; economic return for the attacker. Imagine the attacker doing this to hundreds, if not thousands, of website owners like yourself, and this starts painting a very lucrative opportunity for hackers of all shades.

The kicker here is that this isn’t extremely difficult to do. Many website owners, large and small, lack the fundamental system administration / security insights required to truly prevent and / or address scenarios like this. Example of such issues can be traced to issues like the most recent OpenSSL vulnerability, Heartbleed.

Morale of the Story: Empower yourself through Awareness.

There are a number of things that one should take away from a use-case like this:

  • Software Vulnerability Exploitation
  • Attackers Retaining Control
  • Access Control Circumvention
  • Hold Client’s Traffic Hostage – Ransomware
  • What you see is only 10% of the real problem

The various phases of the attack really look something like this:

Part I – Software Vulnerability -

In this specific scenario, the attacker was able to upload arbitrary PHP by taking advantage of unpatched software vulnerabilities, which would have been addressed through a core update of the Content Management System (CMS).

Part II – Attacker Retaining Control -

The attackers uploaded well known php-based webshells, which have one objective – retain control of the environment and do so in a way that allows the attacker to bypass existing Access Control mechanisms.

Part III – Hold Client’s Traffic Hostage -

The attacker demonstrates their control of the environment (i.e., continually makes changes, pastes output of all the changes to passwords). This is the biggest sign that there is a bigger problem and you require a deeper scan of the environment. Often, if you don’t have a detection service you can resort to crude log analysis. This is actually very similar in principle to what we have discussed in the past around “Ransomware”. Yes, ransomware applies to websites as well.

When I read scenarios like this, the first thing that comes to mind is an iceberg. It’s said that icebergs are dangerous to ships because the tip only makes up 10% of the actual iceberg. Sound familiar?

iceberg

In this scenario the root of the problem is below the surface and the key to making it all stop is figuring out how attackers are getting in.

An example of this sort of attack: there are times when hackers hijack a website by changing all passwords (ftp,cpanel and admin) and then threaten a user with deletion of the website and any backups unless the user pays up. In these cases, your first thought would be that the host could reset the passwords, however, the attacker has already injected their tools into the site code, so they can continue to change the passwords over and over until the problem is fixed (or the user pays up).

Remediating / Mitigating Website Threats

Of course, there are ways to mitigate these problems. Yes, we can point to our services, and we’d recommend you take a look, but that’s a given, so for now here are some of the questions you need to be asking yourself as a webmaster:

  1. Take a proactive approach to auditing your environment – What changes are being made? When? Who?
  2. Do you know what web logs look like? Do you know what your traffic looks like or where to start? (e.g., HINT: Parse for POST requests)
  3. Removing the issues at the surface is only the beginning. Once compromised, assume the attacker has injected backdoors to bypass your access control mechanisms
  4. Are you actively scanning for known and unknown malware payloads? SPAM? Redirections?
  5. Are you staying on top of the latest security issues? Browser vulnerabilities? Software Vulnerabilities?
  6. Malware detection and removal is half the puzzle. What do you have in place to stop an attack so you never have to deal with this problem? (e.g., do your research on Web Application Firewalls)
  7. Do you really want to be the website admin that gets hacked because you didn’t update?

So now, the question to you is:

Which of these are you prepared for and what will you do to address those that you aren’t?

Scan your website for free:
About Rafael Capovilla

Rafael is a Senior Security Analyst at Sucuri, Inc, currently leading the Website Firewall Support team. He loves IT security in general but his real passion is being able to dig into logs to do research, analysis, and correlation of web-based malware and evasion techniques. When not working, he is cooking some ogre-type food. Find him on Twitter @rmcapovilla.

  • Adam H

    Lmao, That has got to be one of the funniest bunch of emails ive seen in a while. Made the post even better :) I hope the owner of the site kept the Adsense Publisher ID and reported it along with those emails.

  • http://www.rivmedia.co.uk/ Adam H

    Lmao, That has got to be one of the funniest bunch of emails ive seen
    in a while. Made the post even better :) I hope the owner of the site
    kept the Adsense Publisher ID and reported it along with those emails.

  • tina

    Lmao, That has got to be one of the funniest bunch of emails ive seen in a while. Made the post even better :) I hope the owner of the site kept the Adsense Publisher ID and reported it along with those emails.

  • http://hackrepair.com/ Jim Walker

    Nice write up and summary Rafael. Thank you.

  • http://alnafiz.com vizsec

    superb funny

  • PY

    Posts about how smart you guys are and how your product detects something affecting people not cutting it anymore? Feel you need to resort to the old, infosuck tactic of scaring people into buying your crap? Because ironically, that’s a lot like the gimp you wrote about.

  • kevin

    poor hacker.. :) was hacking for adsense income :P