We were cleaning up a compromised site today (with the unfamous pharma hack), when we saw multiple spam links in the hacked site pointing to ucalgary.ca (big Canadian university). What was interesting is that it was not pointing to a small department sub-domain, but to their main site.
It means attackers were using domains at the University of Calgary to help increase their PR (page rank) and to sell pharmacy related products online.
These were some of the links in their main site that were being used (still live):
http://www.ucalgary.ca/uci/node/19228
http://www.ucalgary.ca/uci/node/491
http://www.ucalgary.ca/uci/node/426
.. hundreds more..
As we dug deeper, we saw more and more links with spam in their main site and on sub-domains:
http://ess.ucalgary.ca (engineering society)
http://www.arctic.ucalgary.ca/
http://fp.ucalgary.ca/
http://webapps2.ucalgary.ca
So what is going on? It seems that those sub-domains are in fact hacked and being used to distribute spam. Their main site, however, looks ok, but it has an open wiki (not moderated) that is allows anyone to post any content (including SPAM in there). So guess who is using that to their advantage? Exactly 🙂
If you do a quick search on Google for ‘viagra site:ucalgary.ca’, you will find more than 2 thousand pages infected. 
Scanning those sites with our malware + spam monitor, we were able to identify more and more pages with spam.. If you know anyone at UC IT department, let them know about it so they can fix it.
Infected with malware? Spam? Blacklisted? We can clean it up for you: http://sucuri.net
Rianna MacLeod
Denis Sinegubko
Luke Leal
Art Martori
Justin Channell
Krasimir Konov
5 comments
Our website was not hacked. When the forum was enabled by a Site Admin they allowed anonymous users to both create and edit their own forum topics (without spam protection.) We will be fixing this.
Geeze –
Comment spam?
I’d have thought that a ‘security researcher’ would have taken the time to notify someone at ucalgary.ca & get the facts straight before turning this into a blog post.
I know that’s difficult, (using whois and all), but heck – you guys are smart, right?
I guess you didn’t read the article? 🙂 We said that the main site had an open wiki, but the others were indeed hacked.
http://www.ucalgary.ca/it/contact-us
I’ll suggest that contacting them first & offering your assistance (for a fee) would be a better path to follow. It certainly would less likely to annoy a potential customer.
Comments are closed.