Visiting the Stars & Stripes website this morning, I was surprised to see the following:
Stripes.com hacked; users’ computers may be affected
The Stars and Stripes Web site appears to have been struck by a hacker early Saturday. Indications are that this may have been related to an automated cyber-attack launched last month that compromised more than 10,000 web pages, including everyday destinations such as travel, government and hobby sites. Such attacks typically plant a piece of Javascript code that diverts users to a site in China, where malicious software (“malware”) tries to break into the user’s computer. Security experts have noticed a recent trend in which hackers target individual computers rather than better-protected networks.
The problem on the Stripes site has been resolved. Users who tried to visit the site between midnight and 9 a.m. on Saturday Eastern time, or experienced any difficulties accessing stripes.com in the past couple of days, are encouraged to update and run their anti-virus scan programs.
More information about malware can be found at such sites as http://www.clamwin.com/ and http://www.malwarehelp.org/, or at the sites of such security companies as McAfee and Symantec.
The one line about S&S’s website possibly being involved in a 10,000-strong network of hacked sites actually refers to a recently discovered trend in which popular sites running the WordPress blogging software have spam-related links embedded into their web pages. After the affected sites were hacked, which many believe was due to unknowingly using malicious third-party WordPress layouts, hidden links directing people to pharmaceuticals, credit cards, etc., were embedded into multiple pages.
Why have spam links on a page if they’re invisible, you ask? Welcome to the world of “Blackhat Search Engine Optimization (SEO),” in which spammers attempt to game search engines like Google and Yahoo!, which calculate how many reputable sites carry a link to whatever someone might be searching for and create a “rank.” The higher the rank, the more likely it is to show up when someone searches for something like “viagra” or “credit cards.” The spammers then host shoddy scam sites that receive the most traffic from these gamed search engines, and then get money for every incoming click or sale. Surprisingly, there’s a lot of money to be made in the SEO industry…but you have to sell your soul first.
Back to the issue of Stars & Stripes being hacked. From what I can tell, Stripes’ site isn’t using WordPress. Their Blogs area looks like it’s running Drupal, an open-source Content Management System (CMS). So I wonder if there’s a vulnerability in the version of Drupal they’re running, or if in fact they were hacked. Since their site does seem to be a little behind the times, I wouldn’t be surprised if they were compromised using the ever-prevalent and easy-to-execute SQL injection. It just so happens SQL injection is a favorite attack method of many Chinese hackers. In fact, they’re famous for making what is probably the most ingenious and dangerous SQL attack automation software out there. The warning on the S&S page said users were being redirected to Chinese servers. While it’s entirely possible a hacked machine in China was just being used as a go-between, I wouldn’t be surprised if China was actually behind the attack. They enjoy hitting sites popular with US military, and what’s better than good ol’ Stars & Stripes?
Reading through some of the blogs investigating the previously mentioned network of hacked blogs, some believe the attackers to actually be Filipino as some of the discovered attack code had Tagalog throughout. I still think it’s China.
Just another reason I use websites’ RSS feeds over always visiting them.
Update: For those running blogs/websites who want to check if they’ve been part of this major hack, you can get a list of all the links found on a page, hidden or not, using Firefox (which you should already be using).
Go to Tools > Page Info > click on the “Links” tab.

Comments 1
Stars & Stripes sucks, they deserve it.
Posted 19 Apr 2008 at 4:36 am