The 2007 cash cow – compromised web sites

By now, most users are broadly familiar with the concept of compromised machines; machines that have been pwned, under some form of remote command. The familiarity even extends to appreciating some of the uses to which compromised machines can be put. Perhaps the publicity that families such as Dorf (aka Storm) have generated helps people to understand the dangers of having a machine compromised.

I am in no way convinced the same is true for peoples’ understanding of compromised web sites. Despite significant press attention throughout 2007, and numerous articles and technical papers published by security vendors, I am still left with the feeling that site owners/administrators/developers do not truly grasp the consequences of a compromised web server.

Where sites used to be compromised to display the hacker’s tag, they are now compromised in a more sinister, functional way. The use of compromised sites by hackers has grown apace over the past 12-18 months. Most of the sites involved are compromised to link to other remote servers. This creates a ‘malware delivery mechanism’, something of a cascade effect involving many sites in some cases. Of course, the victim is unaware of this – when they browse the compromised page the chain of requests to other malicious content happens silently and in the blink of an eye (something commonly referred to as a drive-by download).

The use of compromised sites extends beyond malware however. It is important to remember that once compromised, the site can be used to host whatever content the hacker wants. The situation is highly dynamic as well – by directing compromised sites to other sites they own, hackers are able to control the flow of web traffic to a final destination of their choice.

To help illustrate these points, I thought I would give a couple of examples I have seen this week.

Firstly, a phishing attack. We frequently see phishing attacks where the phish site (spoofed version of the site of the targeted institution) is hosted on a compromised site. Earlier on today, amongst the phishing attacks we identified, I noticed two (targeting the National Bank of Kuwait, and the Abbey National).

[Abbey phish]

The second example highlights the multiple uses a compromised site is often put to. A couple of days ago, we identified a routine meds campaign where the spam message contained a link to a page on various sites.

[Meds campaign spam]

The page in question simply redirected to another site displaying the usual shop window for little blue pills and the like. However, closer inspection of the site used in the spam message showed that many of them were compromised sites – the spam message simply pointed to a redirect page that had been uploaded there. Of these compromised sites, several where not new to SophosLabs – we had seen them being used in various other web attacks. One such attack is illustrated in the flowchart below. The green arrows coming in from the top represent the links from these compromised sites.


The web page highlighted in yellow in this diagram is one under the hackers direct control, enabling them to direct the flow of traffic. Such control is of value – other hackers may pay money for the traffic to be directed towards their attacks, in order to infect victims with their malware.

In short, compromised web sites provide a mechanism for hackers to direct a huge amount of traffic into ‘paths’ or ‘flows’ of their choice. They also provide a convenient repository to store malicious or illegal content. We have seen a sharp growth in malicious web activity in 2007. The relatively ‘soft’ nature of the target (poorly secured sites, servers, vulnerable applications etc) makes it very enticing for the bad guys. Let’s hope that 2008 will be the year in which the many facets of web security are taken more seriously.