Your Fly Is Open

Netmenaces and other Internet Stupidity

Wait... Wut?

With age, there comes a certain level of acceptance of our limitations. Some of those limitations are associated with growing older - i.e. my career as a Chippendales dancer likely won’t be “taking off” anytime soon. Some of those limitations have been with us our entire life: I can readily admit that most of the time, I’m not the brightest bulb in the box.

I can, however, generally wrap my brain around many of the scams and cons that make up the base of what has come to be known as “cyber attacks” (drink!).

What I found today is different. I haven’t got a clue.

Having had a few “run-ins” with some of the fine, upstanding folks who supply pre-written term papers to spoiled post-pubescents with more money than ethics, I was trolling around the dark underbelly of the Internet in search of SEO hacks.

Search Engine Optimization (or SEO) is a term for a bag o'tricks designed to make your website appear higher in search engine listings. Some of these “optimizations” are totally legit (i.e. using “META” tags in the header of your web page to highlight specific keywords from your content) and some are… well… let’s just say that they’re of “questionable legality.”

One of the strongest parameters controlling your site’s placement in search results is the number of other sites that link to you. Sites with lots of inbound links are viewed as being more popular and therefore rank higher in search engine results. The algorithms behind search engine rankings also take into account the popularity of the sites that link to yours… creating a sort of unholy bouillabaisse of circular references. Be that as it may, this “popularity of the sites linking to you” thing is very important because, back in the day, scammy folks used to set up sites containing nothing but links to their other sites… as a means of driving their search engine ranking higher. By limiting an inbound link’s SEO “boost” based on the popularity of the site it comes from, these “link-farm” sites became useless… because a site containing pages of nothing but links to other sites isn’t very popular… unless your name is… well… Google.

So what’s a poor, morally bankrupt purveyor of pre-written research papers to do? How can they find a way to differentiate themselves from all of the other poor, morally bankrupt purveyors of pre-written research papers? They could try to get one hugely popular site to link to them, or they could somehow get links on LOTS of smaller sites…

And so, these bastions of business acumen spend years toiling to provide their clientele with superior products and service. In turn, their clients - bathed in the almost effervescent aura of customer satisfaction - throw caution to the wind and write glowing reviews (complete with links) on their personal blogs, in spite of the fact that they are, essentially, admitting to purchasing their diploma rather than… you know… actually thinking.

Nah… just kidding. They hack a bunch of sites.

In a strangely eerie parallel to their entire business model, these lowlifes take the easy road to search engine ranking by hacking into sites and creating links back to themselves. (Important note: it isn’t just the term paper jockeys doing this stuff… pretty much every questionable ‘net “business” out there - from “cheap cigarettes” to “pharma” to “genuine ‘nfl’ jerseys” - is doing SEO boosting hacks…)

“Hold on a dang second…,” I hear you cry. “Isn’t that like a burglar leaving a note with their name and address on it at the scene of the crime?”

That’s EXACTLY what it is like - and yet they still get away with it. Why? Because, apparently, I’m the only person in the world who gives a crap about this stuff… (Important note #2: Sometimes the links just appear. Who knows how. They just do. Or… sometimes the links are placed by competitors. Yeah. That’s it. Competitors. EEeeevil Competitors…)

But I digress…

Today, I happened to notice that a bunch of unrelated sites had PDF files added to them that appeared to be advertising term paper “services.” I was intrigued, so I grabbed a few.

That’s where the puzzle began. You see, I simply don’t understand what’s going on. But, before I go on to describe what I don’t know, let me start with what I do know:

  1. The hacked sites are all running WordPress ("The WebApp Hacker's BFF"™)
  2. These files are absolutely meant for Google's consumption. The only way that you can get the file is if the User-Agent on the request matches GoogleBot. (English translation: Every time you request something from a web server, your browser identifies itself so the server can - potentially - deliver content tailored to the type of browser you're using - e.g. a browser on a mobile phone might get different content from a browser on a system with a larger screen, like a desktop computer. The browser does this by passing along something known as a "User-Agent" string specific to the type and version of browser you're using. When Google indexes web pages for its search engine, it uses a tool that visits websites - known as a "spider." This tool, which goes by the name "GoogleBot," uses a very specific "User-Agent" string that can be easily identified.)
  3. The PDF files appear to be generated with TCPDF, a PHP library that is often used for generating PDF files from web applications. HOWEVER: The files themselves appear to be static. TCPDF actually generates a date/time string when the file is created and edited - these DO NOT change when grabbing a file multiple times. Initially, I thought that TCPDF might have been installed on the site as part of the hack to generate PDFs on the fly, but having grabbed the same file repeatedly and seen no difference, I don't think it is.
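The "are these files static?" check in item 3 can be automated: TCPDF writes a /Producer string plus /CreationDate and /ModDate into the PDF's Info dictionary, so if several fetches of the same URL carry identical timestamps, the file is being served from disk rather than generated per request. The script below is an added example (not code from the original post): it pulls those Info entries out of raw PDF bytes with a regular expression and compares them across copies. The sample PDFs are constructed, minimal skeletons with a TCPDF-style Info dictionary, not the files from the hacked site.

```python
"""Compare the TCPDF Info-dictionary timestamps across repeated fetches of one PDF."""
import re
from typing import Iterable, Optional

# A PDF literal string: parentheses, with backslash-escaped characters allowed inside.
_PDF_STRING = rb"\((?:\\.|[^\\)])*\)"


def pdf_info_entry(data: bytes, key: str) -> Optional[str]:
    """Return the value of '/<key> (...)' from the PDF's Info dictionary, or None."""
    m = re.search(rb"/" + key.encode() + rb"\s*(" + _PDF_STRING + rb")", data)
    if not m:
        return None
    raw = m.group(1)[1:-1]  # strip the enclosing parentheses
    # Undo the two escapes TCPDF actually emits in its Producer string.
    return raw.replace(rb"\(", b"(").replace(rb"\)", b")").decode("latin-1")


def pdf_dates(data: bytes) -> dict:
    """CreationDate / ModDate as written by the generator (PDF 'D:YYYYMMDDHHmmSS' form)."""
    return {k: pdf_info_entry(data, k) for k in ("CreationDate", "ModDate")}


def looks_static(copies: Iterable[bytes]) -> bool:
    """True if every fetched copy carries identical timestamps, i.e. it was not
    generated on the fly at request time."""
    distinct = {frozenset(pdf_dates(c).items()) for c in copies}
    return len(distinct) == 1


def _sample_pdf(created: str, modified: str) -> bytes:
    # Constructed: a minimal PDF skeleton with a TCPDF-style Info dictionary.
    # The Producer value below is the form TCPDF writes; the dates are made up.
    return (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"3 0 obj\n<< /Producer (TCPDF 6.2.13 \\(http://www.tcpdf.org\\)) "
        b"/CreationDate (D:" + created.encode() + b") "
        b"/ModDate (D:" + modified.encode() + b") >>\nendobj\n"
        b"trailer\n<< /Info 3 0 R /Root 1 0 R >>\n%%EOF\n"
    )


# Three "fetches" of the same URL, all carrying the same constructed timestamp.
STATIC_FETCHES = [_sample_pdf("20160914040419+00'00'", "20160914040419+00'00'")] * 3
# Two "fetches" whose timestamps differ, as a per-request generator would produce.
DYNAMIC_FETCHES = [
    _sample_pdf("20160914040419+00'00'", "20160914040419+00'00'"),
    _sample_pdf("20160915010203+00'00'", "20160915010203+00'00'"),
]

if __name__ == "__main__":
    for label, copies in (("static", STATIC_FETCHES), ("dynamic", DYNAMIC_FETCHES)):
        print(label, pdf_info_entry(copies[0], "Producer"), pdf_dates(copies[0]),
              "static" if looks_static(copies) else "generated per request")
```

In practice you would feed `looks_static()` the bytes of the same URL fetched a few minutes apart (with the GoogleBot User-Agent, since that is the only way the file is served); identical dates across fetches are the evidence the post describes.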

But what doesn’t make sense is this: The PDF files contain NO LINKS. Not one. None. Zilch. Zip. Zero. Nada…

What is the point of an SEO hack without links?

Maybe I’m missing something. I have to be missing something.

I even asked Didier Stevens - who has probably forgotten more about PDF files than I ever knew - to take a look. He confirmed what I was thinking: these files have no links… and therefore no real SEO value.

You can take a look for yourself. I’ve posted one of the files (zipped) here. (Note: While I’ve looked at this thing six ways to Sunday and seen nothing malicious, I make no guarantees that opening it won’t blow up your computer, kill your dog, and turn you sterile… You’ve been warned.)

I don’t get it…

Why go to the trouble of hacking a website just to install these lame PDF files? On top of that, there is evidence that someone has been going around and placing comment spam with links to these files. What’s the point? Remember: These files are only going to be seen by GoogleBot, so that places a huge “fence” around their potential uses.

Anyone have an idea?

UPDATE (September 15, 2016): Ok, after doing a little more digging, I think I may have a handle on what is going on here. Before I get into describing what I think the point of all of this may be, let me explain some additional details that I’ve found that led me to my conclusion.

The first clue came when I did a little additional searching using Google’s “site” parameter (to lock my search to the site in question) coupled with “filetype:pdf”. (Note: It appears that the PDF files added by the attacker are the only PDF files on this site…) I was somewhat shocked to see that Google had indexed 2,500 “PDF” files added to the hacked site. Yes, you read that right… The content added by the attacker is somewhere around 20 times the number of pages of the site’s original content.

The next clue came when I followed one of the links from the Google search page and ended up triggering this cascade of redirects:

A cascade of redirects
HTTP/1.1 302 Moved Temporarily
 Redirect to: http://lnkgo.net/zHU2hoJ
Date: Thu, 15 Sep 2016 04:04:19 GMT
Server: Apache
Location: http://lnkgo.net/zHU2hoJ
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

GET http://lnkgo.net/zHU2hoJ
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

HTTP/1.1 301 Moved Permanently
 Redirect to: http://www.paperhelp.org/?pid=7783
Date: Wed, 14 Sep 2016 21:28:03 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.45
Location: http://www.paperhelp.org/?pid=7783
Content-Length: 0
Content-Type: text/html; charset=UTF-8

GET http://www.paperhelp.org/?pid=7783
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=t5chg9l1eu7qilq6qgnbpds8g5; partner_id=7783; un=1; client_start_time=1473888484; client_country=US; client_ip=162.217.121.125

Note: I tried it multiple times with multiple files, always ending up at paperhelp.org…

So, functionally, here’s what seems to be going on:

  1. The attackers gain access to a WordPress site using some flaw du jour affecting WP
  2. The attackers then alter the WP code to perform the following actions:
    1. When GoogleBot comes calling, it serves up a PDF file containing a "potential term paper topic" as its title. There are LOTS of these "PDFs" on a given hacked site.
    2. If someone browses to the site, looking for one of those PDF files, and has Google (and - potentially - other search engines) as a Referrer, it redirects to lnkgo.net (which, in turn, redirects to paperhelp.org)
    3. Anything else... let it fall through to the site itself... in the case of the PDF files - that don't actually exist at the location they're being requested from - the site returns a normal HTTP 404 error.
  3. The attacker then goes about using "traditional" comment spam to "seed" the PDF links into Google's search database.
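The three-way behaviour in step 2 (200 for GoogleBot, a redirect for visitors arriving from Google, a 404 for everyone else) leaves a distinctive fingerprint in the web server's access log, which is the easiest place for a site owner to spot it. The script below is an added example, not code from the post: it assumes Apache "combined" log format, groups requests by path and visitor class (GoogleBot, search-referred, direct), and flags any path whose status code depends on who is asking. The log lines are constructed for the example; the Chrome User-Agent is the one from the capture above and the GoogleBot one is Google's published string.

```python
"""Flag paths in an Apache combined access log whose response depends on the visitor:
200 to Googlebot, 3xx to search-referred browsers, 404 to everyone else."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumed Apache combined format: host ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SEARCH_REFERERS = ("google.", "bing.com", "yahoo.com")


def parse_line(line: str) -> Optional[dict]:
    """One log line -> dict of fields, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def visitor_class(entry: dict) -> str:
    """Classify the request the way the hacked site's code does."""
    if "googlebot" in entry["ua"].lower():
        return "bot"
    if any(s in entry["referer"].lower() for s in SEARCH_REFERERS):
        return "search-referred"
    return "direct"


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Return {path: [flags]} for paths that answer differently per visitor class."""
    statuses = defaultdict(lambda: defaultdict(set))  # path -> class -> {status codes}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        statuses[entry["path"]][visitor_class(entry)].add(entry["status"])
    findings: Dict[str, List[str]] = {}
    for path, by_class in statuses.items():
        flags = []
        direct_404 = 404 in by_class["direct"]
        if 200 in by_class["bot"] and direct_404:
            flags.append("ua-cloaking")          # exists only for the spider
        if any(300 <= s < 400 for s in by_class["search-referred"]) and direct_404:
            flags.append("referer-redirect")     # bounces search traffic elsewhere
        if flags:
            findings[path] = flags
    return findings


# Constructed sample log. IPs are documentation ranges; the PDF path is made up.
CHROME = ("Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36")
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
PDF = "/wp-content/uploads/2016/09/essay-topic-example.pdf"
SAMPLE_LOG = [
    f'203.0.113.5 - - [14/Sep/2016:21:27:40 +0000] "GET {PDF} HTTP/1.1" 200 18321 "-" "{GOOGLEBOT}"',
    f'198.51.100.7 - - [14/Sep/2016:21:28:03 +0000] "GET {PDF} HTTP/1.1" 302 20 "https://www.google.com/" "{CHROME}"',
    f'198.51.100.9 - - [14/Sep/2016:21:31:45 +0000] "GET {PDF} HTTP/1.1" 404 4096 "-" "{CHROME}"',
    f'203.0.113.5 - - [14/Sep/2016:21:32:10 +0000] "GET /about/ HTTP/1.1" 200 9021 "-" "{GOOGLEBOT}"',
    f'198.51.100.9 - - [14/Sep/2016:21:33:02 +0000] "GET /about/ HTTP/1.1" 200 9021 "https://www.google.com/" "{CHROME}"',
]

if __name__ == "__main__":
    for path, flags in analyze(SAMPLE_LOG).items():
        print(path, ", ".join(flags))
```

A legitimate page such as `/about/` answers 200 to everyone and is never flagged; the planted PDF path is flagged on both counts. Running this over a real log also gives you the list of paths to hand to the site owner, and the count of distinct flagged paths is a quick way to confirm the "thousands of PDFs" scale the Google `site:` search suggested.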

So… none of this was making sense because I was expecting this to be “standard” SEO hacking - but this isn’t a “standard” SEO hack. I think what’s going on here is something like the “spear phishing” version of SEO hacking.

Essentially, this seems to be an attempt to plaster Google with a metric-crap-tonne of individual PDF files, each containing an “essay-topic-like” title, and enough keywords to potentially get noticed by someone desperately searching for information on that essay topic. Clicking on the search engine link will then fast-forward you to the term-paper-for-sale site.

Now… far be it from me to even begin to question how the fine, upstanding folks at paperhelp.org shadily advertise their already relatively shady business. (I know that they’re probably going to be reading this at some point, so please indulge me while I save them the trouble of denying all of this: “Of course you didn’t have anything to do with these files appearing on these hacked systems. Of course it’s just a miraculous coincidence that clicking on the links in Google’s search results ended up dumping me out at your website. The Internet is filled with miraculous coincidences like that…”) Anyhoo… I’m thinkin' that this “spear-SEOing” will only work if you have a broad enough list of potential essay topics and if you get enough PDF files out there (and noticed by the search engines…) - and, most importantly, those sites stay hacked. Unfortunately… all of that is going to quickly fall apart as I spend the next few days exercising Google’s search capabilities and notifying site owners.

Sorry, paperhelp.org. Perhaps, like the fine folks at SpeedyPaper, you shoulda' done a bit more research.

P.S. - Since I’m pointing various government agencies as well as those whose sites have been hacked at this page, I want to state: I’ve got full logs of everything I’ve found, just in case anyone out there would like to (legally) stomp on these bastards.

-TL
Tom Liston
Consultant - Cyber Network Defense
DarkMatter, LLC
Twitter: @tliston
September 14, 2016

A Miracle in University Park

We had our carpets cleaned yesterday. If anything is to blame, it’s probably that.

Our house is now a mildly humid wasteland of locations I’m currently not allowed to walk, so instead of sitting up in my nicely appointed office, I’ve been banished to the basement (the only place in the house - besides the four-year-old’s room - that didn’t get cleaned and isn’t all… well… moist.)

So I’m sitting in the basement watching a dumbass mouse, that somehow ended up in our window-well, beat his tiny little brains out jumping against the window rather than climbing up the stick I leaned down in there earlier today as an escape path for him.

It’s all left me in what can best be described as a mood.

Fugget About It

I want to try to convey my utter contempt for the whole “we have an abuse@ address - monitor our network for us” mentality that seems to have become de rigueur for all hosting providers. Is this an attitude that we would tolerate in other businesses? Here’s my fictional take:

Squeal: A Story of True Love, Perseverance, and Pigs

This is a story two and a half years in the making. Even though I’m putting it here, it really doesn’t have much (or anything) to do with security - it’s more of a story about living life. Maybe that’s the point. Hopefully you’ll enjoy the ride.

Extraordinary Claims : Ordinary Evidence

The phrase is attributed to Marcello Truzzi, founding co-chairman of the Committee for the Scientific Investigation of Claims of the Paranormal (CSICOP):

"An extraordinary claim requires extraordinary proof."

Truzzi’s quote, from his work, On the Extraordinary: An Attempt at Clarification, Zetetic Scholar, Vol. 1, No. 1, p. 11, (1978) echoes ideas developed much earlier by various metaphysical philosophers. In his 1832 paper Théorie Analytique des Probabilités, Laplace wrote: “The weight of evidence for an extraordinary claim must be proportioned to its strangeness.” In his An Enquiry Concerning Human Understanding (1784), David Hume wrote: “A wise man … proportions his belief to the evidence,” and “No testimony is sufficient to establish a miracle, unless the testimony be of such a kind, that its falsehood would be more miraculous than the fact which it endeavors to establish.”

But it’s 2016. All that old sk00l thinking is… well… antiquated. In an era where 24-hour news isn’t so much about “facts” as it is about “engagement,” the world of Laplace, Hume and Truzzi is nothing but an irrelevant memory of a more naïve time.

Why Lie?

People lie to me.

A lot.

The thing is, I’m not entirely sure why.

The scenario goes something like this:

Someone’s computer gets 0wned. It really doesn’t matter how, and in most cases, I actually don’t know how. It just gets 0wned.

The bad guys doin' the 0wnin' install some malicious software that uses the 0wned machine (and the 0wned machine’s bandwidth) to start scanning the ‘Net for other 0wnable machines. Eventually, the malicious scanning software finds my honeypot.

The whole point of a honeypot is that it looks incredibly 0wnable. Specifically, my honeypot system looks to be vulnerable to dozens of different kinds of attacks. When the malicious scanning software finds my honeypot, its little digital salivary glands shift into overdrive.

And thus, the dance begins…

Pwned Me a N00b

The following is a Medieval tale of treachery gone awry. Its origins date back to my time working at InGuardians: we had a client who had an employee who was convinced that his boss was wasting money hiring a professional security consulting firm. He was pretty sure that he knew waaay more than those “InGuardians dudes” and, to prove his point, he planned a little stunt. He decided that when we started doing our testing, he would try “hacking back” just to see if we were being careful - if he found anything “fun,” he would use it to make us look foolish to his boss.

I was the one doing the testing… and I’m always careful.

Imagine his surprise when he found out how incredibly easy InGuardians was to hack…

Ambulance Chasing

There are a lot of unwritten rules in the security industry and, unfortunately, there’s a whole crop of new companies coming up that just don’t seem to understand them. So, as a public service, I’m going to explicitly explain one of them here… i.e. an “unwritten rule” is about to become “written”:

Thou shalt not chaseth ambulances.

Po-tay-to... Po-tah-to...

I returned from vacation to find two very different things:

  • The refrigerator/freezer in our barn died while we were away, and instead of cooling, it decided to raise the food it stored to something slightly higher than room temperature
    • This situation created what can only be described as an "incredibly unique" smell
    • I also learned that a frozen turkey, enclosed in that sort of nifty shrink-wrap covering, "out-gases" enough after a few days at room temperature to resemble, ironically, a Macy's Thanksgiving Day Balloon.
  • An odd package in the mailbox
    • It was unexpected, lumpy, and from somewhere I didn't recognize
    • Did I mention it was lumpy?