Your Fly Is Open

Netmenaces and other Internet Stupidity

A Miracle in University Park

We had our carpets cleaned yesterday. If anything is to blame, it’s probably that.

Our house is now a mildly humid wasteland of locations I’m currently not allowed to walk, so instead of sitting up in my nicely appointed office, I’ve been banished to the basement (the only place in the house - besides the four-year-old’s room - that didn’t get cleaned and isn’t all… well… moist.)

So I’m sitting in the basement watching a dumbass mouse, that somehow ended up in our window-well, beat his tiny little brains out jumping against the window rather than climbing up the stick I leaned down in there earlier today as an escape path for him.

It’s all left me in what can best be described as a mood.

CLIMB THE FRICKIN' STICK YOU IDIOT!

Anyhoo… Either because of the swampy carpets or Jumpy the Wonder Mouse™, I’m in a mood, and what better way to expend some pent-up moodiness than to screw with Internet Denizens of Questionable Morals (IDQMs for short).

NOTE: To the right, you’ll find a lovely collage of action shots of “Jumpy”. You’re welcome.

Having had more than a bit of fun earlier in the summer with one of my favorite IDQMs, SpeedyPaper, I decided to see if I could make their life a little more interesting.

[A recap: Earlier this summer, I found that someone had hacked several websites - The U.S. Capitol’s Virtual Tour, The Navy League (a charitable organization that supports the US Navy and Coast Guard), and the Holiest of Holies: the website of Skyline Chili. In each instance, the hackers had left behind “SEO” links that round-robin redirected anyone following them to several purveyors of “term paper assistance.” I notified the affected site owners and also called out SpeedyPaper (a “beneficiary” of these links), via their Twitter account, to ‘splain just exactly how links leading to their website had “appeared” on these hacked sites. You can read the details of those sagas here and here.]

Today, I decided to do a Google search for “site:.org speedy paper term”. This locks my search to the “.org” top level domain (TLD) and finds pages that contain the words “speedy,” “paper,” and “term.”

Hey… lookie there!

Aaaaand… another site joins the “research paper SEO” hit parade. This time, it’s the site for the Town of University Park, Maryland.

Clicking on that link created the following cascade of internet linkage:

A Cascade of Internet Linkage...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
GET http://www.upmd.org/index.php/lead-research-paper/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=646b4155b76b9632d52a3d64becb076b

HTTP/1.1 307 Temporary Redirect
 Redirect to: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=upmd.org&utm_referrer=http%3A%2F%2Fupmd.org%2Findex.php%2Flead-research-paper%2F&utm_keyword=lead+research+paper
Date: Thu, 08 Sep 2016 16:32:49 GMT
Server: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch11 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch11
Location: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=upmd.org&utm_referrer=http%3A%2F%2Fupmd.org%2Findex.php%2Flead-research-paper%2F&utm_keyword=lead+research+paper
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

GET https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=upmd.org&utm_referrer=http%3A%2F%2Fupmd.org%2Findex.php%2Flead-research-paper%2F&utm_keyword=lead+research+paper
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dee0a566f25b25cba8a72327465573e201473350225; spv=eyJpdiI6IlJ3T3RJeFNqMHlmSnZEXC9kZ0R3bXlBPT0iLCJ2YWx1ZSI6IkNUbTM1SW1qUmdnaFQrQUxTZFgwK0E9PSIsIm1hYyI6ImQ5YWM3NjAyMjU2NTQ3NWMyYTQwODI2MDZlYzE5OTE2NDAzNWY2MzUxZDI1ODNlNjEyNDU0MmJmOTYwMzE5NTYifQ%3D%3D; spu=eyJpdiI6InE5S001V0F4NnR1VFF5OEQ5eE5KQ3c9PSIsInZhbHVlIjoiMlFpaWQzY3BnY0VMNTdQUWY5TlwveXc9PSIsIm1hYyI6IjJkNmU0ZjM3ZTQ1ZWQyY2I3ODRhZDExZWJlYzA4OGM1YjgwM2EwMDQ0ZTRlYzA1MzU1MTRjMjRjYWIzNTM2MTkifQ%3D%3D; spvis=eyJpdiI6IkRFcWdzQlRtdmJPdHEzSmVkRUwzN0E9PSIsInZhbHVlIjoiemYyb090MGlucFFlZjZ4VkxyZTJ1QT09IiwibWFjIjoiMDk4ZDljMzYwM2E0NzdjZGM2ZTJhYTFmNjdkNGQwODA4OTM2MDAyMjJiZmU3NTdiMTI0MDkzMmVhNTc0M2FmMiJ9; laravel_session_speedypaper=eyJpdiI6IlV2WUJYVDFhUXVqdERwZUppT1dXS0E9PSIsInZhbHVlIjoiVWlYVmhwK0Uxa2ZiV1ZpSjRmbGFBM2pjU09id2ZCeVRGR040T2Y3K1BNYTBaVjVIelJ4eHIrRXBCc1ZYNFBQQ1VUUjczK0NMZGZrcGVmbDJWdlVaUFE9PSIsIm1hYyI6ImFhMjQ1ZTFkMWJmMWI1ZDg0ZWFlNmM0MGI0N2JlY2RlZDM1ZDYyZDg5OTMwZDVjZWU4YjRhMjNkYzlhNDhkN2QifQ%3D%3D

HTTP/1.1 302
 Redirect to: https://speedypaper.com/
status: 302
date: Thu, 08 Sep 2016 16:32:49 GMT
content-type: text/html; charset=UTF-8
cache-control: no-cache
location: https://speedypaper.com
set-cookie: laravel_session_speedypaper=eyJpdiI6IjJWUVcybEZzd3lxN1dHXC9JNXIzckh3PT0iLCJ2YWx1ZSI6IlZ2dGVwN2VXM2RyYU1ob1pTN3JTenJkK3dCYkFZYnY1OUU0bVdpTEluS2VHUjBlWlZYTngyd1wvUHR2OG1Fanl4TjdrM25LXC9LUFIyS0hEZU1qVG5XdUE9PSIsIm1hYyI6IjhkOTViYmFiNjcyMjIxODkxZDU1ZGY1OGUyZmE0MzkyOTY1NjQwNzFlMDkxOTQxMWNlODk5YTgwYTQwZGI3OWYifQ%3D%3D; expires=Thu, 08-Sep-2016 18:32:49 GMT; Max-Age=7200; path=/; httponly
set-cookie: spv=eyJpdiI6IjVLZGVlSFU0bTFvdDNPMXJcL0gxUUJnPT0iLCJ2YWx1ZSI6IllFZTI0Z0FuS3h0djZwc1ZNZ3BJWEE9PSIsIm1hYyI6IjRlNzE0ODQ3NmY2NTA3ZDhjZGU5ZDUyYmVhNjgzZWNhYTNjMDc1NjlhNmM0NGMwZDQ4YTUyYjgxMGVlMGU4OTUifQ%3D%3D; expires=Wed, 07-Dec-2016 16:32:49 GMT; Max-Age=7776000; path=/; httponly
set-cookie: spvis=eyJpdiI6ImQ0bkJvb0hHcWVpeGFzdjN4V1JLeFE9PSIsInZhbHVlIjoid3lRY3lHbndTTFFGbjhWWlQwRnY3dz09IiwibWFjIjoiNWJkM2E1MjUwYjcyODY0MjY1YjcyYTJjNmYxNjJkOTczY2RmOTY4MTI2YzZiMDU1NjAyZWQxZGU0YTM0OTA1NCJ9; expires=Wed, 07-Dec-2016 16:32:49 GMT; Max-Age=7776000; path=/; httponly
x-prerender-token: fbDlD1S9rFH3au9KfiDK
strict-transport-security: max-age=63072000; includeSubdomains;
x-content-type-options: nosniff
server: cloudflare-nginx
cf-ray: 2df3cc76e7612597-ORD

GET https://speedypaper.com/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dee0a566f25b25cba8a72327465573e201473350225; spu=eyJpdiI6InE5S001V0F4NnR1VFF5OEQ5eE5KQ3c9PSIsInZhbHVlIjoiMlFpaWQzY3BnY0VMNTdQUWY5TlwveXc9PSIsIm1hYyI6IjJkNmU0ZjM3ZTQ1ZWQyY2I3ODRhZDExZWJlYzA4OGM1YjgwM2EwMDQ0ZTRlYzA1MzU1MTRjMjRjYWIzNTM2MTkifQ%3D%3D; laravel_session_speedypaper=eyJpdiI6IjJWUVcybEZzd3lxN1dHXC9JNXIzckh3PT0iLCJ2YWx1ZSI6IlZ2dGVwN2VXM2RyYU1ob1pTN3JTenJkK3dCYkFZYnY1OUU0bVdpTEluS2VHUjBlWlZYTngyd1wvUHR2OG1Fanl4TjdrM25LXC9LUFIyS0hEZU1qVG5XdUE9PSIsIm1hYyI6IjhkOTViYmFiNjcyMjIxODkxZDU1ZGY1OGUyZmE0MzkyOTY1NjQwNzFlMDkxOTQxMWNlODk5YTgwYTQwZGI3OWYifQ%3D%3D; spv=eyJpdiI6IjVLZGVlSFU0bTFvdDNPMXJcL0gxUUJnPT0iLCJ2YWx1ZSI6IllFZTI0Z0FuS3h0djZwc1ZNZ3BJWEE9PSIsIm1hYyI6IjRlNzE0ODQ3NmY2NTA3ZDhjZGU5ZDUyYmVhNjgzZWNhYTNjMDc1NjlhNmM0NGMwZDQ4YTUyYjgxMGVlMGU4OTUifQ%3D%3D; spvis=eyJpdiI6ImQ0bkJvb0hHcWVpeGFzdjN4V1JLeFE9PSIsInZhbHVlIjoid3lRY3lHbndTTFFGbjhWWlQwRnY3dz09IiwibWFjIjoiNWJkM2E1MjUwYjcyODY0MjY1YjcyYTJjNmYxNjJkOTczY2RmOTY4MTI2YzZiMDU1NjAyZWQxZGU0YTM0OTA1NCJ9

Now, the last time I called out SpeedyPaper about the “happenstance” of hacked links leading to their site, they boldly proclaimed their theory that these links were created by their EEEeevil Competitors (Note: Likely the self-same EEEeevil Competitors that they appeared to attempt to frame by clumsily redirecting their redirect to… if that makes any sense.)

So, let’s look at this whole redirect thing a little closer:

My initial request went to the upmd.org (University Park, MD) domain:

Initial Request
1
GET http://www.upmd.org/index.php/lead-research-paper/

The upmd.org site responded to that request with a redirect:

Redirect from UPMD
1
2
HTTP/1.1 307 Temporary Redirect
 Redirect to: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=upmd.org&utm_referrer=http%3A%2F%2Fupmd.org%2Findex.php%2Flead-research-paper%2F&utm_keyword=lead+research+paper

There’s some awfully specific stuff in those parameters:

  • rt=3S5do2ix
  • utm_search_engine=google
  • utm_host=upmd.org
  • utm_referrer=http%3A%2F%2Fupmd.org%2Findex.php%2Flead-research-paper%2F
  • utm_keyword=paper

First off, what’s with this “utm” stuff?

Well, to answer that question, we need to time-travel back to the late 90’s. UTM originally stood for “Urchin Traffic Monitor,” which was part of a software suite called “Urchin WebAnalytics Software” that was released way back in 1998. Google purchased Urchin and its technology in 2005 and continued to sell the software for almost seven years until the decision was made to discontinue it in 2012. Although the original UTM software has gone the way of the dodo bird, Google still continues to use the “utm” convention for its own analytics software.

But this ain’t Google’s doin'… Somebody seems to be - GASP! - plagiarizing Google’s work. If only we could figure out who in this sordid mess knows anything about plagiarizing…

The “outlier” here is that “rt” parameter… Perhaps (and I’m speculating here…) whoever “did the deed” and placed these hacked links ‘round the 'Net is convinced - through no fault of the fine, upstanding folks at SpeedyPaper - that they’ll be somehow “paid” based off of some sort of “referal token.” Nah… that couldn’t possibly be the case.

So……. at this point, something on the SpeedyPaper site receives that inbound URL, doesn’t seem to be the least bit befuddled by the string of goofy parameters (hmmmm…), and immediately redirects back to SpeedyPaper’s main page. How convenient!

It seems especially convenient when SpeedyPaper has, in the past, made it perfectly clear that this is the work of EEEeevil Competitors. Obviously, EEEeevil Competitors often hack websites and install links to your site, complete with analytics parameters, because that’s how EEEeevil Competitors work.

It’s so convenient it’s essentially a frickin' miracle.

Screw this crap… I’m gonna go watch my mouse jump. (Yes, that sounds like a euphemism. No, it isn’t.)

-TL
Tom Liston
Consultant - Cyber Network Defense
DarkMatter, LLC
Twitter: @tliston
September 8, 2016