Your Fly Is Open

Netmenaces and Other Internet Stupidity

Wait... Wut?

2016-09-15 10 min read attacks

With age, there comes a certain level of acceptance of our limitations. Some of those limitations are associated with growing older - i.e. my career as a Chippendales dancer likely won’t be “taking off” anytime soon. Some of those limitations have been with us our entire life: I can readily admit that most of the time, I’m not the brightest bulb in the box.

I can, however, generally wrap my brain around many of the scams and cons that make up the base of what has come to be known as “cyber attacks” (drink!).

What I found today is different. I haven’t got a clue.

Having had a few “run-ins” with some of the fine, upstanding folks who supply pre-written term papers to spoiled post-pubescents with more money than ethics, I was trolling around the dark underbelly of the Internet in search of SEO hacks.

Search Engine Optimization (or SEO) is a term for a bag o’tricks designed to make your website appear higher in search engine listings. Some of these “optimizations” are totally legit (i.e. using “META” tags in the header of your web page to highlight specific keywords from your content) and some are… well… let’s just say that they’re of “questionable legality.”

One of the strongest parameters controlling your site’s placement in search results is the number of other sites that link to you. Sites with lots of inbound links are viewed as being more popular and therefore rank higher in search engine results. The algorithms behind search engine rankings also take into account the popularity of the sites that link to yours… creating a sort of unholy bouillabaisse of circular references. Be that as it may, this “popularity of the sites linking to you” thing is very important because, back in the day, scammy folks used to set up sites containing nothing but links to their other sites… as a means of driving their search engine ranking higher. By limiting an inbound link’s SEO “boost” based on the popularity of the site it comes from, these “link-farm” sites became useless… because a site containing pages of nothing but links to other sites isn’t very popular… unless your name is… well… Google.

So what’s a poor, morally bankrupt purveyor of pre-written research papers to do? How can they find a way to differentiate themselves from all of the other poor, morally bankrupt purveyors of pre-written research papers? They could try to get one hugely popular site to link to them, or they could somehow get links on LOTS of smaller sites…

And so, these bastions of business acumen spend years toiling to provide their clientele with superior products and service. In turn, their clients - bathed in the almost effervescent aura of customer satisfaction - throw caution to the wind and write glowing reviews (complete with links) on their personal blogs, in spite of the fact that they are, essentially, admitting to purchasing their diploma rather than… you know… actually thinking.

Nah… just kidding. They hack a bunch of sites.

In a strangely eerie parallel to their entire business model, these lowlifes take the easy road to search engine ranking by hacking into sites and creating links back to themselves. (Important note: it isn’t just the term paper jockeys doing this stuff… pretty much every questionable ‘net “business” out there - from “cheap cigarettes” to “pharma” to “genuine ’nfl’ jerseys” - is doing SEO boosting hacks…)

“Hold on a dang second…,” I hear you cry. “Isn’t that like a burglar leaving a note with their name and address on it at the scene of the crime?”

That’s EXACTLY what it is like - and yet they still get away with it. Why? Because, apparently, I’m the only person in the world who gives a crap about this stuff… (Important note #2: Sometimes the links just appear. Who knows how. They just do. Or… sometimes the links are placed by competitors. Yeah. That’s it. Competitors. EEeeevil Competitors…)

But I digress…

Today, I happened to notice that a bunch of unrelated sites had PDF files added to them that appeared to be advertising term paper “services.” I was intrigued, so I grabbed a few.

That’s where the puzzle began. You see, I simply don’t understand what’s going on. But, before I go on to describe what I don’t know, let me start with what I do know:

  1. The hacked sites are all running WordPress (“The WebApp Hacker’s BFF"™)
  2. These files are absolutely meant for Google’s consumption. The only way that you can get the file is if the User-Agent on the request matches GoogleBot. (English translation: Every time you request something from a web server, your browser identifies itself so the server can - potentially - deliver content that may be tailored to the type of browser you’re using - ex. a browser on a mobile phone might get different content from a browser for a system with a larger screen, like a desktop computer. The browser does this by passing along something known as a “User-Agent” string peculiar to the type/version of browser you’re using. When Google indexes web pages for their search engine, they use a tool that visits websites - known as a “spider.” This tool, which goes by the name “GoogleBot,” uses a very specific “User-Agent” string that can be easily identified.)
  3. The PDF files appear to be generated with TCPDF, a PHP library that is often used for generating PDF files from web applications. HOWEVER: The files themselves appear to be static. TCPDF writes creation and modification date/time strings (the CreationDate and ModDate entries in the PDF’s Info dictionary) when it generates a document - and these DO NOT change when grabbing the same file multiple times. Initially, I thought that TCPDF might have been installed on the site as part of the hack to generate PDFs on the fly, but having grabbed the same file repeatedly and seen no difference, I don’t think it is.
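As an added example (not code from the original post, and not something that was run against the actual files): the two checks described above - whether the TCPDF dates stay constant across fetches, and whether the file carries any link annotations - can be scripted. The sample PDFs below are constructed for this example (a bare-bones Info dictionary, no xref table); real files from a hacked site would be passed in as bytes instead. For anything beyond quick triage, Didier Stevens’ pdf-parser.py handles compressed object streams that this regex scan will not see.

```python
import re

# Constructed minimal PDF (no xref table, so not a fully valid file, but enough
# for the regex scan below) with a TCPDF-style Info dictionary and no links.
SAMPLE_PDF_NO_LINKS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Producer (TCPDF 6.2.13 \\(http://www.tcpdf.org\\)) /Title (Essay topic)
/CreationDate (D:20160914120000+00'00') /ModDate (D:20160914120000+00'00') >> endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF
"""

# Constructed variant of the same document with one /Link annotation, i.e. what
# a PDF that actually carried SEO value would contain.
SAMPLE_PDF_WITH_LINK = SAMPLE_PDF_NO_LINKS.replace(
    b"/MediaBox [0 0 612 792] >>",
    b"/MediaBox [0 0 612 792] /Annots [5 0 R] >>",
).replace(
    b"trailer",
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"/A << /S /URI /URI (http://example.invalid/buy-a-paper) >> >> endobj\ntrailer",
)

# A PDF literal string: "(" ... ")" with backslash escapes allowed inside.
_PDF_STRING = rb"\s*\(((?:\\.|[^\\)])*)\)"


def _unescape(raw: bytes) -> str:
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")


def pdf_info(data: bytes) -> dict:
    """Return the Info-dictionary strings TCPDF writes (Producer, dates, Title).
    Byte-level regex scan: fine for the uncompressed Info dict TCPDF emits,
    useless for metadata tucked inside compressed object streams."""
    info = {}
    for key in ("Producer", "Creator", "Title", "CreationDate", "ModDate"):
        m = re.search(rb"/" + key.encode() + _PDF_STRING, data)
        if m:
            info[key] = _unescape(m.group(1))
    return info


def pdf_uris(data: bytes) -> list:
    """External URIs referenced from URI actions (what a /Link annotation
    points at). An SEO-bearing PDF would have at least one of these."""
    return [_unescape(m.group(1)) for m in re.finditer(rb"/URI" + _PDF_STRING, data)]


def has_link_annotations(data: bytes) -> bool:
    return re.search(rb"/Subtype\s*/Link\b", data) is not None


def is_static_copy(first: bytes, second: bytes) -> bool:
    """A PDF generated on the fly by TCPDF gets fresh CreationDate/ModDate values
    each time; identical dates across two separate fetches point at a static file."""
    a, b = pdf_info(first), pdf_info(second)
    if "CreationDate" not in a:
        return False
    return (a.get("CreationDate"), a.get("ModDate")) == (b.get("CreationDate"), b.get("ModDate"))


def report(data: bytes) -> dict:
    """One-shot summary of the things checked by hand in the post."""
    return {
        "producer": pdf_info(data).get("Producer"),
        "link_annotations": has_link_annotations(data),
        "uris": pdf_uris(data),
    }
```

Run `report()` on two separate downloads of the same URL and `is_static_copy()` on the pair: a static file gives identical dates and, for the files described here, an empty `uris` list.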

But what doesn’t make sense is this: The PDF files contain NO LINKS. Not one. None. Zilch. Zip. Zero. Nada…

What is the point of an SEO hack without links?

Maybe I’m missing something. I have to be missing something.

I even asked Didier Stevens - who has probably forgotten more about PDF files than I ever knew - to take a look. He confirmed what I was thinking: these files have no links… and therefore no real SEO value.

You can take a look for yourself. I’ve posted one of the files (zipped) here. (Note: While I’ve looked at this thing six ways to Sunday and seen nothing malicious, I make no guarantees that opening it won’t blow up your computer, kill your dog, and turn you sterile… You’ve been warned.)

I don’t get it…

Why go to the trouble of hacking a website just to install these lame PDF files? On top of that, there is evidence that someone has been going around and placing comment spam with links to these files. What’s the point? Remember: These files are only going to be seen by GoogleBot, so that places a huge “fence” around their potential uses.

Anyone have an idea?

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter: @tliston
September 14, 2016

UPDATE (September 15, 2016): Ok, after doing a little more digging, I think I may have a handle on what is going on here. Before I get into describing what I think the point of all of this may be, let me explain some additional details that I’ve found that led me to my conclusion.

The first clue came when I did a little additional searching using Google’s “site” parameter (to lock my search to the site in question) coupled with “filetype:pdf”. (Note: It appears that the PDF files added by the attacker are the only PDF files on this site…) I was somewhat shocked to see that Google had indexed 2,500 “PDF” files added to the hacked site. Yes, you read that right… The content added by the attacker is somewhere around 20 times the number of pages of the site’s original content.

The next clue came when I followed one of the links from the Google search page and ended up triggering this cascade of redirects:

HTTP/1.1 302 Moved Temporarily
 Redirect to: http://lnkgo.net/zHU2hoJ
Date: Thu, 15 Sep 2016 04:04:19 GMT
Server: Apache
Location: http://lnkgo.net/zHU2hoJ
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

GET http://lnkgo.net/zHU2hoJ
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

HTTP/1.1 301 Moved Permanently
 Redirect to: http://www.paperhelp.org/?pid=7783
Date: Wed, 14 Sep 2016 21:28:03 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.45
Location: http://www.paperhelp.org/?pid=7783
Content-Length: 0
Content-Type: text/html; charset=UTF-8

GET http://www.paperhelp.org/?pid=7783
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=t5chg9l1eu7qilq6qgnbpds8g5; partner_id=7783; un=1; client_start_time=1473888484; client_country=US; client_ip=162.217.121.125

Note: I tried it multiple times with multiple files, always ending up at paperhelp.org…

So, functionally, here’s what seems to be going on:

  1. The attackers gain access to a WordPress site using some flaw du jour affecting WP
  2. The attackers then alter the WP code to perform the following actions:
    • When GoogleBot comes calling, it serves up a PDF file containing a “potential term paper topic” as its title. There are LOTS of these “PDFs” on a given hacked site.
    • If someone browses to the site looking for one of those PDF files, and the request carries Google (and - potentially - other search engines) in its Referer header, it redirects to lnkgo.net (which, in turn, redirects to paperhelp.org)
    • Anything else… let it fall through to the site itself… in the case of the PDF files - that don’t actually exist at the location they’re being requested from - the site returns a normal HTTP 404 error.
  3. The attacker then goes about using “traditional” comment spam to “seed” the PDF links into Google’s search database.
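As an added example (not code from the original post): the three request variants that the behaviour above hinges on - a plain browser, the Googlebot User-Agent, and a browser arriving with a Google Referer - can be sent to a suspect URL and the responses compared. `hacked_site` is a constructed stand-in that follows steps 1-3 as described so the example runs offline; the first hop to lnkgo.net is taken from the capture above, and matching on the substring "Googlebot" is an assumption about how the altered WP code picks out the bot. `http_fetch` is an assumed way of pointing the same probes at a live site, and the Googlebot User-Agent string is Google’s published one.

```python
import urllib.error
import urllib.request

# Google's published crawler User-Agent, and the browser UA from the capture in the post.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36")

PROBES = {
    "browser":     {"User-Agent": BROWSER_UA},
    "googlebot":   {"User-Agent": GOOGLEBOT_UA},
    "from_google": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def hacked_site(url, headers):
    """Constructed stand-in for the altered WordPress code described in the post
    (not recovered from a real site). Returns (status, headers, body)."""
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    if "Googlebot" in ua:            # step 2, first bullet: feed the bot a static PDF
        return 200, {"Content-Type": "application/pdf"}, b"%PDF-1.7 (static TCPDF file)"
    if "google." in referer:         # step 2, second bullet: bounce search visitors off-site
        return 302, {"Location": "http://lnkgo.net/zHU2hoJ", "Content-Type": "text/html"}, b""
    return 404, {"Content-Type": "text/html"}, b"<h1>Not Found</h1>"   # third bullet


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following Location, so each hop can be inspected on its own."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers):
    """Assumed live fetcher with the same (status, headers, body) contract as hacked_site."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx land here with headers intact
        return err.code, dict(err.headers), err.read()


def probe(url, fetch=http_fetch):
    """Send the three probes; return {name: (status, location, content_type)}."""
    results = {}
    for name, hdrs in PROBES.items():
        status, resp_headers, _body = fetch(url, hdrs)
        lowered = {k.lower(): v for k, v in resp_headers.items()}
        results[name] = (status, lowered.get("location"), lowered.get("content-type"))
    return results


def classify(results):
    """Name the tells from the post: bot-only content, referer-keyed redirect, PDF bait."""
    browser, bot, referred = results["browser"], results["googlebot"], results["from_google"]
    findings = []
    if bot[0] == 200 and browser[0] != 200:
        findings.append("user-agent cloaking: only the Googlebot UA gets a 200")
    if referred[0] in REDIRECT_CODES and browser[0] not in REDIRECT_CODES:
        findings.append("referer-keyed redirect to " + str(referred[1]))
    if bot[0] == 200 and "pdf" in (bot[2] or "").lower():
        findings.append("bot-only payload is a PDF")
    return findings
```

Two caveats when running this against a live site: it only catches cloaking keyed on the User-Agent or Referer headers, so a site that decides based on the caller’s IP range (verifying that the bot really comes from Google) will look clean to it; and `probe()` deliberately stops at the first hop, so to reproduce the full chain shown above you feed each `Location` value back in by hand, which also lets you watch for the chain changing from one run to the next.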

So… none of this was making sense because I was expecting this to be “standard” SEO hacking - but this isn’t a “standard” SEO hack. I think what’s going on here is something like the “spear phishing” version of SEO hacking.

Essentially, this seems to be an attempt to plaster Google with a metric-crap-tonne of individual PDF files, each containing an “essay-topic-like” title, and enough keywords to potentially get noticed by someone desperately searching for information on that essay topic. Clicking on the search engine link will then fast-forward you to the term-paper-for-sale site.

Now… far be it from me to even begin to question how the fine, upstanding folks at paperhelp.org shadily advertise their already relatively shady business. (I know that they’re probably going to be reading this at some point, so please indulge me while I save them the trouble of denying all of this: “Of course you didn’t have anything to do with these files appearing on these hacked systems. Of course it’s just a miraculous coincidence that clicking on the links in Google’s search results ended up dumping me out at your website. The Internet is filled with miraculous coincidences like that…”) Anyhoo… I’m thinkin’ that this “spear-SEOing” will only work if you have a broad enough list of potential essay topics and if you get enough PDF files out there (and noticed by the search engines…) - and, most importantly, those sites stay hacked. Unfortunately… all of that is going to quickly fall apart as I spend the next few days exercising Google’s search capabilities and notifying site owners.

Sorry, paperhelp.org. Perhaps, like the fine folks at SpeedyPaper, you shoulda’ done a bit more research.

P.S. - Since I’m pointing various government agencies as well as those whose sites have been hacked at this page, I want to state: I’ve got full logs of everything I’ve found, just in case anyone out there would like to (legally) stomp on these bastards.