There is a classic magic trick known as The Chinese Linking Rings where apparently solid metal rings appear to link together, unlink, and are made into chains and various fancy patterns. Everyone knows that all the rings aren’t solid, but the fun is in how the magician dupes us into not seeing the “gimmicked” ring.
This is a story of a different kind of linking ring, but just like the magic trick, the fun part is all about how we’re duped into not seeing something that is clearly there.
It all started when I noticed that a “comment” page in the web app portion of one of my honeypots was getting pummeled by a group of about 20 different IP addresses from the 188.8.131.52/24 netblock, located in the city of St. Petersburg, Russia.
Over the course of about 8 hours, the Russians had posted about 14,500 “comments” to the site (or at least believed they had…) each one containing some randomly chosen text of a story from the New York Daily News' website coupled with a link to a page on various hacked websites selling term papers on various topics.
‘Cause really, if you’re going to be skeevy enough to buy a term paper, you just know you’re going to want to buy one from crazy Russians who use hacked websites and comment spam to boost their search engine presence…
Russians: When they’re not riding bearback (shirtless), or on Dancing With the Stars (shirtless), they’re writing and selling term papers (probably shirtless), hacking websites (unquestionably shirtless) and SEO boosting (wearing a shirt, because doing that while shirtless would just be silly…).
Known for their warm, happy-go-lucky nature, these Russian hacking rings also seem to have a bit of a penchant for magic. When I followed one of the links they kindly provided me amidst the newsworthy comments on my web app honeypot, I was surprised to see that it led to what appeared to be an HTTP 404 Error (File Not Found) page:
Why would those goofy Russians go to all the trouble to put up 14,000+ links pointing to pages that didn’t exist? I can only imagine the conversation must’ve gone something like this:
Scene: Interior, basement. Two Russian hackers, Ivan and Dmitri, sit facing each other over a wobbly wooden table - shirtless - drinking vodka.
Ivan: “I don’t know… what do YOU want to do today?"
Dmitri: “I don’t know… what do YOU want to do?"
Ivan: “It’s cold in here."
Dmitri: “Put on a shirt."
Ivan: “No, YOU put on a shirt."
Dmitri: “Hey,… I have an idea! Let’s post a whole bunch of comments on the Internet with links that point to non-working pages."
Ivan: “Will that make it warmer in here?"
On second thought, that seems a little unlikely…
So, what the heck was going on? I did a little experiment and changed the User-Agent on my browser’s request for one of the “hacked” pages to mimic “GoogleBot.”
(For those of you who just went “Huh?…": The “User-Agent” is a string of text that your web browser sends with every request it makes to a web server. It tells the server what kind of browser you’re using, so that a site that needs to deliver different content to a particular kind of client - the browser on your mobile phone, for example - knows to do so. It is also just a header that the client fills in, so anyone can claim to be anything. I changed the User-Agent my browser was sending to mimic the one Google’s page crawler, GoogleBot, uses when it indexes web pages for inclusion in Google Search.)
Suddenly, just like with those pesky Chinese rings… something magical happened:
We just discovered the magician’s “gimmick” - what the search engine world calls “cloaking.” These pages have been designed to check the User-Agent on each request and show us mere mortals an error page, but the moment Google’s page-spidering “GoogleBot” drops by, they strip off their shirts and make the Motherland proud by contributing to the downfall of the Capitalist educational system one crappy plagiarized term paper at a time. The 404 has a bonus for the spammers, too: the owner of the hacked site who clicks the link sees nothing wrong and has no reason to go looking.
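Here is the whole trick in miniature, as an added example written for this page rather than code from the spammers or from the original post: a throwaway local web server that serves a 404 to ordinary browsers and the term-paper page to anything claiming to be GoogleBot, plus a probe that fetches the same URL under both User-Agents and flags the mismatch. The server, the URL path, the page bodies and the browser User-Agent string are all made up for the demo; the GoogleBot User-Agent is the one Google’s crawler actually sends.

```python
"""Added example (not from the original post): User-Agent cloaking and a probe for it.

A local HTTP server plays the part of the "hacked" term-paper pages described
above: 404 for ordinary browsers, real content when the User-Agent looks like
Googlebot. probe_for_cloaking() fetches the same URL both ways and compares.
Server, URL path, page bodies and the browser UA string are constructed here.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Real Googlebot User-Agent; the browser string below is made up for the demo.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/45.0"

SPAM_BODY = b"<html><body>Term papers on every topic! <a href='/buy'>Buy now</a></body></html>"
ERROR_BODY = b"<html><body><h1>404 Not Found</h1></body></html>"


def cloaked_response(user_agent):
    """The gimmick: pick the response purely on the User-Agent string."""
    if "Googlebot" in user_agent:
        return 200, SPAM_BODY
    return 404, ERROR_BODY


class CloakingHandler(BaseHTTPRequestHandler):
    """Serve the spam page only when the client claims to be Googlebot."""

    def do_GET(self):
        status, body = cloaked_response(self.headers.get("User-Agent", ""))
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_cloaked_server():
    """Start the cloaking server on an ephemeral localhost port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    return server, f"http://127.0.0.1:{port}/essay-writing-service"  # hypothetical path


def fetch(url, user_agent):
    """GET url with the given User-Agent; return (status, body) even for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_for_cloaking(url, fetcher=fetch):
    """Fetch url as a browser and as Googlebot; any difference means cloaking.

    fetcher(url, user_agent) -> (status, body) is injectable so the comparison
    logic can be exercised without a network."""
    browser_status, browser_body = fetcher(url, BROWSER_UA)
    bot_status, bot_body = fetcher(url, GOOGLEBOT_UA)
    return {
        "browser": (browser_status, len(browser_body)),
        "googlebot": (bot_status, len(bot_body)),
        "cloaked": browser_status != bot_status or browser_body != bot_body,
    }


if __name__ == "__main__":
    server, url = start_cloaked_server()
    try:
        result = probe_for_cloaking(url)
        print(f"as browser:   status {result['browser'][0]}, {result['browser'][1]} bytes")
        print(f"as Googlebot: status {result['googlebot'][0]}, {result['googlebot'][1]} bytes")
        print("cloaking detected" if result["cloaked"] else "same response for both")
    finally:
        server.shutdown()
```

Run it and the probe reports a 404 as a browser, a 200 as GoogleBot, and “cloaking detected.” Against a live page the same check is just `curl -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' URL` next to a plain `curl URL`. One caveat: the more careful cloaking kits key off the client’s IP address (a reverse-DNS check for googlebot.com, or Google’s published address ranges) rather than the User-Agent alone, in which case a spoofed User-Agent from your own machine still gets the 404 and you have to compare against what Google itself shows for the page instead.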
Owner, Principal Consultant
Bad Wolf Security, LLC
Senior Technical Engineer
May 15, 2016