Net Watchdog: Hacked Site Causes Headaches

What do a former Playboy pinup, a small Michigan toy company, and a mild-mannered real estate agent have in common?

On the surface, not much. But they each run a Web site that has been hacked and may have been used to distribute adware, spyware, malware, keyloggers, and rootkits to their visitors.

Internet gumshoe Harry Sverdlove, a senior research scientist with McAfee SiteAdvisor, has found at least 127 more sites that have fallen victim to identical hack jobs. All 130 of those sites point back to one site that distributes malware to all of them.

Each of the sites, he says, has been hacked by someone with the same modus operandi. The hacker has secretly inserted what is called an "iframe vulnerability" in the site's HTML code, without the site owner's knowledge. When you visit one of the hacked sites, a third party can try to install software onto your PC.

Right now the hackers behind the iframe vulnerability are not distributing malicious code through any of the hacked sites. But at any time, they could flip the switch and start pumping out malware.

Victims Vent

Tony Estrada serves as Webmaster for the former Playboy pinup and Hollywood actress Shannon Malone.

"Let me assure you Shannon Malone is a nice girl who is not involved in any hacking or espionage," he says. Estrada believes the trouble with Malone's site may have originated with the company that hosts it, iPowerWeb. He thinks iPowerWeb itself may have been hacked.

Realtor Mike Walter also hosts his Web site with iPowerWeb and says he is baffled by how his site was hacked.

I randomly inspected 30 of the hacked sites in the list of 130, and every one of them was hosted by iPowerWeb hosting services.

iPowerWeb, which says it manages 500,000 accounts, said in a statement: "Service providers are constantly under attack. We are always monitoring for new exploits and patching our servers where applicable. There could be 100 different reasons this is happening that don't have to do with us--from weak customer passwords to vulnerable customer scripts."

Estrada says iPowerWeb told him that it was aware of the problem and advised him to better safeguard access to the back-end, administrative side of his Web site with a stronger password. Estrada says the company told him that a hacker had likely used what is called a "dictionary attack" program to figure out passwords for gaining administrative access to his site. A dictionary attack tests words from the dictionary as possible passwords until it finds one that works.

It used to be that if you stayed away from the unsavory portions of the Web you could avoid getting hit with a drive-by download--where an attacker downloads malicious content to your PC without requiring any action from you. Today the Web bad guys have managed to penetrate nice Web neighborhoods. And some of the Web victims don't know what's hit them.

Another one of those victims is a small-business owner in Michigan. She owns a retail toy store and runs a simple Web site where customers can buy toys online. Her Web site had been hacked using the same iframe vulnerability. When I spoke with her last week, she seemed confused by and disinterested in the complexity of the threat. Last time I checked, she had not removed the vulnerability from her site.

Load2Load Hack Jobs

[Image: A sample of a hacker's code.]

The trick these hackers use is to create a tiny, 1-by-1-pixel element on a Web page that links to a third-party Web site. The hacked site doesn't appear to be booby-trapped, enabling the hacker to keep a low profile. All the bad guy has to do to launch an attack is to load up the rigged site with malicious code; anyone who then visits the site is prey to a drive-by download.
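
A site owner can look for this pattern in their own pages. The following is an added example, not code from the article or from McAfee SiteAdvisor: a small Python audit that flags iframes that are both effectively invisible and pointed at a host other than the site's own. The `.example` hostnames, the sample page, and the 2-pixel threshold are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

TINY = 2  # assumed threshold: a width or height of <= 2px is effectively invisible

# Return a pixel count from "1" or "1px"; None for missing, percent or other values.
def _px(value):
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None

# Parse an inline style attribute into a {property: value} dict (lowercased).
def _style_map(style):
    pairs = (d.split(":", 1) for d in (style or "").lower().split(";") if ":" in d)
    return {k.strip(): v.strip() for k, v in pairs}

class IframeAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host.lower(), []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: v or "" for k, v in attrs}
        css = _style_map(a.get("style"))
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        third_party = bool(host) and host != self.site_host and not host.endswith("." + self.site_host)
        dims = [_px(src.get(k)) for src in (a, css) for k in ("width", "height")]
        tiny = any(d is not None and d <= TINY for d in dims)
        hidden = css.get("display") == "none" or css.get("visibility") == "hidden"
        if third_party and (tiny or hidden):
            self.findings.append((self.getpos()[0], host, "tiny" if tiny else "hidden"))

def audit(html, site_host):
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings  # list of (line number, iframe host, reason)

# Constructed sample page: one same-site frame, two concealed third-party frames, one visible embed.
SAMPLE = """<html><body>
<h1>Toy store</h1>
<iframe src="https://www.toystore.example/map.html" width="400" height="300"></iframe>
<iframe src="http://malicious.example/x" width="1" height="1" frameborder="0"></iframe>
<iframe src="//tracker.example/p" style="display:none"></iframe>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
</body></html>"""
```

Calling `audit(SAMPLE, "toystore.example")` reports the frames on lines 4 and 5 and leaves the same-site frame and the visible video embed alone; any hit on a page the owner did not put there deserves a look at how the file was modified.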

Cybercriminals are no longer mainly interested in defacing Web sites they break into, says Roger Thompson, chief researcher for Exploit Prevention Labs. Today they are more intent on quietly infecting PC users through vulnerabilities in Microsoft's Internet Explorer browser.

In the case of the 130 sites McAfee SiteAdvisor has been watching, hackers used a site called Load2Load.net (which is now dormant but should still be considered risky to visit) as a central repository for malicious code.

On Web site message boards, people are reporting that sites hacked via Load2Load have caused their PCs to freeze, at which point their machines have become infected with malware. Many complain of getting hit with the JS/Exploit-BO.gen Trojan, which can give a hacker control of an infected PC.

Load2Load has not been active since early May, but hackers typically try to keep security experts guessing. They often lie dormant for months, and then spring into action, actively distributing malicious code for only a day before going back into hibernation.

One-Fourth of Net Users Unprotected

A recently updated browser would most likely block malware from infecting a PC. But hackers hope that Web surfers who haven't installed the most recent Windows software patches or antivirus software will become their next victim.

Thompson says a hacker program called WebAttacker is being planted on Web sites across the Internet. The program checks each site visitor's browser for vulnerabilities, and then tries to use one to take control of the PC.

Thompson estimates that tens of thousands of sites like Estrada's and Walter's have been hijacked and are unwittingly poised to infect PCs whose security software is out of date. Once the cybercrooks take control of your PC, they can do any number of illegal things. Hackers have been known to plant spyware on PCs to steal an identity, to plant adware, or to turn a PC into a spam-spewing zombie.

"If you don't have the most up-to-date Windows Update patch or virus definitions, you may get stung by one of these sites," Thompson says.

According to a Jupiter Research survey of 2200 PC users, 24 percent did not have antivirus software installed on their PCs. In single-PC homes, that number jumps to 29 percent.

Joe Wilcox, a security analyst with Jupiter, points out that there is no way to tell how many of those who do report using antivirus software actually update it on a regular basis. Doubly troubling, Wilcox says, is the changing nature of Web-based security threats.

If you have the most recent Windows operating system patches and have updated your antivirus protection, your PC is in great shape.

Protection Tips

One way to protect yourself from Web threats without obsessing about your PC's security deficiencies is to use programs that put extra locks on your Web browser.

One excellent option comes from McAfee SiteAdvisor, which I have written about in a previous column.

Another option comes from security firm Amust: Its 1-Defender program attempts to lock down a browser so that when malicious code attempts to infect your PC, it hits a dead end. Other entrants include GreenBorder's GreenBorder Pro and Exploit Prevention Labs' SocketShield.

Both 1-Defender and GreenBorder Pro protect your PC by building a wall around Internet Explorer that prevents it from interacting with the rest of your computer. The companies each claim their product can do that without crippling your browser or its functionality.

GreenBorder works by creating a virtual session, which allows you to surf safely. Once you're done, you can reset your browser.

SocketShield works differently: It downloads data to your PC from a database of known exploits, which helps it recognize a threat before it lands on your system. The program does this by scanning Internet traffic in real time and neutralizing the threat before it gets to your browser. After a 15-day free trial period, the product costs $29.95 for the first year, and $19.95 per year thereafter.

The sky is not falling in cyberspace. Security experts say Internet threats have always been with us--we just haven't been as aware of the problems. The good news is consumer awareness is up, and so is the number of tools on the market to protect PCs, says Terri Forslof, manager of security response for security firm TippingPoint.
