It is possible for your computer to be involved in criminal activity if it was infected and became part of a botnet. Now, cyber security firm Imperva has recommended that you harden your website against such attacks as well.
Hijacking Vulnerable Websites
Researchers at Imperva Defense Center has revealed a blackhat SEO campaign [PDF] in late March 2016. Imperva claims malicious hackers are involved in a botnet-driven SEO attack to illegally increase the SEO ranking of various adult websites and online pharmacies. They employ a variety of techniques to attack websites. The big three include SQL injection (SQLi), HTML link injection, cross-site scripting (XSS) and comment spam. Over 700 machines were part of the botnet to launch automated SQLi and HTML link injection attacks. At the time of the sampling, over 8 million malicious HTTP requests were recorded.
The attacks try to stay hidden from website owners and administrators. As a result, it has been hard to detect the attacks. The sites are not directly affected aside from SEO penalties. According to Imperva, this black hat campaign is still going on.
This is not the first time hackers have used infected websites for their own gain. Back in February, the official Linux Mint website was broken into. Hackers secretly distributed their version of the Linux Mint operating system that contained backdoors. In October, thousands of websites powered by eBay’s Magento platform for e-commerce were breached by using a zero-day exploit.
A research team from Katholieke Universiteit Leuven in Belgium and Stony Brook University in the U.S. found that hackers were hijacking advertisements on certain illegal live streaming websites to infect visitors with malware.
Malicious advertising, or malvertising, is increasingly becoming a big issue and presents a third contender in the fight between advertising companies and people using content blockers. Malvertising is not the only attack vector. The main way that websites are comprised are through flaws in the source code.
SQL injection means inputting specialized SQL database commands into a text field to read, modify or otherwise execute administrative tasks. In this specific instance, the hackers used a string of code to go through all the records of a website’s database and inject HTML text into the table, as seen below:
As part of the command, the website will hide the additional text so as not to alert visitors or owners. The web crawlers search engines use to index the web unknowingly crawl through these infected links and the attack can spread.
The computing power required to infect websites in this manner on a large scale means that the hackers would either need a super computer, supercluster or a botnet. A botnet is a virtual cluster of computers linked to a command and control server that the hacker can use to run distributed attacks, such as a DDoS (distributed denial of service) attack.
From November 2015 to March 2016 the Imperva researchers have recorded over 733,000 HTTP requests that are part of this campaign. At least 650 machines were discovered to be part of the botnet, with 223 used for at least 10 days and 157 machines were in use for at least 30 days.
Since the attacks took place over many months – and as the researchers noted, it is still going on – there are around 60 machines at any given moment under attack. As seen in the diagrams below, the number of machines fluctuated daily over the months but the number of websites under attack are between 40-70.
How Website Owners are Affected
Since the malicious code is invisible to website visitors and a successful attack does not disrupt the site, should the owners of these websites be concerned? Absolutely.
The actual code may not be seen, but the effects are. Infected links that send visitors to adult websites or show Viagra ads upset both visitors and owners of the website. Additionally, since the results of the SQLi affects the databases behind the websites and changes certain text fields, eventually something is going to break. The Imperva researchers also extrapolate and hypothesize that this new attack vector could be modified to spread malware instead of just infecting website source code, like a worm.
Detection and Mitigation
Methods of detecting and defeating these attacks include:
- Identify the SQL injection: Website owners can attempt to identify when their website database is accessed. For example, using signatures that match common SQL phrases and blocking them.
- Identify the HTML injection: Signatures that identify HTML injections can further identify the malicious campaign and also stop XSS.
- Identify the botnet: Website owners can gather information from security communities in an attempt to identify the IP addresses of the botnet hosts. This enables reputation-based identification of websites and blocking the malicious traffic from the botnet.
For further information, we recommend reading the white paper that Imperva researchers released here [PDF].