IT Security Blog

10 September 2009

Tune in to Hear About Security Issues Facing Corporate Blogs with Robert Scoble on the SecurityBuzz Podcast


Friday usually gets people excited because it's the countdown to the weekend, but this week we're excited about it because some stellar guests are going to participate in the SecurityBuzz podcast.

As you may recall, last week Robert Scoble's WordPress blog, Scobleizer, was hacked. We've asked Scoble and Rob La Gesse, director of customer development at Rackspace, to join us to discuss corporate blogs, the security issues they face, how to prevent those issues, etc.

The podcast will be posted Friday afternoon, so stay tuned. In the meantime, let us know if you have any questions you'd like us to ask these guys and/or answer during the podcast. You can post them here or send me a note via Twitter: @smasiello.

Posted by smasiello at 3:35 PM | Link | 0 comments
17 September 2008

AARP Site Hacked and Spammed

Hackers combine bots, malware and search engine expertise to drive porn traffic

There has been a considerable increase in the use of comment and profile spam to promote pornographic or phishing sites in search engines. Today we discovered that the AARP’s website has been compromised by a two-pronged attack.

First, hackers found vulnerabilities in AARP.org's user profile functionality that let them store JavaScript redirect code and HREF links to porn sites in member profile pages (in effect, stored cross-site scripting: whatever a member entered was served to visitors unfiltered). Second, they used bots in a massive campaign to submit blog comments containing links to the hacked AARP.org user profiles.

This provides hackers with multiple benefits. Among them:

  • Search engines rank sites based upon links from other sites. If a high-ranking site like AARP.org (to which Google has assigned a PageRank of 8/10) links to the hacker's site, it increases the linked site's ranking and traffic.
  • The bot-driven blog comment spam increases the visibility of the hacked AARP profiles, which raises the traffic and ranking of the AARP profile pages themselves.
  • Users who view the seemingly innocent AARP member profiles are automatically redirected to porn sites and served rogue "anti-virus" malware to help them "fix" the problem.
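As an added illustration (not code from AARP.org or from this blog), the following Python sketches the profile-rendering flaw this attack depends on beside a hardened version, and a scanner for stored profile content that already carries redirect code. The profile records and the spam.example domain are constructed for the example. HTML-escaping every stored field is what stops the injected script from executing for visitors, and rel="nofollow" on member-supplied links is what denies the spammer the PageRank transfer described in the first bullet.

```python
"""Stored-script injection in a user profile page, as described in the AARP post.

Added illustration (not AARP's code): a toy profile renderer with the flaw the
post describes (member-supplied HTML emitted verbatim) beside a hardened one,
plus a scanner that flags stored profile content carrying redirect code.
All profile data below is constructed for the example.
"""
import html
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed attacker profile: a redirect script plus a link to the spamvertised
# site.  spam.example is a hypothetical domain, not taken from the original post.
ATTACKER_PROFILE = {
    "name": "friendly_member",
    "bio": (
        '<script>window.location="http://spam.example/porn"</script>'
        '<a href="http://spam.example/porn">great deals</a>'
    ),
    "homepage": "http://spam.example/porn",
}

BENIGN_PROFILE = {
    "name": "Jane",
    "bio": "Retired teacher, likes gardening & chess.",
    "homepage": "https://jane.example/",
}


def render_profile_unsafe(profile):
    """The flaw: fields are dropped straight into the page, so any <script>
    or <a> the member stored executes / renders for every visitor."""
    return (
        f"<h1>{profile['name']}</h1>"
        f"<p>{profile['bio']}</p>"
        f'<a href="{profile["homepage"]}">homepage</a>'
    )


def safe_http_url(url):
    """Return url if it is an absolute http(s) URL, else "" (rejects
    javascript:, data: and relative junk)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    return urlunsplit(parts)


def render_profile_safe(profile):
    """Hardened: every member value is HTML-escaped (markup becomes text), the
    homepage is linked only when it is an http(s) URL, and the link carries
    rel="nofollow" so search engines do not pass the site's ranking to it."""
    name = html.escape(profile["name"])
    bio = html.escape(profile["bio"])
    homepage = safe_http_url(profile.get("homepage", ""))
    link = ""
    if homepage:
        link = f'<a href="{html.escape(homepage, quote=True)}" rel="nofollow">homepage</a>'
    return f"<h1>{name}</h1><p>{bio}</p>{link}"


# Patterns a profile field has no business containing: script tags, location
# changes, meta refresh, and inline event handlers.
REDIRECT_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\b(window|document|top|self)\s*\.\s*location\b", re.I),
    re.compile(r"location\s*\.\s*(href|replace|assign)\b", re.I),
    re.compile(r"<\s*meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I),
    re.compile(r"\bon(load|error|click)\s*=", re.I),
]


def scan_stored_profile(profile):
    """Flag stored profile fields carrying redirect/script code.  Run this over
    the profile store to find members already hijacked the way the post
    describes; returns the list of matching pattern strings."""
    text = " ".join(str(v) for v in profile.values())
    return [p.pattern for p in REDIRECT_PATTERNS if p.search(text)]


if __name__ == "__main__":
    print(render_profile_unsafe(ATTACKER_PROFILE))
    print(render_profile_safe(ATTACKER_PROFILE))
    print(scan_stored_profile(ATTACKER_PROFILE))
```

The scanner is deliberately a blunt allow-nothing check: a profile field that needs `<script>`, `location`, or an event handler is not a profile field, so any hit is worth a human look rather than an automatic clean-up.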

Most blog platforms do a fair job of limiting comment spam. Even so, a cursory check for inbound links to some of the hacked AARP.org profiles shows that many blogs now carry the bot-submitted AARP.org links in their comment areas.

As we’ve covered before, spam makes a lot of people a lot of money. Hackers have great incentive to find vulnerabilities in email systems as well as web-based content management platforms. They're also increasingly using SEO (search engine optimization) to help stack the odds in their favor. The possibility of being able to inexpensively market on such a massive scale means the threat will never completely go away.

Whether it’s your website or your email network, constant vigilance is necessary to keep your organization from getting egg on its face.

Just ask the AARP.

(Note: The image above is from a profile post that does not auto-redirect via JavaScript.)

Posted by webmaster at 4:12 PM | Link | 4 comments
10 September 2008

Image Spam Hosted on Windows Live Spaces


It looks like the spammers using image spam are on the move again.

We've written before about spammers sending out links in emails that point to images housed on free image hosting services like ImageShack and Flickr as vehicles for delivering image spam (see here and here for the original posts from May and June 2007). Other folks have recently written about Google's Picasa image hosting service being abused in the same way.

In a spin on blog spam, we've recently started to see image spam hosted on Windows Live Spaces, a blogging and social networking platform by Microsoft. In this new tactic, spammers set up bogus Live Spaces, host an image in the blog section of the page, then spam out links to the site. So far the spam images we have seen have had a debt consolidation flavor, like this one:




Most of the spamvertised links pointing to these images are very obviously suspect and have the format http://cid-[16 hexadecimal characters].spaces.live.com (e.g. hxxp://cid-8bbc31c85ef08898.spaces.live.com/). The current volume of these emails is about 11,000 per hour.
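As an added example (not this blog's filter or anything from Microsoft), here is a small Python check that pulls URLs out of message bodies, undoes the "hxxp" defanging, and flags hosts of the form cid-<16 hex digits>.spaces.live.com, then buckets the hits per clock hour the way the volume figure above would be measured. The messages, timestamps and CID values below are constructed for the example.

```python
"""Detecting the Live Spaces image-spam links described in the post.

Added illustration (not the blog's or Microsoft's code).  The messages below
are constructed for the example; the CID values are made up.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Accepts http(s) and the common defanged spellings (hxxp, hxxps, ...).
URL_RE = re.compile(r"\b(?:h[tx]{2}ps?)://[^\s<>\"']+", re.I)
# The CID in the post's example (cid-8bbc31c85ef08898) is 16 hex digits.
LIVE_SPACES_CID_RE = re.compile(r"^cid-[0-9a-f]{16}\.spaces\.live\.com$", re.I)

# Constructed sample mail stream: timestamp plus body text.
MESSAGES = [
    {"ts": "2008-09-10 12:01:07",
     "body": "Consolidate your debt today! hxxp://cid-0123456789abcdef.spaces.live.com/"},
    {"ts": "2008-09-10 12:02:40",
     "body": "Lower payments: http://cid-fedcba9876543210.spaces.live.com/blog/"},
    {"ts": "2008-09-10 12:05:13",
     "body": "Team lunch photos: http://photos.example.org/album/42"},
    {"ts": "2008-09-10 13:00:02",
     "body": "see HTTP://CID-00FF00FF00FF00FF.SPACES.LIVE.COM/ for the offer"},
    {"ts": "2008-09-10 13:10:55",
     "body": "http://cid-notahexstring1.spaces.live.com/ looks odd but is not the pattern"},
]


def refang(url):
    """Turn hxxp(s):// (or any h??p) back into http(s):// so the host parses."""
    return re.sub(r"^h[tx]{2}(?=ps?://)", "htt", url, flags=re.I)


def extract_hosts(body):
    """Lower-cased hostnames of every URL found in a message body."""
    hosts = []
    for m in URL_RE.finditer(body):
        parts = urlsplit(refang(m.group(0)))
        if parts.hostname:
            hosts.append(parts.hostname.lower())
    return hosts


def live_spaces_cid_hosts(body):
    """Hosts in the body matching the cid-<16 hex>.spaces.live.com shape."""
    return [h for h in extract_hosts(body) if LIVE_SPACES_CID_RE.match(h)]


def is_live_spaces_spam(body):
    return bool(live_spaces_cid_hosts(body))


def hourly_volume(messages):
    """Count flagged messages per clock hour.  The post's 11,000/hour figure
    is this kind of measurement taken over a real mail stream."""
    counts = Counter()
    for msg in messages:
        if is_live_spaces_spam(msg["body"]):
            when = datetime.strptime(msg["ts"], "%Y-%m-%d %H:%M:%S")
            counts[when.strftime("%Y-%m-%d %H:00")] += 1
    return dict(counts)


if __name__ == "__main__":
    for msg in MESSAGES:
        print(is_live_spaces_spam(msg["body"]), live_spaces_cid_hosts(msg["body"]))
    print(hourly_volume(MESSAGES))
```

Matching on the host shape rather than on a list of known CIDs is the point: each bogus Space gets a fresh CID, so a blocklist of individual addresses would lag the campaign, while the pattern catches every one of them as it appears.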

There is no malware component associated with these campaigns that we are currently observing. It is usually the next logical step, so I wouldn't be surprised if we started seeing one soon.

Posted by smasiello at 1:25 PM | Link | 2 comments