This week, hundreds of Web sites belonging to customers of the Web hosting company iPowerWeb were compromised. The incident shows an interesting mix of hacking technology, Google index poisoning and social engineering.
A malicious third party added extra directories to the hacked Web sites and, it appears, installed scripts in these new directories that redirect visitors to traffloader.info. That site in turn redirects to sites that attempt to lure Internet users into installing a codec Trojan, a Zlob Trojan or rogue antispyware.
The redirection to the malicious Trojan sites only happens when victims land on the hacked Web site via a Google search. To get actual traffic to the compromised sites, the hackers poisoned Google’s index with tens of thousands of hacked URLs. Yesterday, well-chosen Google queries indeed returned about 60,000 malicious URLs hosted on iPowerWeb customer sites.
One of the tactics used in poisoning Google’s index is that the malicious URLs appear as “normal” SEO (search engine optimization) spam Web sites to the Googlebot that crawls the sites. Normal Internet users, however, are confronted with a malicious redirection instead (when they arrive at the site via a Google search). So, here, SEO spam techniques are combined with Trojan infection chains and social engineering.
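The referer-conditional behaviour described above (SEO spam for the crawler, a redirect for a visitor arriving from Google) is something a hosting provider can test for directly. The following is an added example, not code from the original article: it fetches a URL under three request profiles and flags a redirect that only the Google-referred visitor receives. The fetcher, the profile headers, the `.example` hostnames and the response bodies are constructed stand-ins; only traffloader.info comes from the article.

```python
import re
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# A response is (status, headers, body); a fetcher returns one for a URL plus request headers.
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str, Dict[str, str]], Response]

# Redirect techniques to look for in the body (constructed, deliberately simple patterns).
META_REFRESH = re.compile(r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

# Three request profiles (assumed, not from the article): what the crawler sees, what a direct
# visitor sees, and what a visitor arriving from a Google result sees.
PROFILES = {
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)", "Referer": ""},
    "direct_user": {"User-Agent": "Mozilla/5.0 (Windows NT 5.1)", "Referer": ""},
    "user_via_google": {"User-Agent": "Mozilla/5.0 (Windows NT 5.1)",
                        "Referer": "https://www.google.com/search?q=example"},
}

def redirect_target(resp: Response) -> Optional[str]:
    """Return where the response sends the browser, or None if it stays on the page."""
    status, headers, body = resp
    lowered = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in lowered:
        return lowered["location"]
    for pattern in (META_REFRESH, JS_LOCATION):
        m = pattern.search(body)
        if m:
            return m.group(1)
    return None

def detect_cloaked_redirect(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fetch the URL under each profile; flag a redirect only the Google-referred visitor gets."""
    targets = {name: redirect_target(fetch(url, hdrs)) for name, hdrs in PROFILES.items()}
    hit = targets["user_via_google"]
    offsite = hit is not None and urlparse(hit).netloc not in ("", urlparse(url).netloc)
    cloaked = hit is not None and targets["googlebot"] is None
    return {"cloaked": cloaked, "offsite": offsite, "targets": targets}

# Constructed responses standing in for a compromised and a clean hosted page (no network I/O).
SPAM_PAGE = (200, {"Content-Type": "text/html"}, "<html><body>free codec download</body></html>")
CLEAN_PAGE = (200, {"Content-Type": "text/html"}, "<html><body>Welcome to our bakery</body></html>")

def fake_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Simulates the article's behaviour: redirect only when the Referer is a Google search."""
    if "compromised.example" in url and "google." in headers.get("Referer", ""):
        return (302, {"Location": "http://traffloader.info/"}, "")
    return SPAM_PAGE if "compromised.example" in url else CLEAN_PAGE

if __name__ == "__main__":
    for u in ("http://compromised.example/seo-dir/page1.html", "http://clean.example/index.html"):
        print(u, detect_cloaked_redirect(u, fake_fetch))
```

A real deployment would swap `fake_fetch` for an HTTP client and run the check across every hosted vhost, since a page that looks identical to the crawler and to a direct visitor can still be serving the redirect.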
The mass compromise might be the result of a security breach of just a few iPowerWeb servers. One possible scenario is that the hackers obtained root permissions on shared webservers and were therefore able to modify webserver settings. Another scenario is that the hackers installed a Trojan on an iPowerWeb server that can alter network traffic on the local area network. Once such malicious software is installed, all Web sites hosted on other servers in the same local area network may appear compromised from the outside, while the contents of the Web sites on the physical hard drives were never changed at all: the attacker simply injects his malicious code into the network traffic between the Web sites and Internet users.
The danger of these attacks shows the need for continuous scanning of servers at hosting facilities for malicious content like Trojans and exploits.