Month: November 2015

Ad Fraud Botnet Might Cause $3 Billion in Damages to Online Advertisers

Posted on


Xindi botnet still well alive and kicking after one year
Online advertisers are at risk of losing billions by the end of 2016 if they don’t find a way to stop the Xindi botnet from spreading, a botnet that leverages flaws in the OpenRTB advertising protocol to boost its owner’s ad revenues.

OpenRTB is a protocol used for internal communications in online advertising. The protocol, in a simplified explanation, is used to interconnect advertisers, ad servers, and websites where ads need to be displayed.

The Amnesia bug, a flaw in the OpenRTB protocol

For the past year, a flaw in OpenRTB (CVE-2015-7266 – also known as the Amnesia bug) allowed (and still allows) an attacker to listen to OpenRTB ad messages but hold back receipt notifications for hours.

When weaponized inside malware, like the one used with the Xindi botnet, the Amnesia bug allows an infected machine to request numerous ads from the same advertiser and hold back notifications, making the ad network believe the ad failed and did not show. Later, when the notifications are released, the ad network is on the hook to pay all the impressions, even if not all ads were rendered inside a Web page.

Pixalate, an enterprise security and analytics platform, estimates that between 6 and 8 million computers have been infected with this malware, in more than 5,000 organizations.

Xindi botnet going after “reputable” targets

The Xindi botnet operators seem to be specifically targeting machines that are part of reputable Fortune 500 companies, universities or government agencies.

This is for two reasons. Advertising networks usually don’t expect to see ad fraud from these targets and have fewer monitoring tools pointed at them, and all the aforementioned organizations have access to superior broadband connections when compared to home users.

Xindi botnet is active for more than a year

First signs of Xindi-powered attacks were recorded as early as October 29, 2014, and then again in quick bursts in following months like December 2014, March 2015, and August 2015.

Most infected targets are in the US and are usually running Windows 7 or Windows XP. The list of top affected advertisers includes big names like Uber, Home Depot, McDonald’s, Honda, Pandora, Monster, Verizon, and Nissan.

Pixalate estimates that if ad networks don’t fix the OpenRTB protocol flaw that permits this type of attack to be carried out, online advertisers could lose up to $3 billion / €2.8 billion from fake ad impressions by the end of 2016.

The Xindi botnet step-by-step explanation

Source:news.softpedia.com

Criminals are mostly hacking-by-numbers with exploit kits

Posted on

Web scum build command and control mountain; bods mull pending large-scale attacks.

Exploit kits are dominating the criminal hacking industry, but even though code fiends prefer colour-by-numbers cracking kits, that isn’t stopping them from assembling a vast command and control army: domain name servers linked to popular kits are up 75 percent in the third quarter compared to 2014, according to a report.


It could lead to a flood of attacks should web scum take advantage of the available command and control infrastructure

Angler was the worst offender among exploit kits while the Matsnu domain generation algorithm played the biggest hand in the new command and control infrastructure.

Magnitude, Neutrino, and the popular Nuclear exploit kits helped bump the figures along in what was an increase on last year but a slight fall on the second quarter of 2015.

“The Infoblox DNS Threat Index in 2015 continues to remain well above the average for the previous two years, indicating that cybercriminals are continuing to expand their infrastructures,” say the authors of the Infoblox and IID report.

“Exploit kits and phishing remain significant components of the index because these techniques have been successful for malicious actors.”

The cost of buying into the exploit game has dropped from more than US$10,000 to about $1000 or less, depending on the kit.

As this reporter noted in June, security bods at Trustwave reckon web crims can clear a whopping US$84,000 a month for a paltry US$5400 outlay through the use of exploit kits to deliver malware and ransomware.

Crims would need to shell out US$3,000 for the ransomware, US$1800 for a hacked high traffic site, US$500 for an exploit kit like RIG and US$600 for anti-anti-virus fuzzers over a month to hit their profit targets.

Source:http://www.theregister.co.uk/

Why the CIA wanting encryption backdoors is a failure of leadership, not intelligence

Posted on

Analysis: The question shouldn’t be if encryption should have backdoors, but why intelligence agencies have begun shifting the blame onto those who push for privacy.

It took about three days for the CIA director and former intelligence officials to reignite the debate over the use of encryption, with some speculating that it may have been the reason why French and other Western intelligence agencies were unable to prevent the Paris attack earlier this month.


The attack, the greatest assault on French soil since the end of World War II, left 129 dead and hundreds injured.

French prosecutors leading the investigation said Saturday that the final body count may rise. The motives of the attackers and whether or not they used encryption were not confirmed by authorities.

That didn’t stop sister-site CBS News contributor and former CIA deputy director Michael Morell from stating, on little more than a hunch — apparently, that the perpetrators of the attack “used encrypted apps to communicate.” (Disclosure: ZDNet is also owned by CBS.)

He said:

“Commercial encryption. . . is very difficult — if not impossible — for governments to break. The producers of this encryption do not produce the key for either them to open this stuff up or for them to give to governments to open this stuff up. This is the result of Edward Snowden and the public debate. I now think we’re going to have another public debate about encryption, and whether government should have the keys, and I think the result may be different this time as a result of what’s happened in Paris.”

He, like many others before him, laid the blame at the steps of the companies who, inclined by or regardless of Edward Snowden’s leak to journalists two years ago of classified materials detailing the intelligence community’s mass surveillance programs, want to keep users’ data secure and protected.

To Morell’s credit, his remarks were somewhat tame compared to Fox News contributor Dana Perino, who said on Twitter about Snowden: “F**k him to you know where and back.” (Fox News’s slogan is “fair and balanced.”)

Wired’s Kim Zetter, who wrote a strong rebuttal of the anti-encryption brigade’s controlled and often contradictory rhetoric, pointed to vague comments made by incumbent CIA director John Brennan, who said on Monday:

“There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it. I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve.”

He added:

“And in the past several years because of a number of unauthorized disclosures and a lot of handwringing over the government’s role in the effort to try to uncover these terrorists, there have been some policy and legal and other actions that are taken that make our ability collectively internationally to find these terrorists much more challenging. And I do hope that this is going to be a wake-up call, particularly in areas of Europe where I think there has been a misrepresentation of what the intelligence security services are doing by some quarters that are designed to undercut those capabilities.”

The “too-long, didn’t read” version is, it’s Snowden’s fault the tech companies are pushing for stronger security, and he hopes that terrorist attacks will shift the public opinion in favor of open, unencrypted, and readable communications to both the intelligence agencies and hackers alike.

He neglects to mention that in the months prior to the September 11 attacks, al-Qaeda was known to have used encryption in which “may lie the… blueprints of the next terrorist attack against the US or its allies.”

It’s no wonder that intelligence officials, who have since the attacks in 2001 striven for a “collect it all” mantra about data collection on law-abiding citizens, are calling for backdoors in strong, uncrackable encryption.

Traditionally, when terrorists were successful, it used to be a “failure” by an intelligence agency or government.

After the September 11 attacks, people said the government did not know anything about them in advance, which former insiders called an intelligence failure. British intelligence agency MI5 said it was a “lack of resources” that the five suicide bombers were not caught prior to their attacks on the London subway system in 2005. After the chaos of the Boston bombing, the biggest terrorist attack on US soil since 2001, the FBI was accused of intelligence-sharing shortcomings.

Since 2013, when you first heard Edward Snowden’s name, the government finally had a scapegoat. Any person or company who acts in his name, or doubles down on security in the wake of the leaks, is now to blame, accused of being traitorous, or of impeding investigations or intelligence gathering.

Yet, in the latest attack, encryption has yet to be determined as a cause — or even a factor.

As Vice notes, there are more than enough reasons why intelligence failures happen — in spite of strong encryption: a lack of sharing intelligence across borders, a lack of language-speaking translators, and a deluge of data that authorities struggle to sift through.

Even former National Security Agency employees turned whistleblowers have said the daily deluge of data drowns analysts in too much information, meaning finding that needle in the vast haystack of intelligence is impossible.

Yet that bulk dragnet of metadata may not be the answer. It may have been “designed to detect a Mumbai/Paris-style attack,” according to a tweet by former NSA general counsel Stewart Baker, but as intelligence expert Marcy Wheeler notes, simply, “it didn’t.”

With a number of reportedly missed opportunities, because agencies are sifting through so much intelligence that they can’t identify potential attackers before they strike, the notion of wanting access to even more intelligence is weak, and diversionary at best.

The intelligence community is fighting a public debate it never wanted in the first place. The question shouldn’t be if encryption should have backdoors, but why intelligence agencies have begun shifting the blame onto those who push for privacy.

If the administration’s intelligence directors are demanding access to even more data than their agencies know what to do with, that points to a failure of leadership rather than a fault of intelligence.

Source:http://www.zdnet.com/

High-Frequency Sounds Embedded in Ads Used to Track Users Across Devices

Posted on

Inaudible sounds, the future of online user tracking
CDT (Center for Democracy & Technology) has alerted the FTC (Federal Trade Commission) about the existence of a privacy-intrusive, hidden high-frequency audio cross-device tracking technology.

According to an official complaint filed by the CDT, the privacy watchdog is tattling on advertisers like SilverPush, Drawbridge, and Flurry, online companies that deploy ads that squeal high-frequency sounds from the devices they’re loaded on.

The CDT says that these ultrasonic sounds scan the room for other devices like phones, tablets, TVs, computers, and wearables, effectively tying their presence to a browser cookie, an IP, and indirectly a user.

Whenever the device owner accesses a page with an ad from these companies from other handsets, the ad network will be able to recognize him based on the device’s fingerprint in their database and the presence of some tracking code left behind by the ultrasonic sounds emanated from previous visits via other nearby devices.


The entire technology is quite questionable and would allow advertisers to track users even if they don’t want to be tracked. Additionally, the practice also doesn’t include any options that users can tick and be left out of the tracking program.

A questionable practice, unknown to many, even the FTC

While advertisers are actively interested in delivering more efficient ads, users may not see it as such. A tracked user may not want personal Web browsing and TV watching habits stored in such fine detail on an advertiser’s insecure server somewhere online.

The CDT says that as of April of 2015, SilverPush’s ultrasonic tracking software (SDK) has been embedded in 67 mobile apps, allowing the company to track 18 million smartphones and an unknown number of nearby devices.

“CDT is unaware of the existence of any current process for users to identify when probabilistic tracking is being used or meaningfully opt out. This represents a significant infirmity for any type of privacy protection,” say CDT representatives. “As such, the entities engaged in probabilistic tracking merit careful scrutiny from the FTC.”

The FTC has officially reviewed CDT’s complaint today, and will be making a formal announcement in the following days.

Source:http://news.softpedia.com/

Private Facebook posts illegally hacked by NSW police

Posted on

The NSW Police Force illegally hacked the private Facebook account of a Sydney man in a move branded a reprehensible and “criminal offence” by a magistrate.

After four months of illegal police surveillance on a closed Facebook page, Rhys Liam Halvey was arrested and charged with three counts of using a carriage service to offend police and a further three counts of publishing an indecent article.


The surveillance tactics were later supported in court by one of the highest ranking police officers in the state.

The “indecent” posts included a raunchy image of the American pop star Miley Cyrus that had been superimposed on a photograph of a serving officer. After Sydney magistrate Roger Brown warned that a “criminal offence” had been committed by the “unauthorised access”, a senior member of the NSW Police hierarchy attempted to intervene with two sworn affidavits “supportive” of the actions.

But all six charges have now been withdrawn and dismissed. In ordering costs against police, Magistrate Brown described the conduct as “reprehensible” and the charges as “trivial.”

“Exactly how widespread is this snooping?” asked Mr Halvey’s barrister, Andrea Turner, in a formal complaint to the Police Integrity Commission, which has now been referred back to the police, by the NSW Ombudsman, for investigation.

“There is no difference to the police trespassing on a Facebook page for four months and my steaming open my neighbour’s mail in the hope of one day finding something, anything, to report to police.”

NSW Council of Civil Liberties president Stephen Blanks said public confidence in the police was being “undermined” by an inability to acknowledge the occasions when “it does the wrong thing.”

“How deep in police culture is this willingness to break the law?” he asked. “Even after they have been caught out, it would appear no adverse consequences are going to be suffered by those responsible because the illegal actions are supported by police at the most senior level.”

On November 29, 2013, NSW Police Senior Constable Daniel Moss began spying on a closed Facebook page belonging to a “Rhys Brown” using someone else’s user name and password. The prying continued until March 31 last year, when several “derogatory” posts appeared. They featured a NSW Police infringement notice together with photographs of several serving officers, taken in a Sydney street setting.

One image carried a large sum of cash and words to the effect of: “Here’s my $25,000 for your $101 fine.” Another image depicted Miley Cyrus “twerking” in front of an officer.

Though he denied being Rhys Brown and the owner of the posts, Mr Halvey was charged. During a hearing in April, Magistrate Brown said to Constable Moss: “You use the term ‘monitored’ the Facebook account of Rhys Brown … you went into that account frequently?”

“Yes, I did” replied the officer.

“So … you didn’t obtain a Supreme Court warrant … you didn’t obtain any judicial authorisation to invade the privacy of Rhys Brown’s Facebook, did you?”

“No.”

It was under cross examination that he admitted to using someone else’s user name and password.

When the police prosecutor sought an adjournment so the Crown could argue the “public immunity aspect” of certain police “methodology” used to “access data”, Mr Brown said: “Police methodology doesn’t permit the police to commit crimes, it’s as simple as that.”

Several weeks later, a senior police official stepped in with one “confidential” affidavit and another open one in which he relayed previous support for the investigation. He also requested the officer be excused from further cross examination “about how certain Facebook posts were obtained”, adding it would be “injurious” to the public interest if “those questions were to be answered”.

Mr Brown rejected the immunity application. In September, the case was withdrawn and dismissed with $14,429 in costs ordered against the police. A NSW Police spokesman said on Friday an investigation was “currently running.”

Source:http://www.smh.com.au/

THE DF, A HOTSPOT FOR CYBERATTACKS

Posted on

The capital and the State of Mexico (Edomex) account for 53% of these crimes. Those who commit them mainly target commercial transactions.

A person decides to buy something online. Days later, they realise that the credit card they paid with was used without their consent for other transactions. In short: they have become the victim of a cyberattack.

The International Institute of Cyber Security (IICybersecurity) defines cyberattacks as actions that seek to destabilise devices or systems connected to the network. The difference from cyberterrorism is that the latter focuses on attacking the systems tied to a nation’s critical infrastructure and services: communications, national defence, electric power, water supply, transport, and so on.

David Thomas, the organisation’s manager in Mexico, notes that so far this year more than 11 million cyberattacks have been recorded in the country. Of these, 53% are concentrated in the Distrito Federal and the State of Mexico.

According to the expert, some of the reasons both entities top the list are that between them they host more than 120,000 companies that handle personal and confidential data, which makes them an attractive target for hackers, and that the capital is home to both local government offices and the seats of the federal branches of government.

Other reasons, Thomas explains, are that Mexico City has more mobile devices and internet-connected equipment than other localities in the country, and that more than 13 million tourists arrive in the capital every year.

“Travellers make heavy use of credit cards, and these are an ideal target for hackers, who use POS [point-of-sale] malware attacks to steal banking data,” he says.

Security lagging behind

According to the Global Cybersecurity Index and Cyberwellness Profiles, published in April 2015 by the International Telecommunication Union (ITU), Mexico lags behind in cybersecurity, which represents a threat to the safeguarding of information compared with other countries.

The 2014 data placed Mexico 18th out of 29 in the ITU ranking, which evaluated a total of 100 countries, many of which tied in the same positions. This means Mexico sits below Latin American nations such as Costa Rica, Ecuador, Brazil and Uruguay.

On the other hand, according to IICybersecurity, Mexico is the country with the second-highest number of cyberattacks in the region, behind only Brazil.

In 2015, cyberattacks nationwide grew 63% compared with 2014, Thomas details. Denial-of-service (DDoS) attacks, POS malware, malvertising, e-commerce fraud, identity theft and ransomware extortion have been the most common forms of cyberattack.

Juan Carlos Montesinos, director of the SSPDF’s Cybercrime Unit, explains that the capital’s police provide guidance to affected citizens and that it is the Federal Police who investigate these crimes.

Victims of the hackers

The main segments affected by cyberattacks in Mexico City this year have been private companies, government institutions and academic organisations, according to IICybersecurity.

Of the total attacks recorded this year, 45% were aimed at private companies (banks and hotels, for example) and 35% at various government agencies. The remainder corresponds to academia and individuals.

Some experts, however, maintain that most transactions carried out online are secure.

The main barriers to combating cyberattacks, Thomas notes, “are a lack of information security solutions, the absence of adequate legislation and a lack of awareness of cybersecurity among the general population”. To prevent cyberattacks, government agencies and private companies must work together to bring about better collaboration and communication.

Despite the above, compared with other nations, the number of cyberattacks in Mexico is still very low. The US receives the largest number of cyberattacks in the world, with a million incidents a day, and the most bombarded city on the planet: Florida.

For Thomas, it is important to promote a culture of prevention and of citizens reporting crimes in Mexico. Furthermore, “the government must work to develop advanced integrated technical and investigative capabilities, with strict legislation in the field of cybersecurity, in order to make full use of those capabilities”.

Ideas for legislating on the matter

During the current session of Congress, which began on 1 September, legislators have presented two initiatives on this subject. One was put forward by deputy María Eugenia Ocampo Bedolla of the Partido Nueva Alianza. That bill seeks to amend the Federal Penal Code and is still awaiting analysis. The other initiative was promoted by PRI senator Omar Fayad, who withdrew it from committee after the controversy it generated. Opponents of the proposal branded it an attempt to censor content on the internet.

Source: http://www.maspormas.com/2015/11/12/el-df-foco-de-ciberataques/

Distributed Vulnerability Search – Told via Access Logs

Posted on

Sometimes just a few lines of access logs can tell a whole story…

Many ongoing attacks against WordPress and Joomla sites use a collection of known vulnerabilities in many different plugins, themes and components. This helps hackers maximize the number of sites they can compromise.

Google Dorks

Do you ever think about how hackers find vulnerable websites? Probably the most common way to do it is using “Google Dorks” – special Google queries that use search operators to return sites that use specific software. For example, this inurl operator will help find [improperly configured] WordPress sites: [inurl:”wp-content” “index of”]

Almost every published exploit has its own dork that helps to find vulnerable sites.

Hackers just need to enter search queries and then parse search results. Sounds easy? Not really. There are quite a few obstacles.

Obstacles to Automated Searches for Vulnerable Sites

  1. Even if your search returned millions of web pages, you can’t get more than the first 1,000 of them from Google.
  2. Out of those 1,000, not all sites are vulnerable. Some use a patched version, some use a website firewall or a different means of protection that will make the attack fail, or Google has outdated information about the site that might have already removed the vulnerable software. All in all, hackers may expect that less than 20% of the search results will be really vulnerable (It may be more for new zero-day attacks and less for old and already patched vulnerabilities).
  3. To compile a big enough list of vulnerable sites, hackers either need to use multiple dork modifications for one exploit, or use multiple dorks for multiple exploits. Both methods assume a significant number of requests to Google search engine. However, as you might know, Google prohibits automated requests. They block IP addresses that submit many requests in a relatively short time. Even human visitors see this CAPTCHA from time to time.


So how do hackers overcome these obstacles?

Enter Access Logs

A few days ago my colleague Rodrigo Escobar checked access logs of one compromised site and shared a very short excerpt with me. Here are the three lines of logs that tell the whole story about how hackers scan the web for vulnerable sites:

5.157.84.31 - - [01/Oct/2015:13:07:39 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwp-content+revslider+site%3Amobi&num=100&start=600 HTTP/1.1" 302 2920 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401 Firefox/21.0"
5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dcom_adsmanager+%2Blogo+site%3Adj&num=100&start=300 HTTP/1.1" 302 2916 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130406 Firefox/23.0"
5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwp-content+%2Brevslider+site%3Amobi&num=100&start=500 HTTP/1.1" 302 2928 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0"

If you are not fluent in the language of web server access logs, I’ll translate the story for you.

PHP Proxy

All three lines request the “includes/freesans.fr.php” file, which appeared to be an uploaded copy of the open source PHPProxy script. The proxy provides you with a web interface to open web pages from the server’s IP, instead of your local IP address. It’s normally used to bypass country and other IP-based restrictions.

Requests to Google

In our case, the proxy is being called with the following parameters:

?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwp-content+revslider+site%3Amobi&num=100&start=600

These are the URLs someone tries to open via the proxy. As you can see, they are URLs of Google search results pages.

Dorks

Our three lines of logs correspond to the following three queries:

  1. [wp-content revslider site:mobi]
  2. [com_adsmanager +logo site:dj]
  3. [wp-content +revslider site:mobi]

The first and the third queries look for WordPress sites with the Slider Revolution (revslider) plugin – vulnerabilities in revslider were responsible for a good number of the WordPress hacks we saw last year. Even one year later we see hackers exploiting the vulnerabilities in sites that still use old versions of this extremely popular premium plugin.

The second query looks for Joomla sites with the AdsManager extension, some versions of which have an arbitrary file upload vulnerability.

Site: Trick

You might have noticed that the Google queries contained the site:mobi and the site:dj operators, which limit search results to websites on the .mobi and .dj top level domains. Does it mean that hackers only want to attack WordPress .mobi blogs and Joomla .dj sites? Of course not!

Hackers use the site: operator only to bypass Google’s 1,000 results per query limitation. If they find 1,000 vulnerable .mobi sites, 1,000 vulnerable .com sites, 1,000 vulnerable .org sites, 1,000 vulnerable .net sites, and so on for every possible TLD, they’ll get far, far more results than the mere one thousand they could expect by searching just for any WordPress site with the revslider plugin.

Distributed Search

The only downside of this trick is it requires more requests to Google which maximizes risks of getting blocked for automated queries. To work around this, hackers use these two methods:

  1. The &num=100 parameter, which increases the number of search results to 100 per page and effectively decreases the number of required requests tenfold.
  2. The distributed system of proxies on compromised sites.

We can always tell that hackers don’t care about the sites they break into. They do it only to take advantage of the sites’ resources – be it visitors, server space, bandwidth, CPU, etc. In this case, the resource they need is the unique server IP along with the ability to install and run the PHP Proxy script.

So they have multiple hacked sites on servers with unique IP addresses where they installed the proxy script. To get results from as many Google queries as they want in a relatively short time, they need to make requests via the distributed network of their proxies rather than directly to Google.

This explains why we only see 3 such requests to the proxy script in the logs and why they requested search results from the middle of the result set (e.g. &start=300 or &start=600). Other search requests went to similar proxy scripts on other hacked sites.

Different User Agents

To make the search requests look even less suspicious to Google, hackers change the User Agent header of each request. This makes it look as if different people share the same IP address (this may be a company behind a corporate firewall or users of an ISP with a dynamic pool of IP addresses).

Indeed, if you take a look at the logs, the User Agents look the same at first glance (Firefox on Windows 7), but if you look more carefully, you’ll notice that the versions of Firefox vary:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130406 Firefox/23.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0

This resembles a corporate environment where most people use computers with similar configurations (with insignificant variations).
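Detection logic for the pattern described above, written as an added example rather than code from the Sucuri post: it parses combined-format access log lines (the three quoted in the post plus one constructed benign request from a documentation address), recovers the proxied Google query from any parameter whose value decodes to a search results URL, and summarises per client IP the dorks, the site: TLDs, the result offsets and the number of distinct User-Agent strings. The script path and the `____pgfa` parameter name come from the post; the regex, function names and benign line are this example’s own.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Combined log format, as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The three lines quoted in the post, plus one constructed benign request
# (203.0.113.7 is a documentation address) so the filter has something to ignore.
SAMPLE_LOG = [
    '5.157.84.31 - - [01/Oct/2015:13:07:39 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwp-content+revslider+site%3Amobi&num=100&start=600 HTTP/1.1" 302 2920 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401 Firefox/21.0"',
    '5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dcom_adsmanager+%2Blogo+site%3Adj&num=100&start=300 HTTP/1.1" 302 2916 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130406 Firefox/23.0"',
    '5.157.84.31 - - [01/Oct/2015:13:08:33 -0600] "GET /includes/freesans.fr.php?____pgfa=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwp-content+%2Brevslider+site%3Amobi&num=100&start=500 HTTP/1.1" 302 2928 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0"',
    '203.0.113.7 - - [01/Oct/2015:13:09:02 -0600] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/41.0"',  # constructed
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def split_query_once(query):
    """Split an already-decoded query string on & and = WITHOUT decoding again.
    Running parse_qs on it would turn the literal '+' in 'com_adsmanager +logo'
    into a space and silently change the dork."""
    out = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        out.setdefault(key, []).append(value)
    return out


def proxied_search(path):
    """If any query parameter of the request path decodes to a Google search
    results URL, return the dork, the site: TLD, the page offset and the script
    path; otherwise None. The parameter name (____pgfa here) need not be known."""
    req = urlparse(path)
    outer = parse_qs(req.query)  # decodes %XX and '+' exactly once
    for name, values in outer.items():
        for value in values:
            target = urlparse(value)
            host = target.hostname or ""
            if target.path != "/search" or not (host == "google.com" or host.endswith(".google.com")):
                continue
            inner = split_query_once(target.query)
            query = inner.get("q", [""])[0]

            # num/start may sit inside the proxied URL or spill into the outer
            # query, because the proxy receives everything after the first '&'.
            def first_int(key):
                for source in (inner, outer):
                    if key in source and source[key][0].isdigit():
                        return int(source[key][0])
                return None

            tld = re.search(r"site:(\S+)", query)
            return {
                "script": req.path, "param": name, "query": query,
                "tld": tld.group(1) if tld else None,
                "num": first_int("num"), "start": first_int("start"),
            }
    return None


def analyze(lines):
    """Group proxied Google searches by client IP: which script is being driven,
    which dorks and TLDs are searched, which result offsets, and how many distinct
    User-Agent strings one IP presents (the 'corporate network' disguise)."""
    per_ip = defaultdict(lambda: {"script": set(), "dorks": [], "tlds": set(),
                                  "starts": [], "user_agents": set()})
    for line in lines:
        rec = parse_line(line)
        hit = proxied_search(rec["path"]) if rec else None
        if hit is None:
            continue
        s = per_ip[rec["ip"]]
        s["script"].add(hit["script"])
        s["dorks"].append(hit["query"])
        if hit["tld"]:
            s["tlds"].add(hit["tld"])
        s["starts"].append(hit["start"])
        s["user_agents"].add(rec["ua"])
    return dict(per_ip)


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {len(s['dorks'])} proxied Google searches via {sorted(s['script'])}, "
              f"{len(s['user_agents'])} distinct User-Agents, TLDs {sorted(s['tlds'])}")
        for dork, start in zip(s["dorks"], s["starts"]):
            print(f"  [{dork}] start={start}")
```

Any IP that drives a .php script on your own host toward google.com/search is worth an alert on its own; the per-IP User-Agent count and TLD spread tell you whether you are looking at the distributed search rather than one curious visitor.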

Conclusion

This was a story told by 3 lines of web server access logs. It helped us demonstrate:

  • Why hackers no longer focus on just one vulnerability and try to exploit multiple different security holes
  • Why it is important to update and patch every single element of your site software
  • How hackers find thousands of potentially vulnerable sites in a short time
  • How they use compromised sites to find their next potential victims
  • Why your server IP address is a valuable resource for hackers

Help the Internet — keep your site secure. Don’t let hackers use it to hack even more sites.

We know that it’s hard to keep track of all the newly discovered vulnerabilities in every CMS, theme and plugin, and update them in a timely manner, let alone the zero-day vulnerabilities that don’t even have any patches. Don’t worry! We have you covered!

Our website firewall protects websites by blocking requests that try to exploit both known and even unknown security holes, so that they don’t reach your site and can’t do any harm, even if you still use some vulnerable software (it’s still a very good idea to update everything ASAP). Here you can learn more about how it blocks all vulnerability exploits.

Source:https://blog.sucuri.net