Dark Reading is part of the Informa Tech Division of Informa PLC



Porn Operators Hijack Pages on AARP Website

Multi-pronged attack shows weakness in custom content management systems, researcher says

Hackers have launched a multi-faceted attack on the Website of the popular AARP organization, rerouting traffic from the seniors' association to pornography sites.

According to researchers at MX Logic, the attacks are designed not only to redirect traffic to porn sites, but to raise those sites' reputation on Google and other search engines.

"First, hackers found vulnerabilities in AARP.org’s user profile functionality, allowing them to post JavaScript redirect code and HREF links to porn sites," says Jeremy Yoder, director of Internet properties at MX Logic, who blogged about the AARP Website attacks on the company's Website yesterday. "Second, hackers employed bots in a massive campaign to submit blog comments containing links to the hacked AARP.org user profiles."

The hackers -- who probably are employed by the porn sites -- aren't necessarily trying to get seniors to view porn, Yoder observed. More likely, they hope to use AARP.org's search engine reputation to raise the porn sites' ranking within Google and other search engines, thus drawing more viewers to their sites.

"There has been a considerable increase in the use of comment and profile spam to promote pornographic or phishing sites in search engines," says Yoder. "This one was particularly notable because of the precise coordination of the attack, the exploitation of Web 2.0 functionality and the [search engine optimization] motivation, so we posted the information on our IT Security Blog."

MX Logic says it hasn't explicitly notified AARP about the attack. A query made to the association earlier today received no reply.

MX Logic, which studies Internet traffic patterns to detect threats from hackers and botnets, identified the attack when it found bots driving traffic toward the AARP site. "That was unusual, and when we saw the connection to the porn pages, we knew there was something going on," Yoder says.

But not all of the hijacked profiles were sending users to the porn sites, Yoder observed. Some of them were simply sitting on the site, still carrying their pornographic names and links, and could be easily avoided by any visitor. "That's what told us there was an SEO angle here," Yoder says.

"Search engines rank sites based upon links from other sites," Yoder explains. "If a high-ranking site like the AARP (to which Google has assigned a page rank of eight out of ten) links to the hacker’s site, it increases the recipient site’s ranking and traffic. The bot-driven blog comment spam drives increased visibility of the hacked AARP profiles, driving higher traffic numbers and ranking to the AARP profile itself."

In addition, the attack takes advantage of Facebook-like "community" features on the AARP site, which allow users to view each others' profiles, make online "friends," and so forth. "Users who view the seemingly innocent AARP member profiles are automatically redirected to porn sites, and served up malware 'anti-virus' applications to help them 'fix' the problem," Yoder says.

The AARP site is particularly susceptible to this sort of multi-pronged attack because it appears to be driven by a home-grown content management system, Yoder says. "It appears to be a custom system that's missing some baseline-level security capabilities. This site is accepting JavaScript code submissions, which are something that most off-the-shelf content management systems would have no trouble blocking."
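As an added illustration of the baseline control Yoder is describing (this is not AARP's or MX Logic's code and is not part of the original article), the block below is an allowlist sanitizer for user-submitted profile HTML. It drops script blocks, event-handler attributes and javascript: URLs, keeps only a small set of harmless tags, and marks links to other hosts rel="nofollow ugc" so the site's own search ranking is not lent to whatever a user links to. The tag allowlist, the first-party host names and the sample profile payload are assumptions, constructed to mirror the attack the article describes.

```python
# Added example: allowlist sanitizer for user-submitted profile HTML.
# Not AARP's or MX Logic's code. Hosts, tag list and payload are assumptions.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style=, no src=
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Hosts we own (assumption). Links anywhere else get rel="nofollow ugc" so the
# site's ranking is not passed on to a linked third-party site.
FIRST_PARTY_HOSTS = {"example.org", "www.example.org"}


def clean_href(value):
    """Return a safe href, or None if the scheme is not allowed."""
    # Browsers ignore tabs/newlines inside URLs ("java\tscript:"), so strip
    # every control character and space before looking at the scheme.
    value = "".join(ch for ch in (value or "") if ch > " " and ch != "\x7f")
    scheme = urlsplit(value).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return None                      # drops javascript:, data:, vbscript:
    return value


def is_external(href):
    host = urlsplit(href).netloc.lower()
    return bool(host) and host not in FIRST_PARTY_HOSTS


class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0      # >0 while inside <script>/<style>: drop text too
        self.open = []           # stack of emitted tags, to keep output balanced

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return               # tag is dropped; its text content is kept
        kept, extra = [], []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue         # onclick=, onerror=, style=, ... all dropped
            if name == "href":
                value = clean_href(value)
                if value is None:
                    continue
                if is_external(value):
                    extra.append(("rel", "nofollow ugc"))
            kept.append((name, value))
        kept.extend(extra)
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open:     # close anything left open inside it first
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open:         # close tags the user never closed
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_profile_html(raw):
    p = ProfileSanitizer()
    p.feed(raw)
    p.close()
    return p.result()


# Constructed profile payload modelled on the attack described in the article:
# a script redirect plus HREF links to a third-party site (hostname is fictional).
ATTACK_PROFILE = (
    '<p>Hi, I am new here!</p>'
    '<script>window.location="http://porn.example/";</script>'
    '<a href="http://porn.example/" onclick="window.location=this.href">Free movies</a>'
    '<a href="javascript:window.location=\'http://porn.example/\'">Click me</a>'
    '<img src=x onerror="window.location=\'http://porn.example/\'">'
    '<a href="/profiles/123">My friend</a>'
)

if __name__ == "__main__":
    print(sanitize_profile_html(ATTACK_PROFILE))
```

Note that the sanitizer works by allowlist: anything not explicitly permitted is dropped, so a new attribute or tag the attacker tries is rejected by default rather than needing a new blocklist entry. The rel="nofollow ugc" marking addresses the SEO motive Yoder describes; the script and event-handler stripping addresses the redirect itself.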

AARP may have fallen into the trap that snares many sites when they seek to add Web 2.0-type capabilities, Yoder explains. "They choose their content management system based on its features, without giving much thought to its security capabilities," he says. "That can be a big mistake, especially if you are a site with a lot of visibility that might make a good target, like AARP."

Organizations that seek to build collaborative capabilities into their Websites should consider using systems that have been vetted by others, rather than a custom system, Yoder advises. "An open source solution has the benefit of a community behind it," he says. "WordPress has absorbed a lot of attacks, but now it's a lot stronger because of it."

And enterprises should always be sure to employ humans to monitor and moderate their communities and forums, rather than doing automated monitoring, Yoder adds. "In any community, there always will be people -- or bots -- that don't post in good faith," he says. "You need to have a person who can recognize those posts and police them."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
