

Porn Operators Hijack Pages on AARP Website

Multi-pronged attack shows weakness in custom content management systems, researcher says

Hackers have launched a multi-faceted attack on the Website of the popular AARP organization, rerouting traffic from the seniors' association to pornography sites.

According to researchers at MX Logic, the attacks are designed not only to redirect traffic to porn sites, but to raise those sites' reputation on Google and other search engines.

"First, hackers found vulnerabilities in AARP.org’s user profile functionality, allowing them to post JavaScript redirect code and HREF links to porn sites," says Jeremy Yoder, director of Internet properties at MX Logic, who blogged about the AARP Website attacks on the company's Website yesterday. "Second, hackers employed bots in a massive campaign to submit blog comments containing links to the hacked AARP.org user profiles."

The hackers -- who probably are employed by the porn sites -- aren't necessarily trying to get seniors to view porn, Yoder observed. More likely, they hope to use AARP.org's search engine reputation to raise the porn sites' ranking within Google and other search engines, thus drawing more viewers to their sites.

"There has been a considerable increase in the use of comment and profile spam to promote pornographic or phishing sites in search engines," says Yoder. "This one was particularly notable because of the precise coordination of the attack, the exploitation of Web 2.0 functionality and the [search engine optimization] motivation, so we posted the information on our IT Security Blog."

MX Logic says it hasn't explicitly notified AARP about the attack. A query made to the association earlier today received no reply.

MX Logic, which studies Internet traffic patterns to detect threats from hackers and botnets, identified the attack when it found bots driving traffic toward the AARP site. "That was unusual, and when we saw the connection to the porn pages, we knew there was something going on," Yoder says.

But not all of the JavaScript redirects were sending users to the porn sites, Yoder observed. Some of them were just sitting on the site, still containing their pornographic names, and could be easily avoided by any visitor. "That's what told us there was an SEO angle here," Yoder says.

"Search engines rank sites based upon links from other sites," Yoder explains. "If a high-ranking site like the AARP (to which Google has assigned a page rank of eight out of ten) links to the hacker’s site, it increases the recipient site’s ranking and traffic. The bot-driven blog comment spam drives increased visibility of the hacked AARP profiles, driving higher traffic numbers and ranking to the AARP profile itself."
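The second prong of the attack, bot-driven blog comment spam pointing at the hijacked profiles, has a recognizable shape in a site's own comment-submission logs: the same link target posted from many unrelated source addresses across several blogs in a short window. The detector below is an added example written for this article (not MX Logic's tooling or AARP's); the log format, the hostnames, IPs and timestamps are all constructed for illustration, and the thresholds (three distinct sources, two distinct blogs, ten minutes) are assumptions a site would tune to its own traffic.

```python
"""Detector for coordinated comment-link spam (added example, not MX Logic's tooling).

Input: constructed comment-submission log lines of the form
    <ISO timestamp> <source_ip> <blog_host> "<comment text>"
Rule: flag any link target (scheme + host + path) that is posted from at least
MIN_SOURCES distinct IPs across at least MIN_BLOGS distinct blogs within WINDOW.
A human sharing a link rarely looks like that; a bot campaign almost always does.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')
URL_RE = re.compile(r'https?://[^\s"<>]+')

WINDOW = timedelta(minutes=10)   # assumed tuning values, not from the article
MIN_SOURCES = 3
MIN_BLOGS = 2

# Constructed sample log: four bots pushing one profile link across three blogs
# within minutes, one genuine comment, and one link shared twice hours apart.
SAMPLE_LOG = [
    '2008-10-01T12:00:05 203.0.113.10 garden-blog.example "nice post! see http://seniors-site.example/profile/4471"',
    '2008-10-01T12:01:10 203.0.113.22 travel-blog.example "great info http://seniors-site.example/profile/4471/"',
    '2008-10-01T12:03:42 198.51.100.7 garden-blog.example "check http://seniors-site.example/profile/4471"',
    '2008-10-01T12:04:00 198.51.100.9 cooking-blog.example "http://seniors-site.example/profile/4471 wow"',
    '2008-10-01T12:05:00 192.0.2.5 garden-blog.example "I liked your recipe, thanks!"',
    '2008-10-01T13:30:00 192.0.2.8 cooking-blog.example "see also http://seniors-site.example/profile/9"',
    '2008-10-01T15:30:00 192.0.2.9 travel-blog.example "see http://seniors-site.example/profile/9"',
]


def normalize(url):
    """Canonicalize a link so trivial variants (trailing slash, host case) collapse."""
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc.lower()}{u.path.rstrip('/')}"


def parse_line(line):
    """Return (timestamp, source_ip, blog, text) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, blog, text = m.groups()
    return datetime.fromisoformat(ts), ip, blog, text


def detect_campaigns(lines, window=WINDOW, min_sources=MIN_SOURCES, min_blogs=MIN_BLOGS):
    """Map each flagged link target to the first sliding window that met the thresholds."""
    sightings = defaultdict(list)          # target -> [(ts, ip, blog), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, blog, text = parsed
        for url in URL_RE.findall(text):
            sightings[normalize(url)].append((ts, ip, blog))

    flagged = {}
    for target, events in sightings.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # advance the window's left edge until it spans at most `window`
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            win = events[lo:hi + 1]
            ips = {e[1] for e in win}
            blogs = {e[2] for e in win}
            if len(ips) >= min_sources and len(blogs) >= min_blogs:
                flagged[target] = {"sources": len(ips), "blogs": len(blogs), "posts": len(win)}
                break
    return flagged


if __name__ == "__main__":
    for target, stats in detect_campaigns(SAMPLE_LOG).items():
        print(f"coordinated link spam -> {target}: {stats}")
```

Flagged targets are a moderation queue, not an automatic block list: the prose's point that a person should review them still holds, and the counts give the reviewer the evidence for a decision.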

In addition, the attack takes advantage of Facebook-like "community" features on the AARP site, which allow users to view each other's profiles, make online "friends," and so forth. "Users who view the seemingly innocent AARP member profiles are automatically redirected to porn sites, and served up malware 'anti-virus' applications to help them 'fix' the problem," Yoder says.

The AARP site is particularly susceptible to this sort of multi-pronged attack because it appears to be driven by a home-grown content management system, Yoder says. "It appears to be a custom system that's missing some baseline-level security capabilities. This site is accepting JavaScript code submissions, something that most off-the-shelf content management systems would have no trouble blocking."
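The "baseline-level" control Yoder is describing is output sanitization of user-submitted profile markup: an allowlist of harmless tags, no script blocks, no inline event handlers, no `javascript:` URLs, and `rel="nofollow"` on every surviving link so that an outbound link carries no search-engine weight (which removes the SEO payoff as well as the redirect). The sanitizer below is an added example written for this article, not AARP's code or any particular CMS's filter; the tag and attribute allowlists, the `ProfileSanitizer` class and the sample profile markup are all assumptions constructed for illustration.

```python
"""Allowlist HTML sanitizer for user-submitted profile or comment markup.

Added example (not AARP's or MX Logic's code). Keeps a small set of formatting
tags, drops <script>/<style> and their contents, drops every attribute not on
the allowlist (so inline event handlers never survive), rejects javascript:
and data: URLs, and adds rel="nofollow" to surviving links so they confer no
search-engine ranking on the destination.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}  # assumed allowlist
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" covers relative URLs
VOID_TAGS = {"br"}

# Constructed sample of hostile profile markup: a script redirect, a javascript:
# link with an inline handler, and an ordinary outbound link.
SAMPLE = ('<p>Hi, I am <b>Pat</b>.</p>'
          '<script>window.location="http://example-adult-site.invalid/"</script>'
          '<a href="javascript:alert(1)" onclick="x()">click</a>'
          '<a href="http://spam.invalid/page">my page</a>')


class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0    # > 0 while inside <script>/<style>
        self.dropped = []      # audit trail of what was removed, for moderators

    @staticmethod
    def _safe_url(url):
        # Browsers tolerate whitespace/control characters inside "java\tscript:",
        # so strip them before looking at the scheme.
        cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
        return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append(f"tag:{tag}")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        clean = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            if name == "href" and not self._safe_url(value or ""):
                self.dropped.append(f"href:{value}")
                continue
            clean.append((name, value or ""))
        if tag == "a":
            clean.append(("rel", "nofollow noopener"))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in clean)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so entities a user typed cannot re-form tags.
        if not self.skip_depth:
            self.out.append(escape(data))


def sanitize(markup):
    """Return (clean_html, dropped_items) for user-submitted markup."""
    p = ProfileSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.dropped


if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)
    print("removed:", dropped)
```

The `dropped` list is the part that feeds the human moderation the article goes on to recommend: a profile whose submission repeatedly loses `tag:script` or `href:javascript:` entries is worth a person's look even though nothing hostile reached the page.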

AARP may have fallen into the trap that snares many sites when they seek to add Web 2.0-type capabilities, Yoder explains. "They choose their content management system based on its features, without giving much thought to its security capabilities," he says. "That can be a big mistake, especially if you are a site with a lot of visibility that might make a good target, like AARP."

Organizations that seek to build collaborative capabilities into their Websites should consider using systems that have been vetted by others, rather than a custom system, Yoder advises. "An open source solution has the benefit of a community behind it," he says. "WordPress has absorbed a lot of attacks, but now it's a lot stronger because of it."

And enterprises should always be sure to employ humans to monitor and moderate their communities and forums, rather than doing automated monitoring, Yoder adds. "In any community, there always will be people -- or bots -- that don't post in good faith," he says. "You need to have a person who can recognize those posts and police them."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
