Dark Reading is part of the Informa Tech Division of Informa PLC

Porn Operators Hijack Pages on AARP Website

Multi-pronged attack shows weakness in custom content management systems, researcher says

Hackers have launched a multi-faceted attack on the Website of the popular AARP organization, rerouting traffic from the seniors' association to pornography sites.

According to researchers at MX Logic, the attacks are designed not only to redirect traffic to porn sites, but to raise those sites' reputation on Google and other search engines.

"First, hackers found vulnerabilities in AARP.org’s user profile functionality, allowing them to post JavaScript redirect code and HREF links to porn sites," says Jeremy Yoder, director of Internet properties at MX Logic, who blogged about the AARP Website attacks on the company's Website yesterday. "Second, hackers employed bots in a massive campaign to submit blog comments containing links to the hacked AARP.org user profiles."

The hackers -- who probably are employed by the porn sites -- aren't necessarily trying to get seniors to view porn, Yoder observed. More likely, they hope to use AARP.org's search engine reputation to raise the porn sites' ranking within Google and other search engines, thus drawing more viewers to their sites.

"There has been a considerable increase in the use of comment and profile spam to promote pornographic or phishing sites in search engines," says Yoder. "This one was particularly notable because of the precise coordination of the attack, the exploitation of Web 2.0 functionality and the [search engine optimization] motivation, so we posted the information on our IT Security Blog."

MX Logic says it hasn't explicitly notified AARP about the attack. A query made to the association earlier today received no reply.

MX Logic, which studies Internet traffic patterns to detect threats from hackers and botnets, identified the attack when it found bots driving traffic toward the AARP site. "That was unusual, and when we saw the connection to the porn pages, we knew there was something going on," Yoder says.

But not all of the JavaScript redirects were sending users to the porn sites, Yoder observed. Some of them were simply sitting on the site, still carrying their pornographic names, and could easily be avoided by any visitor; links like that serve the search engine's crawler rather than the person viewing the page. "That's what told us there was an SEO angle here," Yoder says.

"Search engines rank sites based upon links from other sites," Yoder explains. "If a high-ranking site like the AARP (to which Google has assigned a page rank of eight out of ten) links to the hacker’s site, it increases the recipient site’s ranking and traffic. The bot-driven blog comment spam drives increased visibility of the hacked AARP profiles, driving higher traffic numbers and ranking to the AARP profile itself."
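The bot-driven comment campaign Yoder describes leaves a recognizable pattern on the receiving blogs: many submissions, from many source addresses, on many different blogs, all pushing the same URL inside a short window. The following is an added example written for this article, not MX Logic's detection logic, showing one way to flag that pattern over a constructed comment-submission log. The log format, the thresholds, and the hosts members.example, docs.example and blog-*.example are assumptions; the `host` grouping goes one step beyond the quote and catches a whole set of hijacked profiles on one site being pushed together.

```javascript
// Added example, not MX Logic's tooling: flag a coordinated comment-spam
// campaign from a comment-submission log. Each constructed line is
// "<epoch-seconds> <source-ip> <blog-host> <url-in-comment>"; the hosts
// members.example, docs.example and blog-*.example are placeholders.
const COMMENT_LOG = [
  '1200000000 203.0.113.5 blog-a.example http://members.example/profile/8812',
  '1200000040 203.0.113.9 blog-b.example http://members.example/profile/8812',
  '1200000095 198.51.100.2 blog-c.example http://members.example/profile/8812',
  '1200000130 198.51.100.7 blog-a.example http://members.example/profile/8812',
  '1200000170 192.0.2.44 blog-d.example http://members.example/profile/8812',
  '1200000220 192.0.2.45 blog-e.example http://members.example/profile/8812',
  '1200000300 203.0.113.5 blog-a.example http://members.example/profile/1021',
  '1200000500 198.51.100.9 blog-b.example https://docs.example/faq',
  '1200086400 192.0.2.44 blog-a.example https://docs.example/faq',
];

function parseLine(line) {
  const [ts, ip, blog, url] = line.trim().split(/\s+/);
  return { ts: Number(ts), ip, blog, url };
}

// A campaign is: within windowSec, one target receives links from at least
// minSources distinct addresses across at least minBlogs distinct blogs.
// groupBy 'url' catches one pushed page; 'host' rolls every pushed page on
// the same site together (several hijacked profiles promoted at once).
function findLinkSpamCampaigns(lines, opts = {}) {
  const { windowSec = 600, minSources = 5, minBlogs = 3, groupBy = 'url' } = opts;
  const keyOf = (ev) => (groupBy === 'host' ? new URL(ev.url).host : ev.url);

  const byTarget = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    const key = keyOf(ev);
    if (!byTarget.has(key)) byTarget.set(key, []);
    byTarget.get(key).push(ev);
  }

  const hits = [];
  for (const [target, events] of byTarget) {
    events.sort((a, b) => a.ts - b.ts);
    let j = 0; // sliding window [i, j) over the time-sorted events
    for (let i = 0; i < events.length; i++) {
      while (j < events.length && events[j].ts - events[i].ts <= windowSec) j++;
      const win = events.slice(i, j);
      const sources = new Set(win.map((e) => e.ip));
      const blogs = new Set(win.map((e) => e.blog));
      if (sources.size >= minSources && blogs.size >= minBlogs) {
        hits.push({
          target,
          posts: win.length,
          sources: sources.size,
          blogs: blogs.size,
          start: events[i].ts,
          end: events[j - 1].ts,
        });
        break; // report each target once
      }
    }
  }
  return hits;
}

console.log(findLinkSpamCampaigns(COMMENT_LOG));
console.log(findLinkSpamCampaigns(COMMENT_LOG, { groupBy: 'host' }));
```

On the constructed log, the per-URL pass reports only the profile page that six addresses pushed through five blogs in under four minutes, while the per-host pass also picks up the seventh post aimed at a second profile on the same site; the two genuine links to a documentation page, posted a day apart, never trip the thresholds.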

In addition, the attack takes advantage of Facebook-like "community" features on the AARP site, which allow users to view each others' profiles, make online "friends," and so forth. "Users who view the seemingly innocent AARP member profiles are automatically redirected to porn sites, and served up malware 'anti-virus' applications to help them 'fix' the problem," Yoder says.

The AARP site is particularly susceptible to this sort of multi-pronged attack because it appears to be driven by a home-grown content management system, Yoder says. "It appears to be a custom system that's missing some baseline-level security capabilities. This site is accepting JavaScript code submissions, which is something that most off-the-shelf content management systems would have no trouble blocking."
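The missing control Yoder points to is output handling of user-supplied profile fields. The added example below, written for this article and not AARP's or MX Logic's code, contrasts a profile renderer that echoes stored HTML as-is with one that HTML-escapes plain fields and runs rich-text fields through an allowlist sanitizer: scripts, event-handler attributes and javascript: URLs are dropped, and surviving links are marked rel="nofollow" so they pass no search ranking to the linked site. The profile payload and the host example-spam.invalid are constructed; the real content reported by MX Logic is not reproduced on the page.

```javascript
// Added example (not AARP's or MX Logic's code): rendering a user-submitted
// profile the way a naive home-grown CMS does, versus with escaping and an
// allowlist sanitizer. The hostile profile is constructed for illustration;
// example-spam.invalid is a placeholder host.
const HOSTILE_PROFILE = {
  displayName: 'Friendly Senior <script>alert(1)</script>',
  about:
    '<p>Hi! <a href="http://example-spam.invalid/">great deals</a></p>' +
    '<script>location.href="http://example-spam.invalid/"</script>' +
    '<a href="javascript:location.href=\'http://example-spam.invalid/\'">click</a>' +
    '<img src=x onerror="location.href=\'http://example-spam.invalid/\'">',
};

// Only these tags survive, and only with these attributes. Everything else
// (script, img, iframe, style, every on* handler) is discarded.
const ALLOWED_TAGS = { p: [], b: [], i: [], a: ['href'] };
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Plain-text field: neutralise every character that can open a tag or attribute.
// Existing entities in the input are re-escaped; that is visible but harmless.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) links. Parsing with URL instead of a regex means
// "java\tscript:" or "JAVASCRIPT:" normalise to the real scheme before the
// check, and relative URLs are rejected because they do not parse on their own.
function isSafeUrl(value) {
  try {
    return ['http:', 'https:'].includes(new URL(value.trim()).protocol);
  } catch {
    return false;
  }
}

const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function renderAttrs(tag, rawAttrs) {
  let out = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4];
    if (!ALLOWED_TAGS[tag].includes(name)) continue; // drops onerror, style, ...
    if (name === 'href' && !isSafeUrl(value)) continue; // drops javascript:, data:, relative
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  // User-supplied links pass no search ranking and cannot reach window.opener.
  if (tag === 'a') out += ' rel="nofollow noopener"';
  return out;
}

// Rich-text field: rebuild the markup from the allowlist instead of trusting it.
function sanitizeHtml(html) {
  const tagRe = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/;
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) {
      out += escapeHtml(html.slice(i));
      break;
    }
    out += escapeHtml(html.slice(i, lt));
    const m = tagRe.exec(html.slice(lt));
    if (!m) { // a stray '<' that does not start a tag
      out += '&lt;';
      i = lt + 1;
      continue;
    }
    const [whole, slash, rawName, rawAttrs] = m;
    const tag = rawName.toLowerCase();
    i = lt + whole.length;
    if (!hasOwn(ALLOWED_TAGS, tag)) { // hasOwn: "<constructor>" must not match Object.prototype
      // script/style bodies are discarded whole, not just their tags
      if (!slash && (tag === 'script' || tag === 'style')) {
        const close = html.toLowerCase().indexOf(`</${tag}`, i);
        const end = close === -1 ? -1 : html.indexOf('>', close);
        i = end === -1 ? html.length : end + 1;
      }
      continue;
    }
    out += slash ? `</${tag}>` : `<${tag}${renderAttrs(tag, rawAttrs)}>`;
  }
  return out;
}

// The home-grown way: stored HTML is echoed as-is, so every visitor to the
// profile runs the attacker's redirect and crawlers follow the planted links.
function renderProfileUnsafe(profile) {
  return `<h1>${profile.displayName}</h1><div class="about">${profile.about}</div>`;
}

// The hardened way: plain fields are escaped, rich fields are sanitised.
function renderProfileSafe(profile) {
  return `<h1>${escapeHtml(profile.displayName)}</h1>` +
    `<div class="about">${sanitizeHtml(profile.about)}</div>`;
}

console.log(renderProfileUnsafe(HOSTILE_PROFILE));
console.log(renderProfileSafe(HOSTILE_PROFILE));
```

Run under Node; the unsafe render ships the redirect script, the onerror handler and the javascript: link to every viewer, while the safe render keeps only the paragraph and the one http link, now carrying rel="nofollow". An attribute value containing ">" or an unterminated tag ends the tag match early and the remainder is emitted as escaped text, so the parser fails toward plain text rather than toward markup.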

AARP may have fallen into the trap that snares many sites when they seek to add Web 2.0-type capabilities, Yoder explains. "They choose their content management system based on its features, without giving much thought to its security capabilities," he says. "That can be a big mistake, especially if you are a site with a lot of visibility that might make a good target, like AARP."

Organizations that seek to build collaborative capabilities into their Websites should consider using systems that have been vetted by others, rather than a custom system, Yoder advises. "An open source solution has the benefit of a community behind it," he says. "WordPress has absorbed a lot of attacks, but now it's a lot stronger because of it."

And enterprises should always be sure to employ humans to monitor and moderate their communities and forums, rather than doing automated monitoring, Yoder adds. "In any community, there always will be people -- or bots -- that don't post in good faith," he says. "You need to have a person who can recognize those posts and police them."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.