Multi-pronged attack shows weakness in custom content management systems, researcher says

Tim Wilson, Editor in Chief, Dark Reading, Contributor

September 18, 2008

Hackers have launched a multi-faceted attack on the Website of the popular AARP organization, rerouting traffic from the seniors' association to pornography sites.

According to researchers at MX Logic, the attacks are designed not only to redirect traffic to porn sites, but to raise those sites' reputation on Google and other search engines.

"First, hackers found vulnerabilities in AARP.org’s user profile functionality, allowing them to post JavaScript redirect code and HREF links to porn sites," says Jeremy Yoder, director of Internet properties at MX Logic, who blogged about the AARP Website attacks on the company's Website yesterday. "Second, hackers employed bots in a massive campaign to submit blog comments containing links to the hacked AARP.org user profiles."

The hackers -- who probably are employed by the porn sites -- aren't necessarily trying to get seniors to view porn, Yoder observed. More likely, they hope to use AARP.org's search engine reputation to raise the porn sites' ranking within Google and other search engines, thus drawing more viewers to their sites.

"There has been a considerable increase in the use of comment and profile spam to promote pornographic or phishing sites in search engines," says Yoder. "This one was particularly notable because of the precise coordination of the attack, the exploitation of Web 2.0 functionality and the [search engine optimization] motivation, so we posted the information on our IT Security Blog."

MX Logic says it hasn't explicitly notified AARP about the attack. A query made to the association earlier today received no reply.

MX Logic, which studies Internet traffic patterns to detect threats from hackers and botnets, identified the attack when it found bots driving traffic toward the AARP site. "That was unusual, and when we saw the connection to the porn pages, we knew there was something going on," Yoder says.

But not all of the JavaScript redirects were sending users to the porn sites, Yoder observed. Some of them were just sitting on the site, still containing their pornographic names, and could be easily avoided by any visitor. "That's what told us there was an SEO angle here," Yoder says.

"Search engines rank sites based upon links from other sites," Yoder explains. "If a high-ranking site like the AARP (to which Google has assigned a page rank of eight out of ten) links to the hacker’s site, it increases the recipient site’s ranking and traffic. The bot-driven blog comment spam drives increased visibility of the hacked AARP profiles, driving higher traffic numbers and ranking to the AARP profile itself."
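The second prong described above, bots flooding blog comments with links to the hacked profiles, leaves a signature that a site operator can look for in its own comment submissions: many different clients, within a short window, all posting links to the same handful of pages. The following is an added example, not MX Logic's detection method or any AARP code; the comment records and hosts are constructed (reserved example names), and the window and threshold are assumptions a real deployment would tune.

```python
# Flag coordinated link spam in comment submissions (added example, not
# MX Logic's method).  Signal: the same URL posted by many distinct client
# IPs inside a short time window.  The records below are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINK_RE = re.compile(r'https?://[^\s"<>]+')

# Constructed comment submissions: (ISO timestamp, client IP, comment text).
# Six different clients push one profile URL within seven seconds; the
# news link at the end is posted by only two clients and is left alone.
SAMPLE_COMMENTS = [
    ("2008-09-16T10:00:01", "203.0.113.5",  "great post! see http://aarp.example/profile/u1234"),
    ("2008-09-16T10:00:03", "203.0.113.9",  "check this http://aarp.example/profile/u1234"),
    ("2008-09-16T10:00:04", "198.51.100.2", "http://aarp.example/profile/u1234 nice"),
    ("2008-09-16T10:00:05", "198.51.100.7", "also http://aarp.example/profile/u1234"),
    ("2008-09-16T10:00:07", "192.0.2.44",   "http://aarp.example/profile/u1234"),
    ("2008-09-16T10:00:08", "192.0.2.45",   "http://aarp.example/profile/u1234"),
    ("2008-09-16T10:15:00", "192.0.2.10",   "I disagree with the second point."),
    ("2008-09-16T11:30:00", "192.0.2.10",   "source: http://news.example/story/42"),
    ("2008-09-16T11:31:00", "192.0.2.11",   "same link http://news.example/story/42"),
]


def find_link_spam_campaigns(comments, window=timedelta(minutes=10), min_distinct_ips=5):
    """Return {url: distinct_ip_count} for every URL that at least
    min_distinct_ips different clients posted within any span of `window`.
    Thresholds are assumed values for the example, not measured ones."""
    posts = defaultdict(list)                      # url -> [(time, ip), ...]
    for ts, ip, text in comments:
        when = datetime.fromisoformat(ts)
        for url in set(LINK_RE.findall(text)):    # one hit per URL per comment
            posts[url].append((when, ip))

    campaigns = {}
    for url, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):             # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) >= min_distinct_ips:
                campaigns[url] = max(campaigns.get(url, 0), len(ips))
    return campaigns
```

Counting distinct client addresses rather than raw posts is what separates a bot campaign from one enthusiastic commenter; the flagged URLs are the profiles worth inspecting for injected script.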

In addition, the attack takes advantage of Facebook-like "community" features on the AARP site, which allow users to view each other's profiles, make online "friends," and so forth. "Users who view the seemingly innocent AARP member profiles are automatically redirected to porn sites, and served up malware 'anti-virus' applications to help them 'fix' the problem," Yoder says.

The AARP site is particularly susceptible to this sort of multi-pronged attack because it appears to be driven by a home-grown content management system, Yoder says. "It appears to be a custom system that's missing some baseline-level security capabilities. This site is accepting JavaScript code submissions, which are something that most off-the-shelf content management systems would have no trouble blocking."
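What "accepting JavaScript code submissions" means in practice, and what the "baseline-level" control Yoder refers to looks like, is shown by the following added example. It is not AARP's or MX Logic's code; it is a small allowlist sanitizer for a profile field that removes the two things the attack above depends on: stored script (script tags, inline event handlers, javascript: URLs) that redirects visitors, and plain followed links that hand the host site's search ranking to the attacker's pages. Only the Python standard library is used; the payload, the tag and attribute allowlists, and the example.org domain are constructed for the example.

```python
# Allowlist sanitizer for a user-supplied profile field (added example, not
# AARP's or MX Logic's code).  Everything not on the allowlist is dropped;
# links are scheme-checked and marked nofollow so they carry no ranking.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}   # markup a bio needs
ALLOWED_ATTRS = {"a": {"href"}}                              # no on*, style, src
ALLOWED_SCHEMES = {"http", "https"}                          # no javascript:/data:
DROP_CONTENT_TAGS = {"script", "style"}                      # drop tag AND content


def safe_href(value):
    """Return the URL if it is absolute http(s), else None.  Non-printable
    characters are stripped first so 'java\\tscript:' cannot slip past."""
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    parts = urlsplit(cleaned)
    return cleaned if parts.scheme in ALLOWED_SCHEMES and parts.netloc else None


class ProfileSanitizer(HTMLParser):
    """Rebuilds the input from the allowlist; anything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []      # allowed tags currently open, for balanced output
        self._dropping = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping += 1
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return                      # tag dropped; its text is still kept
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append((name, value))
        if tag == "a":
            if not kept:
                return                  # <a> with no usable href is dropped
            # Search engines should not pass ranking through user-supplied links.
            kept.append(("rel", "nofollow ugc"))
        attr_text = "".join(' %s="%s"' % (n, escape(v, quote=True)) for n, v in kept)
        if tag == "br":
            self.out.append("<br>")
            return
        self.out.append("<%s%s>" % (tag, attr_text))
        self._open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag != "br":
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._dropping = max(0, self._dropping - 1)
            return
        if self._dropping or tag not in self._open:
            return
        while self._open:               # close up to the matching tag
            open_tag = self._open.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self._open:               # close anything the input left open
            self.out.append("</%s>" % self._open.pop())


def render_profile_unsafe(bio):
    """The pattern behind the attack: stored user text dropped into the page as-is."""
    return '<div class="bio">%s</div>' % bio


def render_profile(bio):
    """Hardened rendering: allowlisted markup, scheme-checked, nofollow links."""
    sanitizer = ProfileSanitizer()
    sanitizer.feed(bio)
    sanitizer.close()
    return '<div class="bio">%s</div>' % "".join(sanitizer.out)


# Constructed payload in the shape the article describes: a redirect script,
# a followed link with an inline handler, and a javascript: link.
PROFILE_PAYLOAD = (
    "<p>Retired teacher from Ohio.</p>"
    "<script>window.location='http://example.org/pills';</script>"
    '<a href="http://example.org/pills" onmouseover="window.location=this.href">'
    "cheap pills</a>"
    "<a href=\"javascript:window.location='http://example.org/'\">click</a>"
    "<b>Likes gardening</b>"
)
```

Run `render_profile(PROFILE_PAYLOAD)` next to `render_profile_unsafe(PROFILE_PAYLOAD)`: the hardened output keeps the bio text and one link, drops the script block and the javascript: link entirely, strips the event handler, and tags the surviving link `rel="nofollow ugc"`. The allowlist approach matters more than the specific lists: a denylist of known-bad tags is what a home-grown system usually starts with, and it is the kind of filter that lets a new handler attribute or encoding trick through.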

AARP may have fallen into the trap that snares many sites when they seek to add Web 2.0-type capabilities, Yoder explains. "They choose their content management system based on its features, without giving much thought to its security capabilities," he says. "That can be a big mistake, especially if you are a site with a lot of visibility that might make a good target, like AARP."

Organizations that seek to build collaborative capabilities into their Websites should consider using systems that have been vetted by others, rather than a custom system, Yoder advises. "An open source solution has the benefit of a community behind it," he says. "WordPress has absorbed a lot of attacks, but now it's a lot stronger because of it."

And enterprises should always be sure to employ humans to monitor and moderate their communities and forums, rather than doing automated monitoring, Yoder adds. "In any community, there always will be people -- or bots -- that don't post in good faith," he says. "You need to have a person who can recognize those posts and police them."

About the Author(s)

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
