Hijacked Websites by the Numbers

Two weeks ago, I had the chance to give a presentation about the danger of hijacked websites (you can download the presentation in French here). I used the talk to highlight various points which illustrate the extent of the problem.

Some numbers

70% of malicious links were found on hijacked websites in 2011 (Sophos, page 39). In 2012, Google is finding 9,500 newly malicious websites every day, mostly hijacked sites (Google, 2012). The Blackhole exploit kit alone is estimated to be present on several million websites per year (AVG, weekly count).

Nikkju, a web based worm that used SQL injection to spread, has infected about 200,000 websites. Lizamoon, which started propagating in 2010, infected about 1.5 million websites via SQL injection.


High profile victims

Since the hijacking of websites is mostly automated, websites of all types are getting compromised. Here are some of the high-profile websites that have been hijacked:

• 2012: French budget minister, Cleartrip (India), Computer World Mexico, and most of the top-1,000 websites blocked by Google, like blog.com (#649), fatakat.com (#699), ziddu.com (#802)
• 2011: MySQL, Geek.com, USPS, Lenovo India, etc.

The list of hijacked websites includes many governmental websites from all over the world, including the United States.

Vulnerable software

The attack surface of website is quite large, an attacker can target the CMS, its plugins, administration tools (PHPMyAdmin, Plesk, cPanel - tools which should not be publicly accessible), the web server, the FTP server, the DNS server, etc.

I looked at the number of CVEs issued in 2012 for the most popular software platforms in these areas:

• WordPress: 14 CVEs for the core, 42 for extensions, including security extensions that are supposed to make WordPress safer.
• Joomla: 7 in core
• Drupal: 20+ in core
• PHPMyAdmin: 5 - Gemenenet, a security company, was compromised through a vulnerability in PHPMyAdmin
• cPanel: 50,000 compromised through one attack
• Plesk: 1 CVE, but 50,000 websites compromised through it
• Apache: 30+ CVE (core and modules)
• BIND: 6 CVEs
• etc.

Some hosting companies were compromised as well: DreamHost (January 2012), ServerPro (February 2012), WHMCS (May 2012, provides billing and technical support to smaller hosting companies).

In your mail box

If you want some examples of hijacked websites redirecting users to malicious pages, you can take a look at your inbox. Just this morning, I received four similar messages about a fictitious payment sent to me through Intuit:

Malicious e-mail

All the links and buttons point to the same URL on a hijacked site:

• www.eyslerimaging.com/blog/wp-content/plugins/flickr-widget/iprprocsd.html (photography blog)
• www.odiseya.net/wp-content/themes/twentyten/bewpinfr.html
• user3.inet.vn/wp-content/plugins/iprprocsd.html

These pages redirect to the same malicious page hxxp://navisiteseparation.net/detects/processing-details_requested.php. This page runs a malicious Java Applet. Unfortunately, I could not retrieve the content a second time for further analysis.

This is just one of the many spam campaigns that lead visitors to a malicious site.