Government websites invaded by smut and spyware

A slew of government organisations and corporations are unwittingly helping hackers promote porn sites.

Targets as diverse as the Marin County Transportation Authority website in California and the Bank of Ghana have been unwittingly playing host to code that redirects surfers to smut as a result of insecure systems.

The tactic is aimed at increasing the search engine ranking of skin
flick sites. The offending content is normally hosted elsewhere.
However, some of the dodgy pages on compromised corporate servers
attempt to install malware onto the PCs of visitors.

A (safe to view) sample html page featuring in this type of attack can be found here.

Typically, the pornographic redirects are hidden deep within the
sites. Pages redirecting to smut sites were located via a Google search
in directories normally reserved for staff reports on the Marin County
website, for example. The front pages of the attacked sites remain
unaltered.

Brookhaven National Labs was discovered to be harbouring
redirections to pornographic sites last week. It promptly cleaned up
its act.

The initial attack on the Marin County Transportation Authority website prompted a temporary shutdown and cleanup operation on all California government websites on 2 October. Despite this, the site was compromised again late last week.

The site was purged on Monday, although how long it stays that way remains to be seen.

The Bank of Ghana website still harbours redirections to porn site.

Anti-spyware firm Sunbelt Software has being closely monitoring the attacks, chronicling its observations on its security blog.

Alex Eckelberry, president and chief exec of Sunbelt, told El Reg
that the porn redirection ruse is a common tactic. "These sites were,
or in some cases still are, hosting code that does redirections to
pornographic sites. Gangs are doing this to inflate search engine
results. It's similar to, but more aggressive than, link comment spam,"
he added.

It's unclear what vulnerabilities were used to compromise the
affected sites. DNS hacks, open admin portal (the suspected cause of
the initial Marin County attack), or simply poorly patched systems are
all possibilities.

"The hackers have automated bots that look for these
vulnerabilities. It's hard to pin the cause down to any one thing but
we think the same group was involved in the attacks on both Marin
County and the Bank of Ghana, based on the sites that are being
promoted," Eckelberry explained.