Online forums hacked and misused on a large scale

Discussion in 'Community Forum Software' started by Brandon, Jul 19, 2012.

  1. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,706
    Location:
    Topeka, Kansas
    First Name:
    Brandon
    Online forums have, for some time, apparently been the target of hackers who inject additional code. However, the attackers aren't interested in publishing cool slogans or political messages; they're looking for money. They steal Google traffic from the forums and exploit this traffic via ads. Their main targets appear to be forums that are based on the vBulletin software.


    Unlike the "Look how cool I am" crackers, these attackers have very discreet working methods. They hide their code deeply within the system and ensure that their redirections don't attract much attention. Only users who visit forum pages for the first time via a search engine such as Google are redirected to a url123.info URL. This site initially displays a strange blocking alert ("Access denied") followed by some arbitrary text and then loads a full-page ad by InfinityAds. The ads are probably a direct source of income for the intruders even though each ad is only worth a few pennies. However, as some forum operators have reported that their traffic has dropped by more than 70 per cent, and the phenomenon seems to be a rather widespread one, the overall yield is likely to be considerable.

    Forum owners and regular forum users who access the pages directly never encounter the redirection. Neither will those who try to reproduce the issue by repeatedly clicking through to the forum via Google be redirected, because a cookie already exists for the page. One way of reliably reproducing the redirection is to carry out a search with a browser in private or anonymous mode.

    The German Typo3 forum is among the forums currently affected but some other reports date back several months. The precise cause remains unclear. Various contributors suspect a connection to vbSEO – a search engine optimisation extension. It appears that this extension was compromised in a way that allowed attackers to install malicious plug-ins via the forum administrator's account. In their FAQs, the vbSEO developers have provided a tool for testing vBulletin installations. The vBulletin support team recommends a slightly more generic vBulletin test.

    [Source...]
     
    cpvr likes this.
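A check a forum operator could run for the behaviour described in the post above, as an added example that is not part of the original thread or the quoted article: it compares a direct visit, a first visit with a search-engine referrer, and a repeat visit carrying the cookie the first visit set. It assumes the redirect is an HTTP 3xx with a `Location` header (a script-based redirect would need the page body inspected instead); the function names, the `seen=1` cookie and the `example.invalid` hosts are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

SEARCH_REFERER = "https://www.google.com/search?q=forum"  # constructed value

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx instead of following it

def http_fetch(url, headers):
    """Live fetcher: (status, Location, Set-Cookie) of the first response."""
    request = urllib.request.Request(url, headers=headers)
    try:
        resp = urllib.request.build_opener(NoRedirect).open(request, timeout=10)
    except urllib.error.HTTPError as err:  # an unfollowed 3xx is raised as an error
        resp = err
    return resp.code, resp.headers.get("Location"), resp.headers.get("Set-Cookie")

def offsite_host(url, response):
    """Host of an off-site HTTP redirect, else None."""
    status, location, _ = response
    host = urlparse(location or "").hostname
    if 300 <= status < 400 and host not in (None, urlparse(url).hostname):
        return host
    return None

def probe(url, fetch=http_fetch):
    """Compare a direct visit, a first search visit and a repeat search visit."""
    direct = fetch(url, {})
    first = fetch(url, {"Referer": SEARCH_REFERER})
    cookie = (first[2] or "").split(";")[0]  # name=value set by the first visit
    repeat = fetch(url, {"Referer": SEARCH_REFERER, "Cookie": cookie}) if cookie else first
    hosts = {name: offsite_host(url, resp) for name, resp in
             (("direct", direct), ("search_first", first), ("search_repeat", repeat))}
    # Cloaked: only the search-referred visit leaves the site.
    hosts["cloaked"] = bool(hosts["search_first"]) and not hosts["direct"]
    return hosts

def simulated_forum(url, headers):
    """Constructed stand-in for an affected forum (no network access)."""
    from_search = "google." in headers.get("Referer", "")
    if from_search and "seen=1" not in headers.get("Cookie", ""):
        return 302, "http://ads.example.invalid/landing", "seen=1; Path=/"
    return 200, None, None

def clean_forum(url, headers):
    """Constructed stand-in for an unaffected forum."""
    return 200, None, None
```

Calling `probe(url)` with the default fetcher runs the same comparison against a live forum you operate; a result with `cloaked` set and `search_repeat` empty matches the cookie-gated pattern the post describes.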
  2. benjaminp

    benjaminp Regular Member

    Joined:
    Mar 22, 2008
    Messages:
    218
    Likes Received:
    101
    WordPress blogs are often targeted with the same redirects, so it's not a major shock it's spread to forums.
     
    cpvr likes this.
  3. cpvr

    cpvr Regular Member

    Joined:
    Aug 14, 2009
    Messages:
    3,219
    Likes Received:
    823
    I feel this thread is very important and was overlooked by some users, so here's a worthy bump.
     
    benjaminp likes this.
  4. Brandon

    Brandon Regular Member

    I don't even remember posting it but I do agree, it's good stuff to watch over. :D
     
  5. Dan Hutter

    Dan Hutter aka Big Dan

    Joined:
    Jul 20, 2006
    Messages:
    1,412
    Likes Received:
    515
    Location:
    New York
    I cleaned up this for two clients recently. What a bitch it was too but at least I got some decent billables. I wound up having to search the DB manually for the key phrases the hack used.
     
    Brandon likes this.
  6. DaUnknownAdm!n

    DaUnknownAdm!n Regular Member

    Joined:
    Mar 5, 2010
    Messages:
    254
    Likes Received:
    97
    Location:
    Brooklyn, New York
    Sounds like a nightmare!
     
