Cyber Crooks Hijack Activities of Large Web-Hosting Firm

Organized crime groups have modified a significant share of the Web sites operated by one of the Internet's largest Web hosting companies to launch cyber attacks against visitors, Security Fix has learned.

Last month, Phoenix-based IPOWER Inc. was featured prominently in an unflattering report by StopBadware.org, a joint effort by Google, Harvard Law School's Berkman Center for Internet & Society and Oxford University's Internet Institute. StopBadware has identified more than 90,000 sites that attempt to install malicious software on visitors' computers via Internet browser security holes or programming tricks. When a user tries to click on one of these sites after they appear as Google search results, Google posts a warning page stating that the site has been spotted trying to attack previous visitors.

John Palfrey, a professor of Internet law at Harvard, said the report showed that about 90 percent of the sites flagged as serving "badware" appeared to be otherwise legitimate sites that had been hijacked by criminals.

"What we've seen is a growing and alarming trend where the majority of sites we're identifying [belong to individuals] who clearly have no intention of distributing badware," Palfrey said.

StopBadware found that about 10 percent of the sites in its database were operated by IPOWER. Security Fix found that the problem at IPOWER may be far worse than StopBadware indicated.

Like many other companies that offer low-cost Web site hosting services for about $5 to $10 per month, IPOWER hosts sites via "virtual servers." This allows multiple sites to be hosted using the same hardware. Virtual server setups are far more affordable than "dedicated" hosting services, where each Web site is assigned its own set of hardware.

Security Fix examined nine of IPOWER's virtual servers. They are identified in the chart to the left by the names assigned to them by IPOWER -- "CPanel1" through "CPanel8" and "Host16". These servers are home to at least 8,192 active Web sites, most of which appear to belong to individuals and small businesses. According to a Security Fix analysis, more than 2,650 of those sites -- or an average of 33 percent of all sites on each server -- included computer code designed to silently retrieve malicious software from a variety of online locations. Some of the download sites linked to in the unauthorized code were inactive at press time, while others were able to serve malicious software to visitors, most often in the form of spyware that steals passwords and financial data from a victim's PC.

IPOWER declined a phone interview for this story. But the company acknowledged in an e-mail that "over the past three months our servers were targeted. We take this situation very seriously and a diligent cleanup effort has been underway for many months already. We saw the StopBadware report on the day it came out and went to download the list to sweep it as quickly as possible. By looking at the list, it was evident that our cleanup efforts were already helping significantly. By the time we downloaded the list, there were already over a few thousand accounts less than what they claimed in their report."

IPOWER said the site hacks "came from a compromised server hosted by another company that was listed on the Stopbadware.org Web site. This impacted a higher percentage of accounts on each of these legacy third-party control panel systems."

The company claims to have more than 700,000 customers. If we assume for the moment the small segment of IPOWER servers Security Fix analyzed is fairly representative of a larger trend, IPOWER may well be home to nearly a quarter-million malicious Web sites.

Many of the IPOWER sites that were found with malicious Javascript code were sites that had not been modified or viewed by their owners for months or years. Bernard McGovern, a retired insurance consultant from Ocean Pines, Md., said it had been years since he'd been to his site, which initially was published in 2002.

Andy Gravina, a deejay from central Florida, first learned his site was infected three months ago when his anti-virus program alerted him that his own home page was trying to infect his computer with a virus.

Gravina said he contacted IPOWER about the malicious code. He said the company told him that it was his responsibility to maintain the security and integrity of his site.

"I said, 'Wait a minute, this Web page is housed on your servers, and it would seem you would have the responsibility to see that your servers are being checked with anti-virus programs,'" Gravina recalled. "So the guy put me on hold and after a while he came back and said that the pages had been checked and that the offending code had been removed."

Gravina said he thought the problem had been taken care of, until he received a call from Security Fix notifying him that his site continued to host the malicious code.

While two of the malicious sites most commonly referenced by the compromised IPOWER servers were offline at the time of this publication, remote sites used to serve malicious software frequently go up and down as the attackers modify their operations, said Roger Thompson, chief research officer at Exploit Prevention Labs.

IPOWER declined to say exactly how the attackers infiltrated so many of its servers, or how long the malicious code has resided on infected sites.

"We are constantly responding and developing new measures to counter attacks and compromises from various off-shore hacking groups," the company said. "There are new attacks created from new sources every day. We can't control that. We can control how we handle them, and we are very proactive."

But a review of Gravina's and McGovern's sites indicates that both virtual servers are running outdated, insecure versions of the Apache Web server software and PHP, a popular Web scripting language that many hosting companies provide for their customers.

The most recent version of PHP -- 4.4.7 -- has fixed more than five dozen security holes since PHP 4.4.2, the version currently in use by IPOWER, which was first released nearly 16 months ago.
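Whether a shared host is still running a superseded release can often be read from the versions the server itself advertises in its HTTP response headers. The following checker is an added example, not code from Security Fix or IPOWER: it parses the `Server` and `X-Powered-By` headers, compares each advertised version numerically against a minimum the operator considers patched, and reports anything below that line. The sample headers are constructed; the only version drawn from the article is the PHP 4.4.7 minimum.

```python
import re

# Only products followed by a dotted version are captured, e.g. "PHP/4.4.2".
# Header-derived versions are a heuristic: hosts can hide or fake them, so a
# clean result is not proof of an up-to-date server; a hit is still worth acting on.
VERSION_RE = re.compile(r"\b(Apache|PHP|OpenSSL)/(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '4.4.2' into (4, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def advertised_versions(headers):
    """Collect product -> version tuple from Server and X-Powered-By headers.

    `headers` maps header name -> value; names are matched case-insensitively.
    The first version seen for a product wins (Server and X-Powered-By often repeat it).
    """
    found = {}
    for name, value in headers.items():
        if name.lower() in ("server", "x-powered-by"):
            for product, version in VERSION_RE.findall(value):
                found.setdefault(product, parse_version(version))
    return found


def find_outdated(headers, minimums):
    """Return {product: (advertised, required)} for every advertised product
    whose version is below the caller's minimum. Products that do not
    advertise a version are skipped rather than reported."""
    seen_versions = advertised_versions(headers)
    outdated = {}
    for product, required in minimums.items():
        seen = seen_versions.get(product)
        needed = parse_version(required)
        if seen is not None and seen < needed:
            outdated[product] = (seen, needed)
    return outdated


# Constructed sample headers in the shape a shared host of that era might send.
# The Apache banner deliberately carries no version; the PHP value matches the
# version the article says IPOWER was running.
SAMPLE_HEADERS = {
    "Server": "Apache (Unix) PHP/4.4.2",
    "X-Powered-By": "PHP/4.4.2",
}

# PHP 4.4.7 is the current release named in the article.
MINIMUMS = {"PHP": "4.4.7"}

if __name__ == "__main__":
    for product, (seen, needed) in find_outdated(SAMPLE_HEADERS, MINIMUMS).items():
        print(f"{product}: advertises {'.'.join(map(str, seen))}, "
              f"minimum patched release is {'.'.join(map(str, needed))}")
```

In practice the `headers` dict would come from a HEAD request to the customer's own site; feeding it captured headers, as here, keeps the check reproducible and lets a site owner verify what the host is running without any tooling beyond Python.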

Large hosting providers should not be allowed to host tens of thousands of compromised sites for months at a time. There is little excuse for failing to apply long-overdue security updates to seal frequently targeted Web server software flaws, and no reason why hosting providers cannot keep closer tabs on the content being served by their customers.

An Internet service provider or Web host can take action within 48 hours if it receives a "takedown notice," under the Digital Millennium Copyright Act. The law protects network owners from copyright infringement liability, provided they take steps to promptly remove the infringing content. Yet ISPs and Web hosts often leave sites undisturbed for months that cooperate in stealing financial data and consumer identities.

There is no "notice and takedown" law specifically requiring ISPs and Web hosts to police their networks for sites that may serve malicious software. Security Fix readers - do you think that such a law would be useful or effective?

Service providers may be able to get better control of malicious activity on their networks if they made a more concerted effort to stratify abuse reports. For example, most ISPs and Web hosts have a single e-mail address for reporting suspicious, hostile or illegal behavior. It is usually something like "abuse@companynamehere.com." But consider the technicians who sift through those complaints for the truly serious ones. In all likelihood, the spam complaints will be the most numerous, followed by complaints about phishing and unauthorized network scanning. One method of improving response times to abuse reporting might be to have all phishing reports go to phishing@isp.com, and all malicious software reports be sent to malware@isp.com, for example.

Update, 1:56 PM ET: A reader just alerted me to the inaugural post of Google's new Online Security Blog, which delves into the problem of hacked, legitimate sites serving up malicious software.

By Brian Krebs  |  May 23, 2007; 10:30 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  

Comments

Brian, great analysis on the comparison to takedown notices of copyright material versus malware hosting.

You mention that web hosting companies may sometimes get overwhelmed with reports of abuse. One way to stop that is to actually reduce the amount of abuse notification by going through a third party such as Mynetwatchman.com

But I don't think web hosting companies need to have special notification to know when they are out of date with their hosted software. Bugtrack lists are public for a reason. Lots of enterprises subscribe to vendor patch notifications as they should. So why can't companies like Ipower?

Bad ISPs know when they have poor security practices. Refusing to patch or upgrade on a regular cycle is not only bad practice, but possibly criminal from a liability standpoint. And bad webhosters need to be called out.

I'm afraid that it may take one large webhosting provider being sued for assisting in identity theft to get them to patch with regularity. Ask John Palfrey if there could be a civil or criminal liability for negligence by refusing to patch.

Posted by: BelchSpeak | May 23, 2007 12:02 PM | Report abuse

You imply that Apache is at fault, but provide no proof.

Perhaps the fault actually lies with CPanel:
http://www.securityfocus.com/bid/22915/info ,
http://www.securityfocus.com/bid/22474/info ,
etc.

Posted by: some guy | May 23, 2007 12:47 PM | Report abuse

Do you have to be using Google to be alerted about a site on the badware list before you visit it? It would be more useful if that list was incorporated into a browser add on (like site advisor for example) so you'd be warned when you are cruising the web without using a search engine.

Posted by: dude | May 23, 2007 1:20 PM | Report abuse

I visited a large web hosting firm several years ago (it hosted house-hold name websites as well as thousands of smaller unknown sites). Enterprise customers had their own machines that they fully controlled (and the staffing could merely power-cycle the machines). Those that let the hosting company manage their machines all shared the same password. Thousands of users/machines with the same username/password. All it takes is one customer to escalate privs to own everything.

Good reporting, and I have the feeling this is the tip of the iceberg in regards to security with firms such as this.

DA

Posted by: DA | May 23, 2007 1:23 PM | Report abuse

The linked article at stopbadware.org doesn't have the IP address ranges for iPower or any of the other four guilty parties.

If you want to identify their IP address ranges and add them to your firewalls, go to the WHOIS database at arin.net and enter the hosting company's name (e.g. "iPowerweb") in the "Search WHOIS" box.

Posted by: Ken L | May 23, 2007 3:58 PM | Report abuse

"You imply that Apache is at fault, but provide no proof.

Perhaps the fault actually lies with CPanel:
http://www.securityfocus.com/bid/22915/info ,
http://www.securityfocus.com/bid/22474/info ,
etc."

And this is proof that it wasn't Apache??? Anyone with a mouse can link to advisories.

Until the attack vector is identified, any such speculation is just that - CPanel, Apache, PHP, Joe Insider, or otherwise.

I might be unnecessarily critical of your assumption but wow...look before you leap.

Posted by: Some Guy2 | May 23, 2007 4:07 PM | Report abuse

Great article!

This is only part of the problem. While I wholeheartedly agree web-hosting providers should be required to properly secure their sites proactively, another big part of the problem are individual computer users who fail to proactively secure their own systems allowing themselves to be easily compromised. It's all about personal responsibility! By no means can we expect someone else to protect us from all the bad stuff out there. Too many users allow themselves to be low hanging fruit that always get picked time after time! A few actions can greatly reduce your "attack surface":

1. (MOST IMPORTANT), stop using an administrator account, use a LUA (limited user account).
2. For home users or those not managed by an IT group, consider using a customized "hosts" file (ex. http://www.mvps.org/winhelp2002/hosts.htm)
3. Use a quality Antivirus program and set it to update DAILY!
4. Practice safe computing. (ex. look both ways before crossing the street)

Treat computer security like physical security! Be proactive! Be aware of your computing environment! Don't let your guard down! A little paranoia is healthy!

:::stepping off soapbox now::::

Posted by: TJ | May 23, 2007 4:40 PM | Report abuse

The custom hosts file URL should be:

http://www.mvps.org/winhelp2002/hosts.htm

Posted by: TJ | May 23, 2007 4:44 PM | Report abuse

Websense started tagging iPowerWeb hosted sites as "Malicious Web Sites" in their Web filtering software package back in October 2006. Good for them, but when I asked them to make a statement on the extent of iPowerWeb's problems last month, they declined.

Personally, I believe this story has been suppressed. There is no excuse for this having gone on so long and the CxO's of iPowerWeb should be held accountable.

Posted by: Net Nazi | May 23, 2007 5:57 PM | Report abuse

Great story, Brian!! I was seeing a lot of hacked sites hosting malware at iPowerWeb over a year ago. I think the problem has been going on there for a long time. I also saw complaints from iPowerWeb's customers that they were unable to get help from the company -- they were told the same thing Gravina was told even though their sites were on shared servers where the customer has no ability to update the server side apps, like php and Apache.

You are exactly right about companies needing to triage abuse reports properly in order to get most serious problems dealt with in a timely manner. Case in point, this thread at ThePlanet's forum.

http://forums.theplanet.com/index.php?showtopic=86667

ThePlanet was named in the StopBadware report as having the third largest number of malware sites. I personally dealt with one case where it took 6 days to get a site down there.

Posted by: suzi | May 23, 2007 9:57 PM | Report abuse

I've read your article about IPOWER people and I can't help but smiling. That site is a 'classic' hosting of many Phishing sites we've seen here. All them legit but compromised sites. It is so easy for fraudsters that they don't 'own' only one site, but many of them at the same time to have a redundant takedown-resistant structure. 48 hours of response when they're warned about a phishing site? Believe me, _many_ people can get robbed in a 48 hours period.

Posted by: Julio C. | May 24, 2007 10:17 AM | Report abuse

Large ISP abuse mailboxes are mostly processed by automated filters.
More mailbox addresses would just get deluged by duplicate reports.
People making complaints tend to Carbon Copy every address they can find, rather than carefully select only one email address. So abuse@, security@, root@, postmaster@, ceo@, and so on.

Posted by: Sean D. | May 24, 2007 12:16 PM | Report abuse

Brian,
Off topic, but, we received a critical update from Microsoft (at least I hope it was Microsoft) overnight Tuesday (May 22). Not a, "Patch Day," so it seemed strange, and it seems even stranger you have yet to mention it.
Any idea what's up?

Posted by: dijit44 | May 24, 2007 2:28 PM | Report abuse

TJ:

They also may want to check our hosts file which is a superset of the MVPS hosts file (but I feed everything I find to Mike):

http://www.hostsfile.org/hosts.html

Other good blocking hosts files are:

http://sysctl.org/cameleon/hosts
http://hphosts.mysteryfcm.co.uk/

There is enough blame to share all the way around here.

Users should: Stop using Internet Explorer and use Firefox or Opera browsers instead. If they use Firefox, they should consider NoScript. I can guarantee they aren't going to use NoScript until they get whacked several times. Keep browsers up to date. Keep all browser plugins up to date. Most AV programs are very good at keeping up to date and Kaspersky checks every hour by default. Actually, by moving to some version of Linux or buying a Macintosh, a LOT of the malware problems go away. I estimate at least 70% and as much as 85% of the hosts we block that disseminate malware do NOTHING on those platforms unless you happen to be running a Windows application under WINE on Linux. You should also consider pointing yourself to OpenDNS servers which will warn of some of this stuff (but it is incredibly dynamic). Check with your Internet Service Provider before going with OpenDNS though. Some ISPs won't allow you to use OpenDNS. There are other things you can do as well. If you are pretty sure you know the IP address of certain sites and there is only one IP address, then add them to your hosts file to completely protect you from DNS cache server poisoning.

Web site owners should: Do not depend on the ISP to keep uninfected copies of your pages. You really should have a complete copy of your web sites in a safe place. This is called backup! Sure you can complain, but using ftp to shove a clean version of the page or files back into place over the infected file may help (we are going to add OpenPGP signatures to our downloads soon). Actually, I have scripts that use wget to pull down the pages and contrast them with what I have and notify me of any differences.

ISPs should: NEVER run outdated web software. The only machines with bigger bulls-eyes on their chests than ones web servers are DNS servers.

Six days to handle the problem? We had a WMF infecting site in the UK that stayed in our blocking hosts files for over NINE MONTHS! A newer version of that cyber.wmf file is now being pumped out again (we block the site that does it). Stop pointing the finger at others until YOU have done what YOU can do to protect YOURSELF. But I really do think people providing web servers for others have an obligation to keep them as up to date as possible, and legal legislation may be needed to get this done.

Posted by: hhhobbit | May 24, 2007 10:21 PM | Report abuse
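The comment above describes pulling down one's own pages and contrasting them with a known-good copy; the article describes what an owner is looking for, namely silently injected JavaScript that fetches code from elsewhere. The script below is an added example of that owner-side check, not the commenter's wget script and not anything from IPOWER or Security Fix. It hashes each fetched page against a baseline recorded at publish time and, for any page that has changed, lists `script` and `iframe` sources that point outside the site's own allowed hosts. The clean page, the "fetched" copy with an injected tag pair, the host names and the allowed-host list are all constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed clean page, as the owner last published it. Its one script tag is a
# relative URL, i.e. served from the owner's own site.
CLEAN_INDEX = (b"<html><body><h1>Site home</h1>"
               b"<script src='/js/menu.js'></script></body></html>")

# Baseline recorded at publish time: path -> sha256 of the clean page.
BASELINE = {"/index.html": sha256_hex(CLEAN_INDEX)}

# Constructed "fetched" copy: the same page with an external script and a
# zero-size iframe appended before </body>. The host name is made up.
FETCHED = {
    "/index.html": CLEAN_INDEX.replace(
        b"</body>",
        b"<script src='http://injected.example/x.js'></script>"
        b"<iframe src='http://injected.example/f.html' width=0 height=0></iframe>"
        b"</body>"),
}

# Hosts the owner legitimately loads scripts or frames from (constructed).
# The empty string covers relative URLs, which resolve to the site itself.
ALLOWED_HOSTS = {"", "www.example-site.test"}

# Matches <script ... src=URL> and <iframe ... src=URL>; quotes optional.
TAG_RE = re.compile(rb"<(script|iframe)\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)",
                    re.IGNORECASE)


def foreign_references(html: bytes):
    """Return (tag, url) pairs for script/iframe sources outside ALLOWED_HOSTS.
    Protocol-relative URLs (//host/...) are handled because urlparse yields their host."""
    hits = []
    for tag, src in TAG_RE.findall(html):
        url = src.decode("latin-1")
        host = urlparse(url).netloc.lower()
        if host not in ALLOWED_HOSTS:
            hits.append((tag.decode("ascii").lower(), url))
    return hits


def check_site(baseline, fetched):
    """Compare fetched pages with the baseline hashes.

    Returns {path: {"changed": bool, "foreign": [(tag, url), ...]}}; a page that
    could not be fetched at all is reported as changed with "missing": True.
    Foreign references are only listed for changed pages, so the owner's own
    external includes (already in the baseline) do not show up as noise.
    """
    report = {}
    for path, expected in baseline.items():
        body = fetched.get(path)
        if body is None:
            report[path] = {"changed": True, "foreign": [], "missing": True}
            continue
        changed = sha256_hex(body) != expected
        report[path] = {"changed": changed,
                        "foreign": foreign_references(body) if changed else []}
    return report


if __name__ == "__main__":
    for path, result in check_site(BASELINE, FETCHED).items():
        status = "CHANGED" if result["changed"] else "ok"
        print(f"{path}: {status}")
        for tag, url in result["foreign"]:
            print(f"  foreign {tag} source: {url}")
```

In use, `FETCHED` would be filled by fetching each baseline path from the live site; a changed hash alone is enough to trigger restoring the clean copy from backup, and the foreign-source list tells the owner what to report to the host. The hash check also catches injected code that this simple tag pattern would miss, such as obfuscated inline scripts, which is why the two checks are combined rather than relying on the pattern alone.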

Re: Netscape

OOPS! No slight was intended against Netscape. It is also a good browser. Netscape just needs to stop doing full system scans (let Spybot S & D, or other Spyware programs do that) and asking you to reinstall the browser you just installed which is brand new because you just pulled it down! More to the point, Netscape also needs to make as many of the plug-ins that work in Firefox also work in Netscape. But Netscape's primary responsibility is to take care of their major turf which is to keep up with the dynamic number of hosts that can harm you in their browser's restricted lists. I would also be happier if I could tell the browser "please check for updates RIGHT NOW!" It goes without saying that users should also NOT take the browser defaults but cinch the security settings on the browser down. Unlike the other browsers, that requires almost no changes in Netscape. My browsers dump EVERYTHING when I close them and they don't keep passwords, etc. My passwords are stored in separate OpenGPG encrypted files. That way if there is a hole in the browser that miscreants could take advantage of it does them no good because there isn't anything there anyway.

Posted by: hhhobbit | May 24, 2007 11:10 PM | Report abuse

I have to laugh when I see posts like this. Especially when the comments switch to using this or that browser.

Brian, and others, have done a great service to uncover a company with extremely bad (to say the least) business practices.

The solution is simple... Pull the plug on IPOWER. Problem solved! When IPOWER can show they have their business in order, they can open shop again.

This is _exactly_ why we need strong Federal regulation and government oversight, so there is the power to step in and shutdown those feeding malware into the Internet.

Really quite simple.

Posted by: BadBusiness | May 25, 2007 10:20 AM | Report abuse

Personally, I see this as more of a web site owner issue. While I agree that an ISP or Web Host should keep up to date on bug fixes / security patches and updates for primary services, it's not always that simple.

As a much smaller web host, I often see customers who upload insecure scripts, use weak passwords or even defaults, allow inexperienced amateurs to "design" their website in an attempt to save money, etc. etc. At times I wish that a website owners were required to take a security course for certification before being allowed to put up a website. I realize that this doesn't address the entire problem, but from my perspective, it certainly couldn't hurt!

That being said, I hope that this exposure raises awareness of ISP and web hosts that they need to do their part to squelch this type of abuse.

Posted by: whpromo | May 25, 2007 12:39 PM | Report abuse

Thanks for finally highlighting the issues with IPOWER. This isn't news though, they've hosted a large percentage of compromised sites going back well over a year. I investigated a customer's compromised site in June '06, and found that a good percentage of the sites on the same server were also compromised. I contacted the SANS Internet Storm Center at that time and they didn't even want to post something about it because they had gone through this so many times with IPOWER that it wasn't worth the effort. IPOWER's usual response is to blame the site owner for using a weak password, but I suspect the more likely culprit is the vulnerable versions of software that IPOWER is using, not the passwords their users are using.

Posted by: meyerc13 | May 25, 2007 1:38 PM | Report abuse

dijit44 wrote:

"Off topic, but, we received a critical update from Microsoft (at least I hope it was Microsoft) overnight Tuesday (May 22). Not a, "Patch Day," so it seemed strange, and it seems even stranger you have yet to mention it.
Any idea what's up?"

--

If you received this "critical update" via email, then it's fraudulent.

Posted by: David | May 29, 2007 2:52 PM | Report abuse

Great article Brian Krebs. By reading it and the statements above I used to think what would happen if a car did the same as the internet does (i.e. driving where it would like and not the driver!). According to the holes at the world wide web I think that it is easy for whoever wants to hack, while the "default" words of each computer are equal!
tagesclaus

Posted by: Tagesclaus | June 4, 2007 8:33 AM | Report abuse

All this discussion and not one mention of where to report a malicious or fraudulent site. What about an international internet fraud organization? I tried to start a site with web1000 but couldn't upload anything, now I'm wondering if it was a phishing site.

You mentioned cookies; this is the worst site I've visited so far for collecting cookies, with 6 to 9 requests per mouse click.

Posted by: Mat | June 9, 2007 1:02 AM | Report abuse


© 2010 The Washington Post Company