Early last year I wrote about the increasing amount of spam that was using hacked web servers to obfuscate the spammer’s call to action. Back then the volume was creeping up to 1% of all spam. Since we’ve been seeing even more of it lately, I decided to take a look at the figures and see what had been going on in the past six months.
The average for the six month period was 7.7% of all spam, but we have seen much higher peaks,including the recent period from December 30th through January 8th where one relentless porn spammer pushed the ratio up to 37%. The good news is that this particular spammer was sending out millions of messages a day, but only using a group of a few hundred URLs in his messages, so they are easy to block. Billions of electrons where shuffled from botnet to spam folders with almost no real impact.
This particular spammer was only uploading a single file to each hacked domain to do his redirection. Others upload multiple files to allow more URLs to be used, and we have seen some domains in which the 404 page not found response has been hacked to redirect to the spammers landing page, so the spammer can send out each spam email with a different URL. So long as they are not part of the original web site, they will redirect if the recipient clicks on them.
So how are these web sites being hacked? The majority that we see are WordPress sites, and a significant minority are Joomla. Mostly theses are sites belonging to individuals and small businesses who may have set up a site a few years ago and make very few updates, to either content or software. However, older versions of both WordPress and Joomla have some well documented vulnerabilities, so if you don’t keep your site up to date you may well be a target.
Even if you do always have the latest software in place, you can still be hacked if you install the wrong theme or plug in. Just recently in the black hat underworld, malicious code was offered for sale that allows the user to add a trojan to installable WordPress modules…
Once the user installs the innocent looking plug in, the hacker can then upload and execute arbitrary code or even use the built in redirect manager.
That was offered for sale for just $100, but sorry, it’s all sold out now.
To prevent the embarrassment of having your web site redirect to a porn site in Russia, keep your web site software up to date, be careful what themes and plug ins you install, and keep an eye on your server log for any traffic to pages you don’t recognize.