Just in time for the Black Hat convention, the New York Times is reporting the discovery by Hold Security that a team of Russian Hackers have collected a total of 1.2 billion user names and passwords from 420,000 different websites, along with 542 million email addresses. Although this dwarfs the Target breach in sheer volume, the data is not as damaging. The gang that collected this information seems to be focused on spamming rather than financial fraud, and it is not clear if any of the passwords are to financial services, or if all of them are for social networks or the like. According to the NYT, “…they appear to be using the stolen information to send spam on social networks like Twitter.”
This should not come as much of a surprise to regular readers of this blog. I’ve been writing for more than two years that compromised web servers are soft targets for cyber criminals. We have seen the process of hacking websites go from a handcraft to a cottage industry, and now to full scale mass production. This particular attack used a botnet of personal computers that had been infected with malware. The malware monitored the users’ web browsing activity, and every web site they visited was tested for tested for SQL injection vulnerabilities. In case you’re not familiar with SQL injection attacks, here’s how they work.
This is only one of the ways that we see websites attacked. We see spammers getting in through brute force password attacks, vulnerabilities in content management systems, and by deliberately inserting malicious code into themes and plugins. Cloudmark detects hundreds, and often thousands of newly compromised domains every day. Compromised websites are not just used by spammers, they can launch DDoS attacks, distribute malware or facilitate click fraud. We’ve just published a blog post showing how one gang, possibly the same one, is using compromised domains to bypass security on Twitter’s t.co URL shortener. This is getting to be a serious problem, but one that is very hard to deal with.
Of those 420,000 websites, maybe a few of them are Fortune 500 companies but the vast majority of them are small businesses, churches, non-profits, hobby web sites, or personal blogs. They don’t have a security department, they don’t have a full time webmaster, most don’t even have a webmaster at all. Someone set them up once, and they have been serving pages ever since quite happily, but nobody involved with them has any idea how to prevent a security breach, or deal with one even if they are notified.
I tried a experiment to see if notifying the owners of compromised domains would help. I contacted a company the specializes in detecting and remediating compromised websites, and offered them a list of 500 compromised domains, on the understanding that they would reach out to the owners of the web sites, let them know they had a problem, and offer their remediation service, which is quite reasonably priced. I also had a control group of 500 other domains compromised at the same time where the owners were not notified. There was no statistically measurable difference in the remediation rates for the two groups.
I’ve also been working with hosting providers that have large numbers of compromised domains in their IP address space. A couple of them have shown some statistically measurable improvement. However, many of them don’t have a consistent way to deal with the data. It is a fairly time consuming process to remediate a compromised website, since there are so many attack vectors to check for and block, and so many ways the attackers could have left a back door to get back in. Most hosting companies are operating on very narrow margins, and just don’t have the resources to do this for hundreds or even thousands of compromised websites.
It would be great if the publicity around this report generates more interest in finding a more effective solution to the problem of compromised domains.