Search engine optimization and no fraud
Websites of government departments and universities in the United States, as well as some universities and private companies in Europe, have been used by hackers for several years to advertise their services and phishing sites. They placed PDF files containing the links they needed on these sites, either by exploiting vulnerabilities they found or by using legitimate document-upload forms. How long this went on is unknown. Experts agree that the large-scale spam campaign could well have been run by a single hacker.
The state and universities work for hackers
Fraudsters have for a long time used government websites to openly advertise their “services”, including hacking services. According to TechCrunch, they worked on a grand scale, using government sites in several US states as a free advertising platform, as well as posting ads on the web portals of US universities and federal agencies, and this may have gone on for years. Links to these files were then displayed in search engine results.
The advertisements were contained in PDF files uploaded to official websites in the .gov domain zone. Among the victims are state agencies of California, North Carolina, New Hampshire, Ohio, Washington and Wyoming, and the counties of St. Louis in Minnesota, Franklin in Ohio and Sussex in Delaware. The attackers also hit the official websites of departments in the city of Jones Creek (Georgia) and the portal of the federal Administration for Community Living.
Educational institutions have also been targeted by the hackers. Spam “infected” the websites of UC Berkeley, Stanford, Yale University, UC San Diego, University of Virginia, UC San Francisco, University of Colorado Denver, Metropolitan College, University of Washington, University of Pennsylvania, Texas Southwest University, Jackson State University, Hillsdale College, United Nations University, Lehigh University, Spokane Community Colleges, Empire State University, Smithsonian Institution, and Oregon State University.
International expansion of hackers
The attackers who placed their advertisements on state websites and portals of educational institutions decided not to limit themselves to the United States alone.
For example, traces of their presence were found on the website of the University of Buckingham in the UK, so their area of operation covers at least North America and Europe. This is also indicated by their quiet presence on the website of the Spanish office of the Red Cross and on that of an unnamed travel company in Ireland.
Still, the main emphasis is on the United States, and it is not yet clear what exactly this may be connected with. According to TechCrunch, the hackers’ ads even appeared on the website of the American defense contractor and aerospace manufacturer Rockwell Collins, a subsidiary of the military-industrial giant Raytheon.
What’s hiding inside
The hackers’ PDF files, which somehow ended up on the websites of the listed organizations, do not pose a danger in themselves, unlike their content. They contain links to various sites where users are offered hacking tools for popular web services, including the Snapchat messenger and the social networks of American billionaire Mark Zuckerberg that are banned in Russia.
But not everyone is interested in hacking other people’s profiles, so to widen the pool of potential customers, the hackers also advertise other services. Among them are cheats for video games and services for inflating follower counts on social networks.
This original way of advertising hacking services became known only at the beginning of June 2023, but it seems that the scheme has been used for years. There is no conclusive evidence of this yet, but there is indirect evidence: some of the documents found carry creation and modification dates that, according to TechCrunch, may indicate these files have been on the servers for many years.
Technical implementation
Several hacker victims told TechCrunch that these incidents are not necessarily signs of a hack, but rather the result of scammers exploiting a vulnerability in online forms or content management system (CMS) software that allowed them to upload PDFs to their sites. Representatives of the three victims – the city of Jones Creek in Georgia, the University of Washington and Spokane Community Colleges – said that the problem was related to a content management system called Kentico CMS.
Experts have not yet figured out the entire list of methods used by hackers to upload their files to sites. But representatives from the California Department of Fish and Wildlife and the University of Buckingham in the UK described methods that appear to be the same without mentioning Kentico.
The department has several pages on its website where citizens can report incidents of poaching and injured animals, among other things. Deputy Director of Public Relations Jordan Traverso said the page for reporting sick or dead bats was misconfigured, but the site “wasn’t actually compromised”, and the issue was resolved by the department removing the documents.
Massive spam campaign
Documents advertising hackers’ services were found by John Scott-Railton, senior researcher at Citizen Lab. It is not clear if the sites he found are the complete list of resources affected by this massive spam campaign – it is possible that there may be more.
Who is responsible for such a large-scale hack is still unknown. But given how many websites have shown either the same or very similar ads against their owners’ wishes, one hacker group or one person could be behind all of them.
While this campaign seems like a complex, large-scale, and at the same time seemingly harmless SEO game to promote fraudulent services, according to Scott-Railton, the attackers could have exploited the same flaws to do much more damage.
All because of money
TechCrunch reviewed some of the websites advertised in the PDFs at its own risk. It turned out that this is only part of a very complicated fraudulent scheme for making money from clicks. The cybercriminals appear to use open-source pop-up tools that purport to check that the visitor is human while actually generating revenue in the background. A review of the websites’ source code suggests that the advertised hacking services are likely fake, even though at least one of the sites displays profile pictures and the names of alleged victims.
A proven scheme that does not fail
Hackers can get far more than small government agencies and university portals, albeit world-famous ones, to advertise their phishing sites for free. They are able to “recruit” the web resources of much larger organizations, for example, the European Union.
The fact that the EU site serves as an advertising platform for cybercriminals became known at the end of 2022. As CNews reported, it was involved in exactly the same scheme: unknown people took advantage of the legitimate option of uploading documents to the site and placed many keyword-stuffed files on it. The count ran into thousands of documents, and the added success was that, as a result, links to these files were displayed in the first lines of search results for a long time.
In fact, the hackers did not break into the EU site – they only took advantage of the function that it provided to all visitors without exception. This means that there was no violation of the law in this case.
Mysterious hackers advertise themselves for free and legally on the official website of the European Union
Hackers have started using the official website of the European Union (europa.eu) to advertise their fraudulent websites. They legally uploaded thousands of documents to it with keywords, for example, about watching new movies online, and links to dangerous sites, and now they are given out in the first lines of search results. In fact, the EU site advertises fraudulent sites for free, and, moreover, all this is within the law, so there was no hacking.
Daring but successful trick of hackers
Cybercriminals have dragged the European Union into their machinations, writes the portal TorrentFreak. The official web resources of the EU (europa.eu) are actively advertising hacker sites, and this happens on a completely legal basis, because no one has hacked the sites.
Search engines also play their part. As is well known, they remove links to hacker and pirate sites from their results, but they certainly will not remove links leading to the official resources of the European Union.
As a result, links to potentially dangerous sites appear in the top lines of search results.
A better result is hard to imagine, because many companies make enormous efforts just to get their site into one of the first ten results for a desired search query.
Everything ingenious is simple
In fact, the hackers simply found a loophole that allows them to legally turn EU sites into their advertising platform. They bulk upload keyword-heavy PDF documents to them using file submission and feedback forms.
In other words, there is nothing to blame scammers at this stage. They did not hack into anything, did not penetrate the EU computer network, but only took advantage of the site, access to which is provided to all users without exception.
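A defender-side check for the mechanism described here and in the Technical implementation section above: a Python script (an added example, not code from the article or from any organization it names) that scans uploaded PDFs for link annotations pointing off the site’s own domains, so keyword-bait documents dropped through a public upload form can be spotted in review. All domain names and sample files are constructed.

```python
import re
from urllib.parse import urlparse

# A PDF link annotation stores its target as a literal string after /URI,
# visible in uncompressed objects as e.g. "/URI (https://example.test/x)".
# The regex honours backslash-escaped parentheses.  Links held inside
# compressed object streams are not visible this way and need a real PDF
# parser (assumption: uploads are scanned here as raw bytes).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_uris(pdf_bytes):
    """Return every /URI target visible in the raw bytes of a PDF."""
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        raw = match.group(1)  # undo PDF literal-string escapes used in URLs
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris

def is_external(url, allowed_domains):
    """True unless the URL's host is an allowed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in allowed_domains)

def audit_uploads(pdfs, allowed_domains):
    """Flag each PDF (name -> raw bytes) whose links leave the site's own domains.
    The "hosts" tally exposes one advertised domain recurring across many
    uploads, the signature of a campaign rather than a stray external link."""
    report = {"files": {}, "hosts": {}}
    for name, data in pdfs.items():
        external = [u for u in extract_uris(data) if is_external(u, allowed_domains)]
        report["files"][name] = {"external": external, "flag": bool(external)}
        for u in external:
            host = (urlparse(u).hostname or "").lower()
            report["hosts"][host] = report["hosts"].get(host, 0) + 1
    return report

# Constructed sample uploads (not real files): a legitimate reporting form
# and a keyword-bait PDF linking to an advertised third-party domain.
SAMPLE_PDFS = {
    "bat-report-form.pdf": (
        b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (https://wildlife.example.gov/report) >> >>\nendobj\n"
    ),
    "free-followers-hack.pdf": (
        b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (https://cheap-followers.example.net/go?id=1) >> >>\nendobj\n"
    ),
}
```

Run `audit_uploads` over the upload directory’s files with the organization’s own domains in `allowed_domains`; flagged files deserve review rather than automatic deletion, since legitimate documents also link out.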
Certain subsections of the EU website are the favorite of scammers. Most often, they upload documents through subsections dedicated to some EU-related organizations. Among them are the European Union Observatory for Nanomaterials (EUON) and the European Chemicals Society (ECHA).
It is not known exactly how many files the hackers managed to upload to EU sites as of December 8, 2022. TorrentFreak specialists found thousands of PDF documents leading to very dubious sites. And no one excludes that in the future there will be even more of them, even after publicity.
What does the European Union “advertise”
The documents the hackers have stuffed onto EU sites contain invitations to visit sites offering free copies of the latest world cinema releases. In particular, they offer the film “Black Adam” and the second part of the film “Enola Holmes”, both recently released worldwide (but not in Russia).
A link to the EU site with hacker documents will be given to those who wish to watch the film online.
The advertising documents promise that watching the movies costs nothing, that nobody will ask the would-be viewer who wants to save on a cinema ticket for bank card details, and that no one will force them to register.
Of course, there aren’t any films on the links that scammers palm off on gullible users. They lead to extremely dubious third-party sites that many modern antivirus systems flag as malicious. However, not everyone uses antiviruses, plus the fact that the document is uploaded to the server of the European Union can reliably lull the vigilance of even the most sophisticated user.
Goldmine
The editors of CNews found on some hacker sites information about the possibility of uploading documents with any desired content to the servers of the European Union, which subsequently appear in the top lines of search results. Apparently, the administrators of these servers are already aware of the problem, since, according to TorrentFreak, one of the loopholes discovered by the cybercriminals has already been closed. They had uploaded documents to the EU’s Joinup website by creating new accounts, but this is currently not possible. This may be a temporary measure prompted by the recent influx of scammers. In addition, some of the uploaded PDF documents have already been removed from the servers.
However, nothing prevents hackers from doing the same trick with the sites of other states and government agencies. So, by setting a precedent, those who came up with the idea of using the EU site for their fraudulent purposes probably set an example for other cybercriminals.