CyberInsecure.com

Daily cyber threats and internet security news alerts
April 19th, 2008

Compromised Museum Website Infecting Image Search Referred Visitors

Websense Security Labs research has uncovered a case where a museum’s compromised Web server is serving malicious code based on the referrer of the request. A referrer could be, for example, a search engine such as images.google.com. The malicious content is served only when the referrer for the request is one of certain high-profile image search sites. The decision on what content to send is made on the server, so this attack is browser-independent. Regardless of which browser is used, if the referrer information on the request is one of the affected image search engines, the malicious content is delivered.

When searching with one of these high-profile sites for images that reside on another site, attempting to view one of the images would provide malicious content rather than the intended page content. If, however, another search engine was used to look for the same image, the proper content was delivered. For example, if a browser attempted to load a page with the desired image through images.google.com, malicious content was delivered. However, if a normal Google search (www.google.com) was used for the same image with the same URL, the result was the proper page, without the malicious redirect.

So far, the referrers targeted by the attacker are among the most high-profile image searches on the web: images.google.com, images.search.yahoo.com, www.altavista.com/image/default, search.live.com/images.

The attackers do not appear to be matching on any referrer that contains the word ‘image’, because other image search sites that contain that word do not produce the same results. It appears that the attacker is targeting certain image search engines, and obfuscating their activity in cases when the request is coming from anywhere else.

It seems the museum’s page has also been compromised with a search engine poisoning attack. Beyond the normal reasons for such a compromise, this may have been done to increase the site’s search ranking, making it more likely for its images to come up in a search. As a result, more systems are likely to be infected by the malicious content.
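Because the content decision is made on the server from the referrer, a site owner can check for this behaviour by requesting the same URL with different Referer headers and comparing the responses. The following is an added example, not code from Websense or the original article; the http:// scheme on the referrers, the museum.example URL and the simulated_server function are constructed for illustration.

```python
import hashlib
import urllib.request

# Referrers the article names as triggering the malicious response.
# The http:// scheme is an assumption; the article gives hostnames and paths only.
IMAGE_SEARCH_REFERRERS = [
    "http://images.google.com/",
    "http://images.search.yahoo.com/",
    "http://www.altavista.com/image/default",
    "http://search.live.com/images",
]
# Controls: ordinary web search (reported to receive the proper page) and no referrer.
CONTROL_REFERRERS = ["http://www.google.com/", ""]


def http_fetch(url, referrer):
    """Fetch url, sending the given Referer header (omitted when empty)."""
    req = urllib.request.Request(url)
    if referrer:
        req.add_header("Referer", referrer)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def find_referrer_cloaking(url, fetch, suspects=IMAGE_SEARCH_REFERRERS,
                           controls=CONTROL_REFERRERS):
    """Return the suspect referrers whose response body differs from the controls."""
    baseline = {hashlib.sha256(fetch(url, r)).hexdigest() for r in controls}
    if len(baseline) != 1:
        # The page varies even between control requests; a hash diff proves nothing.
        raise ValueError("control responses differ; body hashes are not comparable")
    expected = baseline.pop()
    return [r for r in suspects
            if hashlib.sha256(fetch(url, r)).hexdigest() != expected]


def simulated_server(url, referrer):
    """Constructed stand-in for the compromised server's decision logic."""
    if any(referrer.startswith(r) for r in IMAGE_SEARCH_REFERRERS):
        return b"<html>DIFFERENT CONTENT (placeholder)</html>"
    return b"<html>museum page</html>"


if __name__ == "__main__":
    page = "http://museum.example/gallery/item.html"  # constructed URL
    print(find_referrer_cloaking(page, simulated_server))
```

To check a site you operate, pass http_fetch instead of simulated_server. Pages with per-request dynamic content raise ValueError and need a structural comparison rather than a body hash.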
