CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 19th, 2008

Compromised Museum Website Infecting Image Search Referred Visitors

Websense Security Labs research has uncovered a case where a museum’s compromised Web server serves malicious code depending on the referrer of the request. A referrer could be, for example, a search engine such as images.google.com. The malicious content is served only when the referrer for the request is one of certain high-profile image search sites. The decision on what content to send is made on the server, so this attack is browser-independent. Regardless of which browser is used, if the referrer information on the request is one of the affected image search engines, the malicious content is delivered.

When searching with one of these high-profile sites for images that reside on another site, attempting to view one of the images would provide malicious content rather than the intended page content. If, however, another search engine was used to look for the same image, the proper content was delivered. For example, if a browser attempted to load a page with the desired image through images.google.com, malicious content was delivered. However, if a normal Google search (www.google.com) was used for the same image with the same URL, the result was the proper page, without the malicious redirect.

So far, the referrers the attacker targets are among the most high-profile image search sites on the web: images.google.com, images.search.yahoo.com, www.altavista.com/image/default, search.live.com/images.

The attackers do not appear to be matching on any referrer that contains the word ‘image’, because other image search sites that contain that word do not produce the same results. It appears that the attacker is targeting certain image search engines, and hiding their activity when the request comes from anywhere else.

It seems the museum’s page has also been compromised with a search engine poisoning attack. Beyond the normal reasons for such a compromise, this may have been done to increase the site’s search ranking, making it more likely for its images to come up in a search. As a result, more systems are likely to be infected by the malicious content.
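A site owner can test for the referrer-dependent behaviour described above by requesting the same URL with different Referer headers and comparing the responses. The following is an added example, not code from Websense or from this article; the function names, the `museum.example` URL and the two stub servers are assumptions constructed for illustration.

```python
import hashlib
import urllib.request
from urllib.parse import urlsplit

# Referrers the article lists as triggering the malicious content.
IMAGE_SEARCH_REFERRERS = [
    "http://images.google.com/",
    "http://images.search.yahoo.com/",
    "http://www.altavista.com/image/default",
    "http://search.live.com/images",
]
# Controls: no referrer, and the normal Google search the article says got the proper page.
CONTROL_REFERRERS = [None, "http://www.google.com/"]

def http_fetch(url, referrer, timeout=10):
    """Fetch url with an optional Referer header and return the body bytes."""
    req = urllib.request.Request(url)
    if referrer:
        req.add_header("Referer", referrer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def _digest(body):
    return hashlib.sha256(body).hexdigest()

def find_referrer_cloaking(url, fetch=http_fetch):
    """Return the image-search referrers whose response differs from the controls."""
    baseline = {_digest(fetch(url, r)) for r in CONTROL_REFERRERS}
    if len(baseline) != 1:
        # Page varies even between controls (ads, timestamps): hashes prove nothing.
        raise ValueError("control responses differ; diff the bodies manually")
    return [r for r in IMAGE_SEARCH_REFERRERS if _digest(fetch(url, r)) not in baseline]

# Constructed stand-ins for a server (no network), used to exercise the check.
_TARGETED_HOSTS = {urlsplit(r).netloc for r in IMAGE_SEARCH_REFERRERS}

def constructed_cloaking_fetch(url, referrer):
    """Models the behaviour in the article: different body for targeted referrers."""
    if referrer and urlsplit(referrer).netloc in _TARGETED_HOSTS:
        return b"<html><!-- constructed: altered page --></html>"
    return b"<html><img src='exhibit.jpg'></html>"

def constructed_clean_fetch(url, referrer):
    """Models a healthy server: same body whatever the referrer."""
    return b"<html><img src='exhibit.jpg'></html>"
```

Against a real site, call `find_referrer_cloaking(url)` with the default `http_fetch`; any referrer it returns is one for which the server sent a different page than it sent to the controls.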
