For search engine optimization and increased distribution, pornography and malware distributors commonly hack websites (interestingly, Google’s work in marking sites as “unsafe” in search results may be contributing to this trend, as it is driving malware and porn distributors to rely increasingly on hacking good sites to perform redirections to their own bad sites).
It’s rampant. And it’s most troubling because a lot of these are happening on .edu and .gov sites. Finding these hacked sites is trivial. Simply search for terms like “sex”, “porn”, “free ringtones”, “free”, “casino”, “‘sesso” “gratuito” “porno”, “fottilo”, etc., combined with the operator Site:edu or site:gov (if you’re going to do this, be very careful with these links — they often push malware). Some of the stuff is just comment spam. But plenty is real live redirects.
What we’re also seeing is a lot of DNS hacks. For example, take the City of Plainsville, Kansas (warning: graphic content):
God what a mess. These people are so hosed it’s beyond belief. And those links push malware.
Now, let’s take a closer look. If you we do a simple dns lookup on cityofplainville-ks.gov, we get an IP 72.22.69.138. However, if we do a dns lookup on, for example, 2.z.cityofplainville-ks.gov, we get an IP of 89.28.13.214. This same pattern will show itself on a number of other sites. And they are always the fault of the web hosting provider.
Fair warning.
Alex Eckelberry
(thanks Francesco)