Today my boss couldn’t get to a website. Turns out, our WebBlocker service classified it as a Compromised Website. Great! Our WatchGuard Firebox was doing a good job. However, my boss knew the site, and the people behind it, so he wanted to know what was wrong with it.
A quick check on our Security Portal confirmed the classification, and csi.websense.com provided the reason: Injection.Black_SEO.Web.RTSS.
I’ve seen this before, so I knew what to expect. I created a WebBlocker exception for myself, allowing me to get to the site for a little research. It didn’t take too much time to find what I was looking for:
Viewing the HTML source of the site’s home page, I quickly found additional code that the site owners are probably not aware of. The injected code is designed to “invisibly” plant certain links: typically a block of anchor tags or an iframe that is hidden from human visitors with CSS (positioned far off screen, set to display:none, or sized to zero pixels) but still present in the markup that search engine crawlers index. The goal of this type of attack is to falsely improve the search ranking of the linked sites, since every page the compromised site serves now carries those links too, and a hidden iframe is even fetched silently by each visitor’s browser. This technique is sometimes called blackhat search engine optimization (SEO), or SEO injection.
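To make the pattern concrete, here is a small scanner I have added as an example for this post; it is not code from the original article or from the compromised site. It uses only the Python standard library, and the HTML it scans is a constructed sample (the spam.example URLs and the off-screen div are my assumptions about what such an injection looks like, not a copy of what was found). The heuristic flags any link or iframe that sits inside an element hidden by inline style, the HTML `hidden` attribute, or zero width/height, which is exactly the “visible to crawlers, invisible to visitors” condition that blackhat SEO relies on.

```python
"""Flag hidden links and iframes in HTML source (added example, not the original post's code)."""
import re
from html.parser import HTMLParser

# Inline-style patterns that hide an element from a human visitor while leaving
# its links in the markup for a crawler to index. This is a heuristic: a
# legitimate page can use these styles too, so treat hits as leads, not proof.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:height|width)\s*:\s*0(?:px)?(?![.\d])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _is_hidden(attrs):
    """True if this element's own attributes make it invisible to a visitor."""
    a = dict(attrs)
    if "hidden" in a:                      # boolean attribute: <div hidden>
        return True
    if _HIDDEN_STYLE.search(a.get("style") or ""):
        return True
    # zero-size iframe/img given as plain attributes: width="0" height="0"
    if (a.get("width") or "").strip() in ("0", "0px"):
        return True
    if (a.get("height") or "").strip() in ("0", "0px"):
        return True
    return False


class HiddenLinkFinder(HTMLParser):
    """Walks the document and records links/iframes whose ancestors (or themselves) are hidden."""

    VOID = {"br", "img", "input", "meta", "link", "hr"}   # never pushed on the stack

    def __init__(self):
        super().__init__()
        self.stack = []      # one bool per open element: hidden (directly or inherited)?
        self.findings = []   # (tag, url) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = _is_hidden(attrs) or bool(self.stack and self.stack[-1])
        if tag == "a" and hidden and a.get("href"):
            self.findings.append(("a", a["href"]))
        if tag == "iframe" and hidden and a.get("src"):
            self.findings.append(("iframe", a["src"]))
        if tag not in self.VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in self.VOID and self.stack:
            self.stack.pop()


def find_hidden_links(html):
    """Return [(tag, url), ...] for every link or iframe a visitor would never see."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample page: real content plus an injected off-screen link block
# and a zero-size iframe. The spam.example URLs are made up for this example.
SAMPLE_HTML = """<html><body>
<h1>Welcome to Example Co.</h1>
<p>Our real content. <a href="/about">About us</a></p>
<div style="position:absolute; left:-9999px; top:0">
  <a href="http://spam.example/cheap-pills">cheap pills</a>
  <a href="http://spam.example/casino">online casino</a>
</div>
<iframe src="http://spam.example/landing" width="0" height="0" frameborder="0"></iframe>
<a href="/contact">Contact</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_hidden_links(SAMPLE_HTML):
        print(f"hidden <{tag}> -> {url}")
```

Run it against a saved copy of the page (`curl -s https://site.example/ | python3 scanner.py` with a `sys.stdin.read()` in place of `SAMPLE_HTML`) and anything it reports that the site owner did not put there deserves a close look. It deliberately does not try to render CSS from external stylesheets, so an injection that hides itself through a class defined elsewhere would need the stylesheet checked as well.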
While this is a relatively harmless example of HTML injection from the visitor’s point of view (it isn’t trying to execute code on anyone’s computer), the presence of unwanted code means that someone has unauthorized write access to this site, and hidden links of this kind are also grounds for search engines to penalize the site itself. Until the site owners remove the injected code and close whatever hole let it in, WebBlocker will continue to block it. You could create an exception to allow the site, but I don’t recommend it: the attackers have only used this site for SEO injection today, but with the same access they could tomorrow redirect visitors to a drive-by download, perhaps leveraging an underground toolkit like the Angler Exploit Kit.
Without knowing exactly how the attackers injected this code, I can’t give webmasters specific secure development tips beyond pointing them at OWASP.org for general web application security guidance. I can, however, share one universal tip: don’t treat your website as “build and forget.” At a minimum, control who and what can write to your site’s code (administrator and FTP/SSH credentials, CMS and plugin updates), and regularly monitor it for unexpected file changes so you can identify this sort of malicious injection quickly. A simple way to do the latter is to keep a baseline of hashes for every file in the web root and compare against it on a schedule.
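As an added example of that monitoring advice (my own code, not anything from the original post or from WatchGuard), here is a minimal file-integrity baseline for a web root using only the Python standard library. The directory layout and file contents in `demo()` are constructed for the example; the `wp-content/uploads/.cache.php` name is an assumed stand-in for the kind of dropped file an attacker leaves behind, not a reference to any real finding.

```python
"""Web-root file-integrity baseline (added example, not the original post's code)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _sha256(path):
    """SHA-256 of a file, read in chunks so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline, path):
    """Persist the baseline as JSON. Keep this file OFF the web server: an attacker
    who can edit index.html can edit a baseline stored beside it just as easily."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare_to_baseline(baseline, root):
    """Report files that appeared, disappeared, or changed since the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate an SEO injection plus a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "htdocs"
        (web / "wp-content" / "uploads").mkdir(parents=True)
        (web / "index.html").write_text("<html><body><h1>Example Co.</h1></body></html>\n")
        (web / "style.css").write_text("body { font-family: sans-serif; }\n")

        baseline_file = Path(tmp) / "baseline.json"     # stored outside htdocs
        save_baseline(build_baseline(web), baseline_file)

        # Simulated compromise: hidden links appended to the home page and a
        # PHP file dropped into the uploads directory (assumed names, for illustration).
        with open(web / "index.html", "a") as f:
            f.write('<div style="display:none"><a href="http://spam.example/">x</a></div>\n')
        (web / "wp-content" / "uploads" / ".cache.php").write_text("<?php /* constructed */ ?>\n")

        return compare_to_baseline(load_baseline(baseline_file), web)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `build_baseline` once after each legitimate deploy, store the JSON somewhere the web server account cannot write (or at least sign it), and cron `compare_to_baseline` to alert on any non-empty `added` or `modified` list. A legitimate CMS update will of course show up too, which is fine: the point is that every change to the site’s code is one you can account for.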
— Rob Collins