web application security lab

.EDU Hacks And Ambulance Chasing

I struggled a lot with this over the last few weeks as I thought about it more and more. I’ve known for a very long time that the SEO guys were hacking .edu websites to boost their PageRank for chosen keywords. By getting a .edu site (which ranks higher than, say, a .com because the domains are old and heavily linked) to link to a site with the right keywords, Google is tricked into thinking that site is of higher value. Yes, Google’s algorithm really is that simple to get around, which is why there is so much garbage in their index now. It just took a while for the bad guys to build up a large enough mass of hacked sites.

So I started messing around with search strings that would help me identify highly probable hacked sites, and poof - within a few minutes I had dozens upon dozens of high-value compromises:

inurl:.edu viagra
inurl:.edu cialis
inurl:.edu phentermine

There are millions of variants of these keyword phrases and their ilk across far greater masses of domains, but this should give you an idea of what’s possible. Some of them are truly, amazingly bad. So I took it upon myself to start emailing a few that weren’t on this list but were just as bad. You may or may not be surprised that I got almost no responses whatsoever. In fact, the only one I got accused me of spamming and/or ambulance chasing. Ugh! Talk about a way to make a guy want to quit being a good citizen.
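As an added example (not part of the original post), here is the defender-side counterpart to those search strings: a small Python scanner an admin can run over their own pages to flag links carrying the pharma terms above, and whether each link sits inside an element hidden with inline CSS, which is how injected link spam usually stays invisible to visitors while still being visible to crawlers. The term list, the hidden-style patterns and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Terms from the post's search strings (constructed list; extend for your own site).
SPAM_TERMS = ("viagra", "cialis", "phentermine")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}
# Inline-style tricks that keep injected links out of visitors' sight (assumption).
HIDDEN_RE = re.compile(r"display:none|visibility:hidden|(?:left|top):-\d{3,}")

class LinkAuditor(HTMLParser):
    """Flag <a> links whose href or text contain a spam term, noting whether
    the link or any enclosing element is hidden by inline CSS."""
    def __init__(self):
        super().__init__()
        self.hidden_stack = []  # one bool per open non-void element
        self.link = None        # [href, text_chunks] while inside an <a>
        self.findings = []      # dicts with href, text, hidden
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if tag not in VOID_TAGS:
            self.hidden_stack.append(bool(HIDDEN_RE.search(style)))
        if tag == "a":
            self.link = [a.get("href") or "", []]
    def handle_data(self, data):
        if self.link is not None:
            self.link[1].append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.link is not None:
            href, text = self.link[0], " ".join(self.link[1]).strip()
            if any(t in (href + " " + text).lower() for t in SPAM_TERMS):
                self.findings.append({"href": href, "text": text,
                                      "hidden": any(self.hidden_stack)})
            self.link = None
        if tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()

def audit_html(html):
    """Return the spam-looking links found in one HTML document."""
    p = LinkAuditor()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample page: one legitimate link, two hidden injected links, one visible.
SAMPLE = ('<p><a href="/pharmacology.html">Research</a></p>'
          '<div style="display: none"><a href="http://pills.example/v">buy viagra</a>'
          '<a href="http://pills.example/c">cheap cialis</a></div>'
          '<p><a href="http://pills.example/p">phentermine</a></p>')
```

Run `audit_html` over each file under your web root; a hit with `hidden` set to true is the strongest signal that the page was modified by someone other than its owner.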

But this brings up an interesting problem. Who exactly are the Internet cops? Some would argue that StopBadware, which is heavily sponsored by Google, is the equivalent. But it clearly sucks, given that all of these were found within Google’s own index. What is the right way to alert a company that it has been compromised? Is it even worth bothering? Is my own site going to be viewed as a spam site with links like those above? What an ugly problem!

20 Responses to “.EDU Hacks And Ambulance Chasing”

  1. StarliteShadow Says:

    Don’t give up the crusade. But surely, if any website is being operated and maintained, it would have been noticed long before Google indexed it, or at least, if it was that popular on Google, the index would rapidly remove it.

    It’s sort of like having your office broken into and waiting for your next-door neighbour to tell you he saw the trash man there, because you haven’t been in for three weeks.

  2. Dan Philpott Says:

    Good question. Obvious answer is as far as protecting against these types of soft crimes there are no internet cops, only internet vigilantes. It would be hard to frame an argument for any one government enforcing national laws across an international arena.

    The best place would be in an international non-profit that could act as a trusted arbiter of discovered incidents and act in a strict advisory role. They could review submitted incidents and report them to the appropriate authorities/system owners.

    Any of a dozen organizations would be appropriate but might lack the organizational will or mandate to act in this capacity. OWASP, W3C, Open Security Foundation, WAST, Spamhaus and ISOC all spring to mind. But a purpose built project might be the best option as it avoids mission conflicts with current organizational goals.

  3. Jonah Stein Says:

    Sadly, the answer is going to be to create some sort of subset of the internet which is trusted and let others continue to operate outside of that arena. The underlying issue of identity, trust and reputation will need to emerge to validate a trusted internet is basically the next iteration of PageRank, one that relies on the actions & affirmation of known human beings to provide the social voting mechanism that is now provided by PR and other trust signals Google and other search engines are using.

    Google is constantly striving to measure trust…but as the author points out, the algo fails and even when it eventually catches up, what is left is a huge trail of virtual blight; sites spammed, hacked and turned to wastelands in the attempt to manipulate the outcome of search results. The blame belongs both to the spammer and the search engines who made them into inviting targets without doing anything to fund their defense.

  4. Khlss Says:

    Keep up the good work! - Lazy admins don’t like the light!

  5. Skuld Says:

    You say you got almost no response, but did they do anything about the problem? I have reported some shells that I have found on edu domains using google and while I didn’t get any emails back, they did take down the shells.

  6. sancho Says:

    Stopbadware is a non-profit run by Harvard and Oxford. Goog and a few other companies support it though.

  7. rvdh Says:

    Since they are .edu it’s kinda hard to filter them away since a lot of medical research points to .edu, including those keywords which are medical as well as spam. Pretty difficult problem to solve imho. Interesting for sure.

  8. A Smith Says:

    Too late, certain anti-virus solutions already blacklist this site as it is.

  9. Black Says:

    We sure can make out a legit .edu site from a spammy site. Host information can always help.

  10. dusoft Says:

    Google has started to send emails to the owners (domain owners) of the hacked websites to inform them.

    However, you are wrong in the “SEO point” - Google does not give precedence to .edu domains over .com. Basically, .edu domains are so old, have plenty of back links from other websites with plenty of back-links that .edu domains are authority themselves. No need to give precedence and you are just plain wrong saying that Google algo is that simple/stupid.

  11. Tom Nash Says:

    @dusoft is right. Although it is theorised that .edu, .gov, etc sites are treated favourably, it is more likely their SERP performance is due to the authority such domains have acquired over time.

    Saying that, a well-principled argument is that these domains have a level of “trust” attributed to them which makes their external links more valuable. The thinking being that a government website is only likely to link to highly valuable informational sources (not spam) and so the target URLs are afforded these characteristics also.

  12. RSnake Says:

    @Dan Philpott - I see where you’re going with that. It may be a good side project. I’ll have to think about that one.

    @skuld - only the one who contacted me, so far.

    @dusoft @Tom Nash - I stand corrected. Perhaps I was noticing the effect of the domains, rather than the algo itself. Either way, I stand by saying it is at minimum an extremely weak algo, since the bad guys figured out such an easy way around it. If a human can tell it’s spam within a second of looking at the source code, Google’s algo should be able to too, in my opinion. The interesting consequence of Google’s algo, incidentally, is that they essentially caused those .edus to get hacked. There would be no reason to put spammy ads on those sites if it weren’t for the way Google’s algo was written.

  13. Tom Says:

    Were you e-mailing the *owners* of the sites (e.g. professors) or the sysadmins at the school? I’ve emailed sysadmins before when I’ve been targeted for brute-force cracking, and they generally are very happy to lay the smackdown on a student for abusing their network. Likewise, I have a friend in college IT, and she would be perfectly happy to shut down a professor’s webpage until they secure it.

  14. Sam Bowne Says:

    Thanks for this very interesting find!

    When reporting vulnerabilities like this, I have learned that it is useless to contact companies as a stranger. The most effective way to do it is to go through a friend-of-a-friend system, so the report is treated seriously and not dismissed as spam. That system does not scale well, however. Each company must be given a lot of individual attention.

    However, I found some interesting sites with this technique that are directly connected to my own college, and I’ll put my CISSP students to work documenting them and reporting them to the companies involved. I hope to get good results that way.

  15. Isaacson Says:

    Thanks for the heads up on this and for fighting the good fight. Don’t get discouraged!

  16. Gia Says:

    I independently developed, designed, and maintain a site for a local school. I have had security problems similar to this, and in fact, some worse. Even though the school board is aware of the problem, they have refused to allow me to initiate any action, such as having an independent security audit performed or consulting with an outside programmer, to secure the site.

    Given the current threat landscape, their lack of action is irresponsible.

    Does it boil down to politics? Money? Ignorance? I really don’t know.

  17. Robert Chapin Says:

    I think the answer is right under their noses.

    They already have this “search wiki” feature that allows registered users to delete specific URLs from search results. They just need to crank that up so end users can remove entire paths and domains from their screens. After a while, data mine the most frequently deleted sites and paths, correlate them with porn/pharma/gambling keywords, and boom you’ve got yourself a massive anti-spam heuristic.

    Ironically, search results within search results seem to be one of the fastest growing forms of spam. Google needs to clamp down on that too.

  18. Eric Says:

    @Jonah Stein

    The Internet has no cops, and of course the search engines are easily manipulated eventually. This reminds me that Facebook plans to take over the world. At first, this sounds as evil to me as Google taking over the world, but Facebook tends to take security very seriously, you have built-in social enforcement (I have yet to see any real spam pages on Facebook with thousands of fans - would love to see this in action) and they are a private company which can simply kill a spam page if enough reports are filed.

    I have seen lots of wall spam, but at the same time, someone can easily respond and say it’s spam and the page owner can easily delete it.

    I was watching CNBC one day listening to some Facebook exec/high-up talking about how Facebook would be an Internet inside an Internet, where you would never have to leave the safety of the Internet. Not only does that sound like a cash cow, but it makes me wonder if it could create a safer Internet (of course also one where there could potentially be censorship or other not-so-free tactics).

    I am truly surprised with the lack of spam pages on Facebook, and often wonder if the spammers just aren’t going there yet or if Facebook’s security team is just that good. Perhaps Google will implement more social features into its search index. I am sure the lack of any authenticity and identity, as well as the high amount of spam, will kill craigslist pretty soon.

  19. Matt Workman Says:

    You can send instances of website insecurities to http://www.rescuetheweb.org/ and we will contact the website owner directly.

  20. Benjamin Flesch Says:

    That’s quite old, though. It’s quite common to hack .edu pages in the so-called blackhat advertiser scene.