
New PHP Site Attacks are Bypassing Search Bots

This morning, Fraser Howard and the security researchers at Sophos Labs are reporting this discovery: the recent wave of Web site defacement attacks, including one against the outreach site for the National Cyber Security Alliance, appears to have a common source. Something is injecting malicious <IFRAME> elements into the front pages of everyday Web servers.

What makes this particular malicious injection different from thousands of others, Howard learned, is that the injected PHP code quite cleverly checks the URL and user-agent string of the requesting client to determine whether the client is reaching the page through a search engine link, such as one from Google.

The reason is that Google and others actively monitor the destinations of their own links for activity such as Web site redirection. When the injected code sees that a search engine generated the link, it aborts the redirection process. That keeps the search engine's visitor from seeing the defaced page, and it also prevents the search engine from detecting that any defacement is going on.
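A site owner can test for this kind of referrer-sensitive injection from the outside by fetching the same page twice, once with a search-engine referrer and once as a direct visit, and comparing the active content each response carries. The following is an added example, not code from the article or from Sophos; the header profiles, the `injected.example` host and the sample HTML are constructed.

```python
import hashlib
import urllib.request
from html.parser import HTMLParser

# Constructed request profiles: a visitor arriving from a Google result, and a direct visit.
PROFILES = {
    "via_search": {"User-Agent": "Mozilla/5.0 (constructed)",
                   "Referer": "https://www.google.com/search?q=example"},
    "direct": {"User-Agent": "Mozilla/5.0 (constructed)"},
}

def fetch(url, profile):
    req = urllib.request.Request(url, headers=PROFILES[profile])
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

class _ActiveContent(HTMLParser):
    """Collects <iframe>/<script> elements: external ones by src, inline scripts by body hash."""
    def __init__(self):
        super().__init__()
        self.items, self._inline = set(), None
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("iframe", "script") and src is not None:
            self.items.add((tag, src))
        elif tag == "script":
            self._inline = []            # buffer an inline script body
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            digest = hashlib.sha256("".join(self._inline).encode()).hexdigest()[:12]
            self.items.add(("script", "inline:" + digest))
            self._inline = None

def active_content(html):
    parser = _ActiveContent()
    parser.feed(html)
    return parser.items

def cloaking_diff(via_search_html, direct_html):
    """Active elements served to a direct visitor but missing when the referrer is a search engine."""
    return sorted(active_content(direct_html) - active_content(via_search_html))

# Constructed sample: the clean page, and the same page as a direct visitor would receive it.
SAMPLE_CLEAN = ('<html><body><h1>Welcome</h1><script src="/js/site.js"></script>'
                '<script>var page = "home";</script></body></html>')
SAMPLE_DIRECT = SAMPLE_CLEAN.replace(
    "</body>", '<iframe src="http://injected.example/x" width="1" height="1"></iframe></body>')
```

In practice the two inputs to `cloaking_diff` come from `fetch(url, "via_search")` and `fetch(url, "direct")`; an empty result means both visitors received the same iframes and scripts.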

NCSA, one of the targets of the attack, runs StaySafeOnline.org, whose explicit purpose is to educate users on principles for maintaining online safety. The Alliance had already declared October “National Cyber Security Awareness Month.” Still, Howard believes NCSA may not have been a direct target, but rather just another random victim in a recent spike.

“The incident raises some interesting questions,” Howard writes. “Most notably the malicious content being injected into the Web pages was changing over time (sometimes a straight iframe, sometimes JavaScript). This is not what you necessarily expect for hacked sites; ordinarily, pages are injected with a fixed string (for example an iframe redirect or a script).” Instead, the injected content may take one of many forms, sometimes triggering a variety of detections from anti-virus.

What malicious users are apparently learning is that it’s counter-productive for them to concoct massive, uniform hacks that eventually get elevated to high-alert status by Sophos and others. Rather, it’s better to stay on the down-low. Defacement attacks that are only marginally effective at the outset may stay effective for longer periods of time. The actual damaging effect may then be accomplished cumulatively, by bunching the marginal attacks together and ensuring the injected content never triggers the same alerts too often.

Client-side anti-virus that matches on a fixed signature won’t detect the <IFRAME> injection until the page has already been served with it. So it’s more important now than ever that client-side anti-malware measures monitor the behavior of Web transactions, such as unexpected redirects and hidden frames, rather than just their effects.
