Major university servers being used to facilitate spam, some of it illegal.
Date published: Mon, 8 Feb 2010 23:38:00 PST
What do Purdue University, Cornell U, Iowa State U, Texas Tech U, Kansas State U, (etc) have in common? Hint: it has nothing to do with education or sports. They're all advertising Viagra for sale online and don't know it. Some are also advertising something much worse.
Until recently spammers were content to use automated bot programs to surf the Internet looking for email addresses to spam. There have always been individual spammers cluttering up message boards, listservs, and chat rooms. But now spammers have started paying low-wage off-shore labor to surf the web and post their clutter wherever they can. Because this is very labor intensive (compared to automated bot programs) and the payback per ad viewer is generally very low (below 1% of people viewing Viagra spam ads are dumb enough to order this way), the spammers are going where the labor is very cheap. China, Vietnam, the Philippines, Indonesia and some of the former Eastern Bloc countries are the big players in this game. All they need is a very low-end computer, an Internet connection, and someone willing to work for pennies per hour.
Though college kids would certainly jump at the chance to get paid to surf the Internet, even they won't work cheaply enough to make this worth the spammers' time. So how do the above listed universities fit into this? Spammers have found orphaned applications at these universities that allow them to mask their activities from human eyes and spam-fighting software.
In some cases the application is a long-forgotten message board that no one has used in years (some haven't had a legitimate message posted to them since 1998). The spammer uses this message board to post advertising for Viagra, etc. They then pay the cheap labor to post links to these ads on bulletin boards, usenet forums, user news submission forms, comment forms, etc. The posting may be something as simple as "nice site" or "interesting story" and include a link to the ad. Spammers will also include links to these ads in standard email spam. The fact that the ad is hosted on a major university's server may trick more people into clicking on the link. It can also trick anti-spam programs into allowing the email through to the end user. The cheap labor also creates thousands of ad pages on these university systems so that the spam email messages don't always contain the same link. This is another technique used to help defeat spam filters.
Another orphaned program useful to spammers and phishers is called Persistent Uniform Resource Locator (PURL). PURL allows them to create a redirection URL that looks like it's hosted on the university's server, but in fact when visited the user is redirected to another URL on an entirely different server. So when you see a comment left by some kid in China that includes a link to visit http://purl.lib.majoru.edu/sororityhouse, you're actually redirected to a Viagra ad on a server hosted in Russia. Of course you thought the comment was left by Tiffany at MajorU. The recent versions of PURL can use access control lists (ACLs) so only authorized people and groups can add or modify redirect URLs. Either the systems below are using a very old version or chose not to implement any security, thus allowing anyone to create the redirects on their system. In either case this should be fixed.
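One way an administrator can audit such a resolver is to export its redirect table and flag entries whose target leaves the institution's domain or that were created without any ACL in force. The script below is an added example, not from the article or from any PURL software; the export format, the host purl.lib.majoru.edu and the institutional suffix majoru.edu are assumptions, and the records are constructed.

```python
"""Audit a PURL-style redirect table for entries that resolve off-site.

Assumed export format (constructed, not any real PURL software's):
'<purl path>\t<target URL>\t<creator>'. An empty creator means the
redirect was added anonymously, i.e. with no ACL applied.
"""
from urllib.parse import urlsplit

# Constructed sample export from a hypothetical resolver at purl.lib.majoru.edu
SAMPLE_EXPORT = """\
/library/catalog\thttps://catalog.lib.majoru.edu/\tlibstaff
/sororityhouse\thttp://203.0.113.7/pharma/landing.php\t
/archives/1998\thttp://archive.majoru.edu/1998\tlibstaff
/greek-life\thttp://example.net/go?x=1\tanon
"""

TRUSTED_SUFFIXES = ("majoru.edu",)  # institutional domains (assumption)


def parse_export(text):
    """Yield (path, target, creator) tuples from the tab-separated export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # pad so that a record with a missing trailing field still unpacks
        path, target, creator = (line.split("\t") + ["", ""])[:3]
        yield path, target, creator


def is_trusted_host(url, trusted=TRUSTED_SUFFIXES):
    """True if the URL's host is an institutional host or a subdomain of one.

    Suffix matching is anchored on a dot so that majoru.edu.evil.example
    is not mistaken for an institutional host.
    """
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in trusted)


def audit_redirects(text, trusted=TRUSTED_SUFFIXES):
    """Return (path, target, reasons) for every entry that deserves review."""
    findings = []
    for path, target, creator in parse_export(text):
        reasons = []
        if not is_trusted_host(target, trusted):
            reasons.append("off-site target")
        if not creator:
            reasons.append("anonymous creator (no ACL applied)")
        if reasons:
            findings.append((path, target, reasons))
    return findings
```

Off-site targets are not automatically malicious (libraries legitimately point PURLs at publishers), so the output is a review list, not a block list.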
Orphaned online applications are dangerous. Most were put up by people with good intentions long before the Internet became as hazardous as it is today. None have been patched or updated in years which means some have vulnerabilities that allow them to be easily hacked. Spammers often take complete control of some of these applications allowing them to hide their tracks.
All of the Universities above (and many more) are being used to facilitate spam such as Viagra ads. Some are being used to help phishing scams. A few are being used to host ads for porn (including ads for child porn, though it is unclear whether the links actually take people to child porn or are simply enticements to regular porn or to a phishing scheme. We're certainly not clicking on the links to find out and we have notified authorities).
Below are some of the universities hosting compromised and orphaned applications. Some of the URLs point to the message listings; where this could not be readily located, the link is to one of the actual ad messages. Though all of the below URLs have been tested, caution should still be used since the bad guys may change the content at any time (the link for Appalachian State University has been removed and authorities notified since it professes to be selling child pornography):