Collaborative survey on compromised websites

Posted on November 23, 2011 - 13:09 by ccondon

If you've been following us this past week, you may have seen a few blips about a survey we're conducting together with Commtouch on compromised websites. It's fairly common knowledge at this point that legitimate websites are frequently compromised by malicious actors and used to host malware. Infosecurity Magazine yesterday talked with Commtouch about a recent scam that used spam email campaigns and social engineering to convince users that their "Delta airlines booking was rejected." The emails used compromised sites as destination URLs to complete the scam and infect end users' computers.

It would be a great Thanksgiving present for us to go even a day without seeing dozens of legitimate sites that have been compromised without their owners' knowledge. Unfortunately, we're not there yet, but one of the best defenses the Web ecosystem has is information—and the sharing of that information. As one of our community forum moderators says, "Silence is a hacker's best friend," and shared knowledge is one weapon we'll brandish readily.

With that, we'll get to the point: if you're a site owner whose site has been compromised, please take a minute or so to answer a few quick questions about what happened, how you found out, and how your site was used. We're not collecting any identifying information (e.g., your name, email, or IP address), just the answers you provide and the date. A few fast answers about your experience can make a difference in the way we and others help defend the Internet ecosystem from badware and its distributors. 

Take the survey here!

A very happy and safe Thanksgiving to all of you in the U.S., and an equally happy and safe non-Thanksgiving to everyone outside the U.S. We're grateful for a lot of things this holiday, and the outstanding participation, collaboration, and feedback we receive from our community is at the top of our list.

A new form of script injection

The good people at Armorize recently discovered and analyzed a new form of script injection, which they have dubbed "Mass Meshing Injection." The unique characteristic of this new attack is that each compromised site loads a malicious script from a different compromised site, thus the "mesh" effect. According to Armorize, many of the compromised sites had not yet been picked up by major blacklists, including Google's, as of the date of the blog post.

According to Armorize, the telltale signs that a site has been compromised are the presence of a <script> tag pointing to somedomain/sidename.js within the website's contents, and two files injected in the site's root folder: sidename.js and wpcomplate.php.

Based on what we've read, it seems that sites that remove the above-mentioned files and tags often find themselves reinfected shortly thereafter, and there may be a backdoor in play.
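To make the indicators above concrete, here is an added example (not code from Armorize or from StopBadware) of a scanner a site owner could run over a copy of their web root. It looks for the two dropped files in the root folder and for any &lt;script&gt; tag whose src ends in /sidename.js, matching only the filename because the host differs per victim. The sample site tree, the placeholder hostname victim-b.example and the function names are all constructed for the example.

```python
"""Scan a web root for the Mass Meshing Injection indicators described above.

Indicators taken from the post: a <script> tag whose src ends in /sidename.js,
and the files sidename.js and wpcomplate.php dropped in the site's root folder.
Everything else here (function names, sample content, hostnames) is an
assumption made for the example.
"""
import re
import tempfile
from pathlib import Path

# Filenames the post says get dropped in the site root.
DROPPED_FILES = ("sidename.js", "wpcomplate.php")

# Any <script ... src="http://anything/sidename.js"> reference. The host varies
# per compromised site (that is the "mesh"), so only the filename is matched.
SCRIPT_TAG_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]*sidename\.js)[^>]*>",
    re.IGNORECASE,
)

# File types worth scanning for an injected tag (assumed list).
CONTENT_EXTS = {".html", ".htm", ".php", ".js", ".tpl"}


def scan_site(root):
    """Return {'dropped_files': [...], 'script_tags': [(relpath, src), ...]}."""
    root = Path(root)
    findings = {"dropped_files": [], "script_tags": []}

    # Indicator 1: the two files sitting in the web root.
    for name in DROPPED_FILES:
        if (root / name).is_file():
            findings["dropped_files"].append(name)

    # Indicator 2: the injected tag anywhere in the site's content.
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in CONTENT_EXTS:
            continue
        if path.name == "sidename.js":
            continue  # the payload itself, already reported above
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for m in SCRIPT_TAG_RE.finditer(text):
            rel = path.relative_to(root).as_posix()
            findings["script_tags"].append((rel, m.group(1)))
    return findings


def build_sample_site(base):
    """Write a small constructed site tree: one clean page, one page carrying
    the injected tag, and the two dropped files. The hostname is a placeholder."""
    base = Path(base)
    (base / "wp-content").mkdir(parents=True, exist_ok=True)
    (base / "index.php").write_text(
        "<html><head><title>Shop</title>\n"
        "<script src=\"/wp-content/app.js\"></script>\n"
        "</head><body>Welcome</body></html>\n"
    )
    (base / "wp-content" / "footer.php").write_text(
        "<div id=\"footer\">(c) example</div>\n"
        "<script type='text/javascript' "
        "src='http://victim-b.example/sidename.js'></script>\n"
    )
    (base / "sidename.js").write_text("/* constructed stand-in for the payload */\n")
    (base / "wpcomplate.php").write_text(
        "<?php /* constructed stand-in for the dropped file */ ?>\n"
    )
    return base


def demo():
    """Build the constructed site in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_site(tmp)


if __name__ == "__main__":
    result = demo()
    for name in result["dropped_files"]:
        print(f"dropped file in web root: {name}")
    for relpath, src in result["script_tags"]:
        print(f"injected tag in {relpath}: {src}")
```

Run it against a copy of the web root, not the live site, and treat a hit as confirmation rather than as the whole picture: as the post notes, sites that remove only these files tend to be reinfected, so the next step is to compare the full file listing against a known-good deployment and look for anything else the attacker left behind.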

We're asking the StopBadware community to help us become a resource for tracking this attack and helping site owners clean their sites of it. If you know more about this attack or new variations of it, please share them with the community. You can do so by posting to or adding a comment here. If you have a lot to say, you may propose a guest blog post by emailing us at contact<at>stopbadware<dot>org. (Note: no guest blog posts containing product or service promotions will be accepted.)