Monday, August 22, 2011

Website hijack example: from Brigham Young to Romania and Belarus

Update: I informed Brigham Young of the issue, which was fixed for a time, but now the cfacbeta site redirects again. I also submitted the tobmarket.com and business-download.com domains to hpHosts, but soon after this the attacker changed the storefront address to index-downloads.com. This is standard practice for malicious actors: as soon as a domain gets too hot it is easy to switch to a clean one. That is exactly what the intermediary controller at tobmarket.com is for; the hijacked pages keep pointing at it, and only its onward redirect target needs to change.

As Zscaler pointed out, there was a large campaign of .EDU web hijacking earlier this year. The purpose of the hijacking was to redirect users to fake online stores that purport to sell heavily discounted commercial software, using techniques similar to those used to route people to fake online pharmacies. An excellent paper on the fake pharmacy problem was recently published by researchers at the University of Cambridge.

Let's take a closer look at this, starting with the fake software stores. Here are some of the top 10 results from a Google search for "buy windows 7" in early August 2011. The red arrows indicate two fake stores which have made it into the top 10; the second one, cfacbeta.byu.edu, is a web hijack.


A more refined Google site search shows that many cfac.byu.edu pages are redirected.

 
cfac.byu.edu is the home page of the College of Fine Arts and Communications at Brigham Young University. From the look of the page below they have been working on upgrading their site (cfacbeta appears to be the beta copy of it), and in the process may have inadvertently opened themselves up to attack.

Down the rabbit hole

A web hijack starts with an attacker compromising a web server and altering the site code so that visitors are unknowingly redirected to the attacker's site. Let's look at what happens when a user visits a compromised page.

If the Google result above is clicked, the sequence of six HTTP messages below is exchanged between the client and the servers involved. In HTTP packet 2 the compromised BYU server itself (Apache on Ubuntu with PHP, per its own headers) answers with a 302 to tobmarket.com, a redirector/controller, which, as shown in HTTP packet 4, redirects the user on to business-download.com, the final storefront. If a user visits the cfacbeta.byu.edu page without clicking through from Google they will see the genuine page: the redirect is only triggered when the right Referer header, carrying a matching search term, is present in the HTTP GET request. This is classic cloaking, and it is why the site owner browsing their own pages, or a scanner that sends no Referer, sees nothing wrong. The minimal Referer value that triggers the redirect is:

Referer: http://www.google.com/search?q=windows

Note also the literal $keyword and $se in the Location header of packet 2. They look like template placeholders in the injected redirect code that were never substituted, which makes them a handy string to grep for in the site's PHP files when cleaning up.

HTTP packet 1: Client to Server

GET /departments/tma/fulton-chair-menu HTTP/1.1
Host: cfacbeta.byu.edu
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Referer: http://www.google.com/search?q=buy+windows+7&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Cookie: SESSb3f40867ca15d6a84ab81b0c22a576f9=d4e0d99e5fe575e3ad399de82051dec2; transpass=385f37072a55969b1d8b294e88720b3e8ba49f63; has_js=1
If-Modified-Since: Mon, 15 Aug 2011 16:58:05 GMT

HTTP packet 2: Server to client, redirect to tobmarket.com via 302 Found

HTTP/1.1 302 Found
Date: Mon, 15 Aug 2011 17:14:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.10-2ubuntu6.10
Location: http://tobmarket.com/in.cgi?5&seoref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbuy%2Bwindows%2B7%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26client%3Dfirefox-a&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Fcfacbeta.byu.edu%2Fdepartments%2Ftma%2Ffulton-chair-menu&default_keyword=
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

HTTP packet 3: Client now contacts server tobmarket.com

GET /in.cgi?5&seoref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbuy%2Bwindows%2B7%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26client%3Dfirefox-a&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Fcfacbeta.byu.edu%2Fdepartments%2Ftma%2Ffulton-chair-menu&default_keyword= HTTP/1.1
Host: tobmarket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Referer: http://www.google.com/search?q=buy+windows+7&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Cookie: SL_5_0000=_1_

HTTP packet 4: Server to client, second redirect, this time to business-download.com

HTTP/1.1 302 Found
Date: Mon, 15 Aug 2011 17:12:58 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: SL_5_0000=_1_; domain=tobmarket.com; path=/; expires=Tue, 16-Aug-2011 17:12:58 GMT
Location: http://business-download.com
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=CP-1251

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://business-download.com'">
</head>
<body>
document moved <a href="http://business-download.com">here</a>
</body>
</html>

HTTP packet 5: Client now contacts business-download.com

GET / HTTP/1.1
Host: business-download.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Referer: http://www.google.com/search?q=buy+windows+7&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Cookie: shopsesid=1313422538StMyVnEqtxpIrywMeQTTnAAAAZjdhiIt

HTTP packet 6: Server to client, 200 OK, setting a session cookie.

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 15 Aug 2011 17:14:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: shopsesid=1313422538StMyVnEqtxpIrywMeQTTnAAAAZjdhiIt; path=/
Content-Encoding: gzip
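The referer-conditional redirect above is easy to miss if you only ever browse your own site, so the check a site owner wants is to fetch the same page twice, once plain and once as if arriving from a search engine, and compare where each request ends up. The Python below is an added example, not code from the original post. The HTTP client is injected so the block runs offline against responses transcribed from the capture above (sample_fetch is a constructed stand-in); the trigger rule it uses, a google.com search referer whose q= parameter contains "windows", is an assumption modelled on the minimal trigger described above, not the attacker's actual code. It also decodes the parameters the injected code reports to the tobmarket.com controller.

```python
"""Probe a page for a referer-conditional ("cloaked") redirect and unwind the
redirect chain behind it.

Added example, not code from the original post.  The HTTP client is injected
so the block runs offline against responses transcribed from the capture
above; swap in a real client (e.g. urllib with redirects disabled) to probe a
live host.  The trigger rule in sample_fetch is an assumption modelled on the
post's description of the minimal trigger, not the attacker's actual code.
"""
from urllib.parse import urlsplit, urljoin, parse_qs

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
SEARCH_REFERER = "http://www.google.com/search?q=windows"   # minimal trigger from the post

# Location header from packet 2, as captured, handed to the tobmarket.com controller.
TOBMARKET_LOCATION = (
    "http://tobmarket.com/in.cgi?5"
    "&seoref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbuy%2Bwindows%2B7%26ie%3Dutf-8"
    "&parameter=$keyword&se=$se&ur=1"
    "&HTTP_REFERER=http%3A%2F%2Fcfacbeta.byu.edu%2Fdepartments%2Ftma%2Ffulton-chair-menu"
    "&default_keyword="
)


def looks_like_search_referer(referer, keyword="windows"):
    """Assumed trigger: a Google search referer whose query mentions the keyword."""
    parts = urlsplit(referer)
    if not parts.hostname or not parts.hostname.endswith("google.com"):
        return False
    query = parse_qs(parts.query).get("q", [""])[0]
    return keyword in query.lower()


def sample_fetch(url, headers):
    """Constructed stand-in for an HTTP client: returns (status, headers) per hop,
    reproducing packets 2, 4 and 6 of the capture without touching the network."""
    parts = urlsplit(url)
    if parts.hostname == "cfacbeta.byu.edu":
        if looks_like_search_referer(headers.get("Referer", "")):
            return 302, {"Location": TOBMARKET_LOCATION}
        return 200, {"Content-Type": "text/html"}          # genuine page for everyone else
    if parts.hostname == "tobmarket.com" and parts.path == "/in.cgi":
        return 302, {"Location": "http://business-download.com",
                     "Set-Cookie": "SL_5_0000=_1_; domain=tobmarket.com; path=/"}
    if parts.hostname == "business-download.com":
        return 200, {"Set-Cookie": "shopsesid=constructed; path=/"}
    raise LookupError("no sample response for %s" % url)


def follow_chain(url, headers, fetch, max_hops=10):
    """Follow Location headers by hand, recording every (url, status) hop.  The same
    request headers (Referer included) are sent on every hop, as the browser did."""
    chain, current = [], url
    for _ in range(max_hops):
        status, resp_headers = fetch(current, headers)
        chain.append((current, status))
        if status not in REDIRECT_STATUSES or "Location" not in resp_headers:
            return chain
        current = urljoin(current, resp_headers["Location"])   # Location may be relative
    raise RuntimeError("more than %d redirects from %s" % (max_hops, url))


def detect_cloaking(url, fetch, search_referer=SEARCH_REFERER):
    """Fetch the page once without a Referer and once as if arriving from a search
    engine; ending up on a different host is the cloaking signature."""
    base = {"User-Agent": "Mozilla/5.0"}
    plain = follow_chain(url, base, fetch)
    referred = follow_chain(url, dict(base, Referer=search_referer), fetch)
    final_host = urlsplit(referred[-1][0]).hostname
    return {
        "cloaked": final_host != urlsplit(plain[-1][0]).hostname,
        "plain_chain": plain,
        "referred_chain": referred,
        "final_host": final_host,
    }


def parse_tds_params(location):
    """Decode what the injected code reports to the controller (tobmarket.com/in.cgi):
    campaign id, the search that brought the victim, the hijacked page, and any
    $placeholders the injected template never substituted."""
    params = {k: v[0] for k, v in
              parse_qs(urlsplit(location).query, keep_blank_values=True).items()}
    return {
        "campaign": next((k for k, v in params.items() if v == "" and k.isdigit()), None),
        "seoref": params.get("seoref"),
        "hijacked_page": params.get("HTTP_REFERER"),
        "unfilled_placeholders": sorted(k for k, v in params.items() if v.startswith("$")),
    }


if __name__ == "__main__":
    result = detect_cloaking("http://cfacbeta.byu.edu/departments/tma/fulton-chair-menu", sample_fetch)
    for hop, status in result["referred_chain"]:
        print(status, hop)
    print("cloaked:", result["cloaked"], "->", result["final_host"])
    print(parse_tds_params(TOBMARKET_LOCATION))
```

To run this against a live site, replace sample_fetch with a function that issues the request with automatic redirect handling turned off and returns the status code and response headers; following the redirects yourself is the point, since a client that silently follows them hides the intermediate controller hop.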


Visiting tobmarket.com directly just returns a response with Connection: close, while visiting tobmarket.com/in.cgi triggers the redirect to business-download.com. (Note also that the Date header in packet 4 is over a minute behind the other two servers; the controller is clearly a separately administered box.) The registrar for tobmarket.com is the Ukrainian firm ukrnames.com and the Whois information is masked by a privacy service. As of August 2011 the domain resolves to 95.64.58.238, a machine hosted by Voxility of Romania.


Clicking through business-download.com to the checkout page, we are sent to https://private-pay.net.


As shown above they have used SSL to make the site seem more legitimate: the site has a real certificate issued by the Certificate Authority RapidSSL/GeoTrust Inc in the United States. RapidSSL sells domain-validated certificates, which require nothing more than proof of control over the domain name, so possession of a valid certificate says nothing about who the operator is or whether the business behind it is legitimate; all the padlock tells the buyer is that their card details are encrypted on the way to the fraudster. Below is RapidSSL's home page; they make it very easy to get a certificate!
 
Whois information shows that business-download.com was registered through planetdomain.com with the fake contact details below.

Owner, Administrative Contact, Technical Contact, Billing Contact:
      Isabelle Franchet (ID00467503)
      6 Rue de la Republique
      Avignon, Provence 84000
      FR
      Phone: +33.490864978
      Email: curve@cutemail.org
 
As of August 2011 business-download.com resolves to 213.152.172.90, which also hosts business-download.net, download-sale.net, luxury-customer.net and the supposed pay site private-pay.net. All of these actually serve the same fake software store, so the "separate" payment site is just another name on the same box.

The controller/redirector domain tobmarket.com was registered through ukrnames.com of Ukraine and has anonymised Whois records. The domain is hosted at IP address 95.64.58.238 in Romania. This IP address also hosts the-first-five-pages.com, which redirects users to tobmarket.com. Whois information for the-first-five-pages.com reveals that it too was registered with ukrnames.com, but this time we are given the contact details below.

Registrant:
Vitalij Shorikov mboga12@yahoo.com
Nagornaya,78
Gomel, 246015
BELARUS
+375232724839

Now for some Google searching

Search on cutemail.org

cutemail.com is a webmail service operated by SafetyNet Systems Ltd of the UK, but cutemail.org does not resolve to anything, though the domain is registered with FastDomain.com. A search on cutemail.org reveals that @cutemail.org addresses have been used to register numerous malware and web hijack campaign sites, including recent fake AV, money mule recruitment and fake online drug store operations.

Search on +33.490864978

This reveals it to be the fax number of a hotel in France!

Search on Vitalij Shorikov, mboga12@yahoo.com or +375232724839 (actually normalized to +375.232724839 in the Whois record)

This reveals two other domain names registered using this contact information.

belkonvert.net, IP address 91.226.78.9
This is an HTTrack website copy of belkonvert.com. Belkonvert.com is a legitimate business site for a Minsk, Belarus advertising company. No other hosts were found at this address.

tdsfree.org, IP address 91.217.153.46
This returns an HTTP 403 Forbidden response, but the IP address also hosts the following sites.

dorotydiary.org
com-watch-id181222ooo.info
casinonewsblog.org
bradpittfanclub.org

Both bradpittfanclub.org and dorotydiary.org have recently been flagged as involved in malware distribution and fake AV campaigns, as the results from Malware Domain List below show.
 
And from hpHosts we can see that the whole 91.217.153.0/24 prefix (AS41390, RN-DATA-LV, RN Data SIA) is riddled with malware sites.
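The searches above are an instance of infrastructure pivoting: starting from one domain, follow shared registrant details, shared hosting addresses and observed redirects until the rest of the operator's estate falls out. The Python below is an added example, not from the original post, that does the same walk mechanically. RECORDS and REDIRECTS are a constructed, partial dataset transcribed from the observations above (August 2011); a real investigation would populate them from WHOIS and passive DNS, and the registrar is deliberately not used as a pivot because ukrnames.com and planetdomain.com have plenty of legitimate customers.

```python
"""Infrastructure pivoting: link domains by shared registrant details, shared
hosting IPs and observed redirects, then list everything reachable from a seed.

Added example, not from the original post.  RECORDS and REDIRECTS are a
constructed, partial dataset transcribed from the observations in the post
(August 2011); a real investigation would fill them from WHOIS and passive DNS.
"""
from collections import defaultdict, deque

# Attributes worth pivoting on.  The registrar is deliberately left out: ukrnames.com
# and planetdomain.com serve plenty of legitimate customers, so sharing one proves nothing.
PIVOT_KEYS = ("email", "phone", "ip")

RECORDS = {
    "tobmarket.com":              {"ip": "95.64.58.238", "registrar": "ukrnames.com"},
    "the-first-five-pages.com":   {"ip": "95.64.58.238", "registrar": "ukrnames.com",
                                   "email": "mboga12@yahoo.com", "phone": "+375.232724839"},
    "belkonvert.net":             {"ip": "91.226.78.9",
                                   "email": "mboga12@yahoo.com", "phone": "+375.232724839"},
    "tdsfree.org":                {"ip": "91.217.153.46",
                                   "email": "mboga12@yahoo.com", "phone": "+375.232724839"},
    "dorotydiary.org":            {"ip": "91.217.153.46"},
    "com-watch-id181222ooo.info": {"ip": "91.217.153.46"},
    "casinonewsblog.org":         {"ip": "91.217.153.46"},
    "bradpittfanclub.org":        {"ip": "91.217.153.46"},
    "business-download.com":      {"ip": "213.152.172.90", "registrar": "planetdomain.com",
                                   "email": "curve@cutemail.org", "phone": "+33.490864978"},
    "business-download.net":      {"ip": "213.152.172.90"},
    "download-sale.net":          {"ip": "213.152.172.90"},
    "luxury-customer.net":        {"ip": "213.152.172.90"},
    "private-pay.net":            {"ip": "213.152.172.90"},
}

# Redirects seen in traffic.  These are what tie the controller cluster to the
# storefront cluster, which share no WHOIS detail at all.
REDIRECTS = [
    ("the-first-five-pages.com", "tobmarket.com"),
    ("tobmarket.com", "business-download.com"),
]


def build_graph(records, redirects=(), pivot_keys=PIVOT_KEYS):
    """Undirected graph: domain -> set of (neighbour, reason) edges."""
    graph = defaultdict(set)
    by_value = defaultdict(set)            # (attribute, value) -> domains sharing it
    for domain, attrs in records.items():
        graph[domain]                      # make sure isolated domains still appear
        for key in pivot_keys:
            if key in attrs:
                by_value[(key, attrs[key])].add(domain)
    for (key, value), domains in by_value.items():
        for a in domains:
            for b in domains:
                if a != b:
                    graph[a].add((b, "shared %s %s" % (key, value)))
    for src, dst in redirects:
        graph[src].add((dst, "redirects to"))
        graph[dst].add((src, "redirected from"))
    return dict(graph)


def pivot(graph, seed):
    """Breadth-first walk from the seed.  Returns domain -> (hops, how it was linked),
    so every hit can be justified back to a concrete shared attribute or redirect."""
    reached = {seed: (0, "seed")}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        hops = reached[current][0]
        for neighbour, reason in sorted(graph.get(current, ())):
            if neighbour not in reached:
                reached[neighbour] = (hops + 1, "%s (%s)" % (current, reason))
                queue.append(neighbour)
    return reached


if __name__ == "__main__":
    found = pivot(build_graph(RECORDS, REDIRECTS), "tobmarket.com")
    for domain, (hops, via) in sorted(found.items(), key=lambda item: item[1][0]):
        print("%d  %-28s <- %s" % (hops, domain, via))
```

Run with the redirect edges removed and the two halves of the operation stay disconnected: WHOIS and hosting data alone never link tobmarket.com to the storefront, which is precisely why the traffic capture matters as evidence alongside the registration records.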

So there we have it: clicking on a Brigham Young University page takes a visitor on an unexpected trip to Romania and Belarus! Following the threads further has led us right into a nest of malware domains at 91.217.153.0/24.

Be careful out there on the interwebs.....
