Friday, September 07, 2007

Hacked .gov websites

Hi folks,

A couple of days ago, our SearchShield intelligence network noticed a
bunch of .gov sites serving malware via drive-by download exploits and
social engineering. The front pages of the .gov sites do not appear to
have been defaced; instead the sites are hosting extra pages that serve
the malware. We've identified about a dozen poisoned sites so far, though
we expect there are many more related to this hack. The first dozen or so
seem to be city governments, such as LaSalle, IL and French Settlement, LA.

The attacking pages try up to three things, in turn. First they attempt an
exploit to install the malware silently; if that fails, they try to trick
you into installing a fake codec; and if that fails too, they run a fake
anti-spyware scan that claims your machine is already compromised and that
their software can fix it... just click the install button.
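A page-triage helper for the three-stage chain described above, added here as an example; it is not SearchShield's detector and not code from the original post. The indicators it looks for (a hidden iframe or obfuscated document.write script for the exploit stage, "codec" text next to an .exe download for the fake codec, "scanning"/"infected"/"threats found" text next to an .exe for the fake anti-spyware scan) are my own heuristics, and the three sample pages are constructed, not captured from any .gov site.

```python
"""Classify a landing page into the exploit / fake codec / fake antispy
stages described in the post.  Heuristics and sample HTML are constructed
for this example (assumptions, not observed attacker content)."""
import re
from html.parser import HTMLParser

STAGE_ORDER = ("exploit", "fake_codec", "fake_antispy")
EXE_RE = re.compile(r"\.(exe|scr|msi)(\?|$)", re.I)


class _Collector(HTMLParser):
    """Pull out iframes, inline script bodies, link targets and visible text."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self.links, self.text = [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            self._in_script = True
        for key in ("href", "src"):
            if a.get(key):
                self.links.append(a[key])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw CDATA.
        (self.scripts if self._in_script else self.text).append(data)


def _hidden(attrs):
    """Iframe sized 0/1 px or styled invisible: classic drive-by loader."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    w, h = attrs.get("width") or "", attrs.get("height") or ""
    return (w in ("0", "1") or h in ("0", "1") or "display:none" in style
            or "visibility:hidden" in style or "left:-" in style)


def triage(html):
    """Return a list of (stage, evidence) findings for one fetched page."""
    c = _Collector()
    c.feed(html)
    findings = []
    for f in c.iframes:
        if _hidden(f):
            findings.append(("exploit", "hidden iframe -> %s" % f.get("src", "?")))
    for body in c.scripts:
        b = body.lower()
        if ("unescape(" in b or "fromcharcode" in b) and ("document.write" in b or "eval(" in b):
            findings.append(("exploit", "obfuscated inline script"))
    text = " ".join(t.strip() for t in c.text if t.strip()).lower()
    exe_links = [l for l in c.links if EXE_RE.search(l)]
    if "codec" in text and exe_links:
        findings.append(("fake_codec", exe_links[0]))
    if (re.search(r"\b(infected|spyware|threats? found)\b", text)
            and re.search(r"\bscan", text) and exe_links):
        findings.append(("fake_antispy", exe_links[0]))
    return findings


def stages(findings):
    """Distinct stages present, in the order the post describes the chain."""
    seen = {s for s, _ in findings}
    return [s for s in STAGE_ORDER if s in seen]


# Constructed samples (not real attacker pages); example.invalid is a reserved name.
SAMPLE_EXPLOIT = ('<html><body><iframe src="http://example.invalid/in.cgi" width="1" '
                  'height="1" style="visibility:hidden"></iframe>'
                  '<script>document.write(unescape("%3Ciframe%20src%3D%22x%22%3E"))</script>'
                  '</body></html>')
SAMPLE_CODEC = ('<html><body><p>This video requires a new codec. '
                '<a href="http://example.invalid/codec_install.exe">Download and '
                'install the codec to continue</a></p></body></html>')
SAMPLE_ANTISPY = ('<html><body><h1>Scanning your computer...</h1>'
                  '<p>Warning: 37 threats found. Your computer is infected.</p>'
                  '<a href="http://example.invalid/antispy_setup.exe">Click Install '
                  'to remove them</a></body></html>')

if __name__ == "__main__":
    for name, page in (("exploit", SAMPLE_EXPLOIT), ("codec", SAMPLE_CODEC),
                       ("antispy", SAMPLE_ANTISPY)):
        print(name, stages(triage(page)), triage(page))
```

Run it against pages fetched with a throwaway client (never a production browser); a page that trips more than one stage is the fallback chain in a single document, which is worth keeping as a sample.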

We've made a video about it; it's on YouTube here ...

with a hi-res .mov here ...

These particular pages were found via adult/XXX-type search queries, but many innocent searches also return the sites.

We'll add more details in this blog as we go.

Cheers

Roger


1 Comment:

At 4:05 AM, Anonymous said...

I work for the city of LaSalle and found these offensive files on our site after reviewing our statistics page. The files were there for about two days before being removed and would have been immediately removed had our service provider not moved our site to a new server and reset our password. After I removed the offensive files, the hacker then tried to use our web server to set up subdomains that pointed to his/her site which also seemed to be a hacked yahoo.com site. These subdomains have also been removed and an abuse report filed with the hacker's service provider. I have since changed our password and continue to monitor the site and so far no new hacker activity has been detected.

As a municipality, this action is completely offensive and disturbing, and we apologize for any problems this hacker has caused through the use of our site.
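The comment above describes finding the planted files by reviewing the site's statistics. The following log hunt is an added example of doing that systematically; it is not the commenter's tool or anything from the original post. It reads Apache combined-format access logs, reports every path that was served successfully (200) but is not in an allowlist of paths the site is known to publish, and notes which hits arrived from search-engine referrers and what was searched for. The allowlist, the referrer heuristic (a "q", "p" or "query" parameter in the referrer URL) and the log lines are all constructed for this example.

```python
"""Hunt an access log for successfully served paths the site never published,
the signature of planted landing pages.  Log lines, allowlist and the
search-referrer heuristic are constructed assumptions for this example."""
import re
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
SEARCH_PARAMS = ("q", "p", "query")  # assumed: common search-engine query parameters


def search_query(referrer):
    """Return the search terms if the referrer looks like a search-results page."""
    if not referrer or referrer == "-":
        return None
    qs = parse_qs(urlparse(referrer).query)
    for key in SEARCH_PARAMS:
        if qs.get(key):
            return qs[key][0]
    return None


def hunt(log_text, known_paths):
    """Map each unexpected 200 path to hit count, client IPs and search terms."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real tool would count these
        path = m.group("path").split("?", 1)[0]
        if m.group("status") != "200" or path in known_paths:
            continue
        entry = report.setdefault(path, {"hits": 0, "ips": set(), "queries": []})
        entry["hits"] += 1
        entry["ips"].add(m.group("ip"))
        q = search_query(m.group("ref"))
        if q:
            entry["queries"].append(q)
    return report


# Constructed allowlist: what the webmaster knows the site publishes.
KNOWN_PATHS = {"/", "/index.html", "/council.html", "/images/seal.gif"}

# Constructed log lines (documentation IP ranges and .example hosts only).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2007:10:12:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Sep/2007:10:13:44 -0500] "GET /images/video1/index.html HTTP/1.1" 200 2210 "http://search.example/search?q=xxx+video" "Mozilla/4.0"
198.51.100.9 - - [05/Sep/2007:10:15:02 -0500] "GET /images/video1/index.html HTTP/1.1" 200 2210 "http://search.example/search?q=city+council+minutes" "Mozilla/4.0"
198.51.100.9 - - [05/Sep/2007:10:15:09 -0500] "GET /images/video1/codec.exe HTTP/1.1" 200 81920 "-" "Mozilla/4.0"
203.0.113.8 - - [05/Sep/2007:10:16:30 -0500] "GET /admin/config.php HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Sep/2007:10:17:12 -0500] "GET /council.html HTTP/1.1" 200 4400 "http://www.example.gov/index.html" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for path, info in sorted(hunt(SAMPLE_LOG, KNOWN_PATHS).items(),
                             key=lambda kv: -kv[1]["hits"]):
        print(path, info["hits"], sorted(info["ips"]), info["queries"])
```

Anything the report lists is either content you forgot to allowlist or content you did not put there; the search terms column shows how visitors are being steered to it, which is how the innocent queries the post mentions end up on the same poisoned pages.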
