
Introduction to Website Parasites

14 Apr 10 – Filed in General, Unmask Parasites

Wikipedia defines Parasitism as a “type of symbiotic relationship between organisms of different species in which one, the parasite, benefits from a prolonged, close association with the other, the host, which is harmed.”

This definition perfectly describes the relationship between hackers and legitimate websites. As often happens in real life, the host (a legitimate website and its owner) may be completely unaware of parasites until the harmful effect becomes obvious (e.g. drops in traffic, lost search engine rankings, the site getting blacklisted, etc.). And it doesn’t matter how big or small your site is or how malicious the hack is – this is the sort of relationship where parasites (hackers) always win and legitimate websites always lose.

As a webmaster, you can be more effective at detecting and mitigating parasitic activities if you know how hackers can benefit from your site.

Types of website parasitism

  1. Parasitism on existing site traffic
  2. Parasitism on search traffic
  3. Parasitism on sites’ search engine ranking (Black-hat SEO)
  4. Parasitism on server resources

1. Parasitism on existing site traffic.

How do hackers benefit from a prolonged, close association with compromised websites?

If hackers incorporate malicious content into legitimate websites, they can expose all visitors to those sites to their attacks. This is very cost-effective, since the infection process is fully automated (infected computers, i.e. zombies, do all the dirty work) and they get all the traffic of compromised websites for free (while it is not free for the site owners, who pay for hosting, create content, pay for ads, etc.). Since the cost of infecting a website is very low, hackers target every website regardless of its size and content. This way they have infected thousands of websites and millions of web pages.

Examples:

How are compromised websites harmed?

  • sites get blacklisted
  • lose traffic (blocked by security tools or redirected by malware)
  • lose reputation when visitors see AV and Safe-Browsing warnings.
  • as a result, they lose sales and revenues from ads.

2. Parasitism on search traffic.

How do hackers benefit from a prolonged, close association with compromised websites?

Sometimes hackers target only site visitors who come from search engines. This makes hack detection more difficult for site owners, who rarely need a search engine to open their own websites. In this case, hackers are the only ones who benefit from site owners’ efforts to improve search engine rankings.

Examples:

  • .htaccess redirects – On Apache-powered sites, hackers inject conditional rewrite rules to redirect traffic from major search engines to malicious sites (usually to scareware sites).
    Posts about attacks that use malicious .htaccess redirects.
  • PHP redirects – injected PHP code can redirect searchers to third-party pay-per-click search engines that share revenue with hackers (example).

How are compromised websites harmed?

  • regardless of search engine rankings, compromised websites don’t receive any visitors from search engines (they are immediately redirected to third-party websites)
  • eventually, sites get blacklisted
  • lose natural traffic (blocked by security tools)
  • lose reputation when visitors see AV and Safe-Browsing warnings in search results.
  • as a result, they lose sales and revenues from ads.

3. Parasitism on sites’ search engine ranking (Black-hat SEO)

How do hackers benefit from a prolonged, close association with compromised websites?

The more descriptive links from reputable sites point to a web page, the higher its ranking for relevant keywords. This principle is abused by hackers who inject spammy links into legitimate websites to promote their shady web resources (online stores selling counterfeit and pirated goods, porn sites, scam sites). In this case, hackers benefit from the existing search engine ranking (PR) and authority of the compromised sites, which those sites now share with the spammy sites.

Examples:

  • Hidden links – the simplest attack: it injects malicious links into legitimate web pages and uses HTML tricks to make them invisible to human visitors.
    Posts about attacks that inject hidden links
  • Cloaking – more elaborate attacks that serve different versions of web pages to normal visitors (legitimate web pages) and to search engine spiders (either modified web pages with injected spammy links or completely different spammy pages). A lot of reputable sites have been affected by this sort of parasite:
    “Cheap Vista” or Cloaked Spam on High-Profile Sites
    Anti-Pirates Unknowingly Promote Pirates
  • Rogue 301 redirects – When Google sees redirects with the 301 status code, it thinks that a website has permanently moved to another location. So it updates the site listing with the new location. Moreover, the new site automatically gains ranking of the original site. To steal ranking and search traffic from legitimate sites, hackers create conditional redirect rules (either in .htaccess files or in PHP scripts) that return the 301 status code along with the address of a malicious site for requests from search engine spiders. You can read the following posts about such attacks and their consequences:
    Exploit Redirects Googlebot to Malware Sites (Bablo me uk).
    Stats Anomaly Reveals Website Security Issues.
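Hidden links of the kind described above can be found by walking a page’s HTML and tracking which open elements hide their content. The following is an added example, not code from the original post or from the Unmask Parasites service; the list of CSS hiding tricks and the sample page are constructed for illustration:

```python
# Added example, not code from the original post: list the href of every <a>
# that a visitor never sees because it, or an ancestor, is hidden by inline CSS.
from html.parser import HTMLParser
import re

# Inline-style hiding tricks (constructed, non-exhaustive; links hidden through
# an external stylesheet need a CSS check as well).
HIDING_STYLES = [re.compile(p) for p in (
    r"display\s*:\s*none", r"visibility\s*:\s*hidden",
    r"font-size\s*:\s*0(?![.\d])",             # font-size:0, but not 0.5em
    r"(left|top|text-indent)\s*:\s*-\d{3,}")]  # pushed far off-screen
# Void elements never get an end tag, so they must stay off the stack.
VOID = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col", "wbr"}

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []         # (tag, hides_content) for each open element
        self.hidden_links = []  # href of every <a> found inside hidden markup

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").lower()
        hidden = "hidden" in attrs or any(p.search(style) for p in HIDING_STYLES)
        if tag not in VOID:
            self.stack.append((tag, hidden))
        # The <a> itself is already on the stack, so its own style counts too.
        if tag == "a" and any(h for _, h in self.stack):
            self.hidden_links.append(attrs.get("href"))

    def handle_endtag(self, tag):
        if tag in VOID or all(t != tag for t, _ in self.stack):
            return  # stray end tag: ignore it rather than unwind the stack
        while self.stack.pop()[0] != tag:
            pass    # also closes elements left open by sloppy markup

def find_hidden_links(html):
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden_links

# Constructed sample page: two visible links and three that visitors never see.
SAMPLE = """<html><body><p>Welcome! See our <a href="/about">about page</a>.</p>
<div style="display:none"><a href="http://spam.example/pills">cheap pills</a></div>
<span style="font-size:0px">free <a href="http://spam.example/soft">software</a></span>
<a href="http://spam.example/casino" style="position:absolute;left:-9999px">casino</a>
<p><img src="logo.png"><a href="/contact">Contact</a></p></body></html>"""
```

Running find_hidden_links on a saved copy of one of your own pages lists the three spam.example hrefs for the sample and nothing for the visible links; injected links hidden via class names and an external stylesheet will need the stylesheet checked as well.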

How are compromised websites harmed?

  • The increased number of links dilutes the SEO value of web pages, which makes legitimate links less valuable SEO-wise.
  • Black-hat SEO tricks inevitably lead to penalties and exclusion from search results, which usually means a drop in traffic and revenues.
  • Hidden links may affect contextual ads on compromised sites.
  • Cloaked content makes it into the site description in search results, and people who search for your site name may see something like “Viagra Online – Buy Viagra Online – Cheapest Viagra On The Net” or even something pornographic next to your site link. Such things can only harm your reputation (especially for sites of schools, churches and reputable international organizations – which I see quite often).
  • Cloaked content replaces legitimate content in search index, and compromised web sites can no longer be found using relevant keywords.

4. Parasitism on server resources.

How do hackers benefit from a prolonged, close association with compromised websites?

Sometimes hackers are not interested in existing content, ranking of compromised websites and their visitors. All they need is free web space and server resources – something that they can share with hacked legitimate websites whose owners unknowingly pay the bills both for themselves and for hackers.

Examples:

  • Rogue pages – Deep in sub-directories of legitimate websites, hackers create thousands of web pages optimized for specific keywords to poison search results on major search engines (usually something related to breaking news or some relatively unpopular keywords from the long tail – either way they have a good chance of making it to the first page of search results). Once search engines index those rogue pages and start to send search traffic their way (it usually takes only a few hours), the pages start to expose visitors to some malicious content (usually redirects to scareware sites):
    Rogue blogs redirect search traffic to bogus AV sites. Part 1.
    Bety.php – osCommerce Hack. Part 1.
    Bety.php Hack. Part 2. Black Hats in Action.
    Internals of Rogue Blogs
  • Phishing – To steal sensitive personal information, hackers create rogue web pages that look exactly like the login pages of banks and popular services (e.g. Facebook, PayPal, GMail, etc). They then send out tons of spam emails asking people, for example, to change their passwords (I bet you have received such emails) and pointing to that phishing page on a hacked site. As a result of such phishing campaigns, some people may not notice the forgery and provide hackers with their logins and passwords. And the hacked sites make it into the blacklists of anti-phishing organizations…
  • Gumblar – One of the most elaborate malware attacks – Gumblar – tries to use compromised websites to the fullest. Not only does it inject malicious scripts into legitimate web pages, it also creates subdirectories with binary exploits and malicious scripts that hackers use to infect visitors to other sites. Moreover, the backdoor scripts on infected sites are used to break into new sites and infect them. Gumblar-infected sites act as zombies of a botnet.
    Revenge of Gumblar Zombies
    List of Gumblar Zombie URLs
    More…
  • Koobface – This attack, that primarily targets users of social networking sites, creates scripts in subdirectories of hacked legitimate sites that redirect victims of the attack further to malicious web pages on infected computers.
  • Reverse proxies on port 8080 – To protect central malicious servers and keep them invisible to security researchers, hackers hide the real sources of badness behind reverse proxies on compromised web servers. Most hidden iframes with URLs that use port 8080 are just reverse proxies that behind the scenes pull the malicious content from secret servers.
    One of such reverse proxies
    Attacks that use such reverse proxies:
    Dynamic DNS and Botnet of Zombie Web Servers
    From Hidden Iframes to Obfuscated Scripts
    Quicksilver Malware Network

How are compromised websites harmed?

  • Sites get blacklisted because of malicious content they host.
  • Sites can be excluded from search results if hackers create spammy pages there.
  • Sites can be marked as phishing sites.
  • Everything above leads to traffic and revenue drops
  • Rogue content may exhaust site quotas and slow down server performance.
  • And, after all, site owners pay for the resource overage incurred by hacker activity.

Non-parasites

Not all hacker attacks are parasitic in nature (which doesn’t make them less malicious, of course).

  • Defacement – hackers replace or change the legitimate content of websites to show everyone that the sites have been hacked. Usually it’s just malicious mischief. It doesn’t involve a prolonged and close relationship with the hacked sites.
  • DoS/DDoS attacks – denial-of-service attacks try to render targeted websites/servers unavailable by exhausting their computational resources with floods of external requests. The goal of such attacks is usually either to get rid of unwanted sites (competitors, rivals, etc.) or to have site owners pay a ransom to stop the attack. While a DoS attack may be quite prolonged (and last several weeks), it is completely external and doesn’t involve any close association with the targeted sites.
  • Theft – Sometimes hackers break into websites to steal some protected information (e.g. database of clients) or access premium content without paying for it.

Make knowledgeable decisions

Now that you know why hackers break into legitimate websites and how they use them, you can make knowledgeable decisions about how to detect the hacks and what tools you should use. E.g. to find injected iframes and malicious scripts you should thoroughly look through the HTML code of your web pages; to detect cloaking, you should check what Google has indexed on your site; to detect redirects from search results, you should try to spoof the Referer HTTP header with tools like wget, etc.
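The Referer and User-Agent check this paragraph describes, written in Python rather than typed into wget, as an added example that is not code from the original post or from the Unmask Parasites service. The Referer and Googlebot User-Agent values are constructed for the example; the URL is whatever page of your own site you want to check:

```python
"""Added example (not code from the original post): request one URL as a plain
visitor, as a Google searcher and as Googlebot, and report conditional behaviour."""
import hashlib
import urllib.error
import urllib.request

# Request identities; the Referer and User-Agent values are constructed here.
IDENTITIES = {
    "plain": {},
    "searcher": {"Referer": "https://www.google.com/search?q=example"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                              "+http://www.google.com/bot.html)"},
}
REDIRECTS = (301, 302, 303, 307, 308)

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the raw status is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url, headers, timeout=15):
    """Return (status, Location header, sha256 of body) for one request."""
    req = urllib.request.Request(url, headers=headers)
    try:
        resp = urllib.request.build_opener(NoRedirect).open(req, timeout=timeout)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses still carry data
        resp = err
    digest = hashlib.sha256(resp.read()).hexdigest()
    return resp.code, resp.headers.get("Location"), digest

def classify(results):
    """results: {identity: (status, location, body_hash)} -> list of findings."""
    findings = []
    base_status, base_location, base_digest = results["plain"]
    for name, (status, location, digest) in results.items():
        if name == "plain":
            continue
        # A redirect that the plain visitor does not get (or to a different
        # target) is a conditional redirect; the same status with a different
        # body is cloaking.
        if status in REDIRECTS and (status, location) != (base_status, base_location):
            findings.append(f"{name}: conditional {status} redirect to {location}")
        elif status == base_status and digest != base_digest:
            findings.append(f"{name}: different content served (possible cloaking)")
    return findings

def check(url):
    return classify({name: fetch(url, hdrs) for name, hdrs in IDENTITIES.items()})
```

Call check() with a page URL of your own site; an empty list means all three identities got the same status and body, while a redirect reported only for the searcher or a different body only for the crawler is exactly the conditional behaviour the post describes. Dynamic pages that legitimately vary per request (timestamps, rotating ads) will also show a body difference, so compare the actual content before concluding it is cloaking.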

Unmask Parasites

To provide webmasters with a more universal, quick and secure way to check their sites for signs of hacker activity, I created the Unmask Parasites online service. It has evolved over the last two years and has proved to be a good starting point for detecting various types of website parasites: hidden links, iframes, malicious scripts, cloaking and conditional redirects.

It’s a tool that can help reveal a problem you were not aware of or provide a hint on where to look (or not to look) for the source of the security problems you investigate. And it’s all in less than 30 seconds. Of course, Unmask Parasites can’t detect or correctly identify every security problem; it’s just a first step in your investigation, and you should have other, more specialized tools in your toolkit as well.

If you haven’t tried Unmask Parasites yet, it’s time to click this link and check your site for parasites.

Build awareness

Did you learn anything new about website security threats? If yes, show this article to your fellow webmasters. The more we – webmasters – know about hackers, the less chance they have of exploiting our sites behind our backs.

Have your say

Do you have any other examples of parasitic activities of hackers? I would love to hear about them. Your comments are welcome.

Reader's Comments (6)

  1. |

    [...] "Wikipedia defines Parasitism as a “type of symbiotic relationship between organisms of different species in which one, the parasite, benefits from a prolonged, close association with the other, the host, which is harmed.” This definition perfectly describes relationships between hackers and legitimate websites. As it often happens in real life, the host (legitimate website and its owner) may be completely unaware of parasites until the harmful effect becomes obvious (e.g. drops in traffic, lost search engine rankings, site gets blacklisted, etc. ). And it doesn’t matter how big or small your site is and how malicious the hack is – this is the sort of relationships where parasites (hackers) always win and legitimate websites always lose. As a webmaster, you can be more effective at detecting and mitigating parasitic activities if you know how hackers can benefit from your site ." – Content courtesy of Introduction to Website Parasites | Unmask Parasites. Blog. [...]

  2. |

    great post…always good to learn how hackers hack your website so you can protect yourself.

  3. |

    [...] Shared Introduction to Website Parasites | Unmask Parasites. Blog.. [...]

  4. |

    This is an amazing resource thank you. So important to be aware of the security issues and these definitions are really thoughtful and useful, book-marking this page now!

    Thank you!

  5. |

    Thanks for pointing out the rogue 301 requests, had forgotten about the problem of these. Made me have a check through some sites

  6. |

    [...] Effectively, this way hackers can hijack search results of a legitimate web site. Now bad-site.com has all the search traffic of good-hacked-site.com, and good-hacked-site.com is no longer visible in search results. Typical parasites. [...]