I’ve spent quite a lot of time in this journal posting about a particular group of Russian computer virus writers, starting from when I first discovered last year that my name was being used to poison Google keyword searches and drive traffic to Web sites that attempt to download malware onto computers. (Does that make me an official net.celebrity?) I’ve made it something of a hobby to follow this particular group, and have written about how they have repeatedly hacked an ISP called iPower Web to spread viruses, and how they’ve built an elaborate underground computer network to funnel traffic to virus-infected Web sites.
Along the way, they’ve changed tactics a number of times. The hacks against iPowerWeb are still ongoing, though they seem to have slowed; at the height of the attack, iPower was hosting tens of thousands of newly-hacked Web sites per day, though now it’s slowed to a paltry trickle… at any given time these days, there are only a couple hundred hacked Web sites living on iPower’s servers. When the post about iPower first went live last December, I was flooded with emails from folks saying “My Web site is hosted by iPower and I’ve been hacked!” and I even got two phone calls from iPower customers whose Web sites had been penetrated. (Yes, my phone number is out there, for folks who want to dig it up. No, I’m not gonna tell you what it is.)
The interesting thing about this particular computer gang is their adaptability. They’re constantly changing targets, and as time goes on their underground network grows larger and more resilient.
In the past, they’ve planted redirectors to malware sites on hacked Web servers, they’ve exploited security flaws in software like phpBB and WordPress to redirect traffic to virus droppers, they’ve set up fake Facebook profiles that redirect visitors to virus-infected sites, and they’ve even created fake Google Groups to direct traffic to virus sites.
In the past couple of weeks, though, I’ve seen a whole new approach, and it’s all about exploiting open redirectors.