Breach Aftermath: Hijacked Sites

Wednesday, February 8, 2012 @ 04:02 PM gHale


DreamHost notified its customers the firm suffered a data breach and with a quick turnaround the information went out and attackers were able to compromise and redirect visitors to a Russian scam.

Quite a few sites hosted by DreamHost that contained a PHP file designed to redirect users to a scam page, said researchers from cloud security vendor Zscaler.

RELATED STORIES
User Alert: Brute Force Attacks on Rise
Wireless Flaw Allows Easy PIN Access
Enhanced Security for Cloud Computing
Wireless Sensors Collect Water Data

The scam site, otvetvam.com, advertises a “make money from home” scam by displaying several fake testimonials allegedly written by people who already made a lot of money.

The site looks so real that even the Google ads lead to a YouTube-style site that promotes other schemes, more precisely an online gambling site.

Otvetvam.com replicates a popular Russian site, mail.ru, to make everything more legitimate looking. Furthermore, other malicious domains just came online to serve the same purpose, the cybercriminals probably planning ahead for when security solutions providers will start blocking their domains.

At the time when they discovered the breach, DreamHost advised users to make sure they change their passwords, but it turns out that not everyone followed their advice and the cyber bad guys already made good use of the leaked information.

DreamHost customers should follow the steps recommended by the company to make sure their assets remain secure. Passwords must reset as soon as possible to prevent any unfortunate incidents.

The possibility that hackers already changed some of the passwords exists. Another possibility is the cyber masterminds altered the websites before the passwords were reset, which means that website administrators should check their webpages to see if the malicious PHP file exists.

The PHP file doesn’t have a clearly defined name, but it looks something similar to tyiueg.php, polzin.php, gyrewnv.php, or fgjke.php.



One Response to “Breach Aftermath: Hijacked Sites”

  1. jeremyhanmer says:

    As VP of Security at DreamHost, I’d like to reassure everyone out there that we have seen zero cases any user compromises as a result of our password breach from a few weeks ago. From what we’ve been able to uncover, this string of intrusions is not only not unique to DreamHost but stems from mostly already-compromised PHP-based sites. Like most web hosting providers, recent exploits such as the Timthumb exploit from last year are continuing to be a problem for our customers. At DreamHost, our free mod_security offering does prevent around 50,000 attacks every day from hitting customer websites – but there is always more to do.


Leave a Reply

You must be logged in to post a comment.