Monday, February 18, 2008

The Continuing .Gov Blackhat SEO Campaign

Just like the situation in the previous case of injecting SEO content into .gov domains, once the pages are up and running, they get actively advertised across the Web, again automatically. While bridger-mt.gov responds to 72.22.69.184, the subdomain freeporn.eee.bridger-mt.gov points to another netblock, in this case 66.49.238.80. Exactly the same approach was used in a previous such assessment, which, however, was serving malware to its visitors. Here are some of the very latest such examples, listed by directory:

- Cobb County Government - cobbcountyga.gov/css - over 2,240 pages
- Benton Franklin Health District - bfhd.wa.gov/search/templates/dark/.thumbs - 1,200 pages
- Bridger, Montana - freeporn.eee.bridger-mt.gov - 778 pages
- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 336 pages
- Michigan Senate - senate.michigan.gov/FindYourSenator/top - 26 pages
- Nevada City, California - nevadacityca.gov/postcards - 13 pages
- Brookhaven National Laboratory - pvd.chm.bnl.gov/twiki/pub/Trash/OnlinePharmacy - 12 pages

Who's behind all of these? Checking the outgoing links and verifying the forums the advertisements got posted at could prove informative. For instance, topsfield-ma.gov/warrant, where a single blackhat SEO page was located, seems to have been hacked by a Turkish defacement group who left the following: "RapciSeLo WaS HeRe !!! OwNz You - For AvciHack.CoM", with greets given to "J0k3R inf3RNo ByMs-Dos FuriOuS SSeS UmuT SerSeriiii Ov3R YstanBLue DeHS@ CMD 3RR0R SaNaLBeLa Keyser-SoZe GoLg3 J0k3ReM JackalTR Albay ParS MicroP".
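
The DNS mismatch noted earlier, a subdomain resolving outside the netblock of its parent domain, is something a zone owner can check for mechanically. The Python check below is an added example, not part of the original post; the function name, the /24 baseline and every record other than the two bridger-mt.gov addresses quoted above are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of (hostname, A record) pairs, as they might come from a
# zone export or a passive-DNS feed. Only the two bridger-mt.gov addresses
# quoted in the post are real observations; the other rows are made up.
RECORDS = [
    ("bridger-mt.gov", "72.22.69.184"),
    ("www.bridger-mt.gov", "72.22.69.184"),
    ("mail.bridger-mt.gov", "72.22.69.190"),          # constructed
    ("freeporn.eee.bridger-mt.gov", "66.49.238.80"),
    ("unrelated.example", "192.0.2.10"),              # constructed, other zone
]


def stray_subdomains(records, apex, prefix_len=24, allowed=()):
    """Return (host, ip) for subdomains of `apex` that resolve outside the
    network(s) the apex itself lives in, plus any explicitly allowed ranges.

    The baseline is derived from the apex's own A records, widened to
    /prefix_len (an assumption; use the real allocation when it is known).
    """
    apex = apex.lower().rstrip(".")
    nets = [ipaddress.ip_network(n) for n in allowed]
    for host, ip in records:
        if host.lower().rstrip(".") == apex:
            nets.append(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
    if not nets:
        raise ValueError(f"no baseline address known for {apex}")

    strays = []
    for host, ip in records:
        name = host.lower().rstrip(".")
        if not name.endswith("." + apex):
            continue  # the apex itself, or a name from another zone
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            strays.append((name, ip))
    return strays


if __name__ == "__main__":
    for name, ip in stray_subdomains(RECORDS, "bridger-mt.gov"):
        print(f"review: {name} -> {ip} is outside the parent domain's netblock")
```

Subdomains legitimately hosted with a third party will also be reported, so their ranges belong in `allowed`; what remains is the list to review by hand.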