Diluted Thinking

in Australian healthcare

AVSN: Privacy Concerns over Website Hack

Editor's Note: All information gathered for this post was done so legally and responsibly. No more than one page was fetched at a time using a web browser, curl or wget. I made no effort to mask my activity except to change my user-agent to Googlebot when testing results of the pharma hack. I made no attempt to log in to any area of the web server. My activity will be clearly visible in log files with an IP located in Germany and operating system FreeBSD.

30 Dec 2012: update at end of page

Background

The AVSN's website uses the Apache web server. The main website used Joomla for content management up until April 2012 and then changed to Wordpress. The AVSN blog, No Compulsory Vaccination, uses Wordpress and has been hosted at Blogspot, then on the AVSN's own web server, and is currently hosted at wordpress.com. A Joomla chronoform is used for the Reaction Report Form, and Joomla is still installed on the server. Some pages from earlier versions of the AVSN's website that relate to donations and magazine advertising are still accessible at avn.org.au (I guess for people who may have bookmarked old pages). An entire version of their website from many years ago is still viewable at avn.org.au.

Hacked

During 2012 Google search results for the AVSN started showing advertising for pharmaceutical products in the title and page description. Clicking on a search result would take the user to the correct AVSN website page.

This is due to the notorious pharma hack, whereby hackers compromise a website's server and inject code in order to hijack that website's Google ranking for their own sites. All platforms are potentially vulnerable to this hack; Joomla and Wordpress are both considered easy targets because of their popularity and the number of installations running vulnerable or outdated plugins and themes.

A user browsing an infected site will not see any evidence of the pharma hack. To view the result of the injected code you need to fetch a page with the user-agent set to Googlebot. In addition to altering the title, meta keywords and description in the page header, the hack injects thousands of keywords and dozens of links to the hackers' own sites into the page header to boost their Google ranking.

Example of altered title, meta keywords and description in the AVSN's index page:

User-agent: web browser
<meta name="description" content="Because every issue has two sides">
<meta name="keywords" content="wordpress, c.bavota, magazine flow, custom theme, themes.bavotasan.com, premium themes">
<title>Australian Vaccination Network, Inc | Because every issue has two sides</title>

User-agent: Googlebot
<meta name="description" content="Buy Propecia Online No Prescription Needed, Buy Propecia 1mg ^ Purchase With No Prescription">
<meta name="keywords" content="Buy, Propecia, Online, No, Prescription, Needed, Buy, Propecia, 1mg, ">
<title>Buy Propecia Online No Prescription Needed, Buy Propecia 1mg ^ Online No Prescription Paypal </title>

As of December 2012 nearly all Google search results show altered titles and page descriptions. Clicking on any link initially requests the AVSN URL shown in the result, but the user is immediately redirected to a pharma website instead.

Links to AVSN pages from non-Google sites are probably unaffected as the redirection appears to only be active if the referrer is Google. The AVSN shop is hosted on a separate ecommerce site and appears unaffected.
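The two observations above, a different page served to the Googlebot user-agent and a redirect that fires only when the referrer is Google, can be checked from outside with three plain HTTP requests. The script below is an added example written for this post, not code from the original or from any tool the AVSN used. It compares the title, meta description, meta keywords and links between the browser view and the Googlebot view, and sends one request with a Google Referer header without following redirects. The URL, the sample HTML responses and the fake_fetch function are constructed for an offline demonstration; urllib_fetch is the only part that talks to a live server, and is meant for auditing a site you administer.

```python
# Added example: black-box check for user-agent / referrer cloaking.
# All sample data below is constructed for the demonstration.
import urllib.error
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20100101 Firefox/17.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class HeadExtractor(HTMLParser):
    """Collect <title>, named <meta> tags and every href in the page."""

    def __init__(self):
        super().__init__()
        self.title, self.meta, self.links, self._in_title = "", {}, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name"):
            self.meta[a["name"].lower()] = a.get("content") or ""
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def extract_head(html):
    p = HeadExtractor()
    p.feed(html)
    return {"title": p.title.strip(), "description": p.meta.get("description", ""),
            "keywords": p.meta.get("keywords", ""), "links": p.links}


def compare_views(browser_html, bot_html):
    """Fields that differ between browser and crawler views; {} means no cloaking seen."""
    a, b = extract_head(browser_html), extract_head(bot_html)
    diffs = {f: (a[f], b[f]) for f in ("title", "description", "keywords") if a[f] != b[f]}
    extra = sorted(set(b["links"]) - set(a["links"]))
    if extra:
        diffs["extra_links"] = extra  # links only the crawler is shown
    return diffs


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of silently following the redirect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, headers):
    """Fetch one page without following redirects -> (status, location, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=20) as resp:
            return resp.status, None, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""


def audit(url, fetch=urllib_fetch):
    """Three requests (browser UA, Googlebot UA, Google referrer) and what differed."""
    _, _, browser_html = fetch(url, {"User-Agent": BROWSER_UA})
    _, _, bot_html = fetch(url, {"User-Agent": GOOGLEBOT_UA})
    status, location, _ = fetch(url, {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"})
    return {"cloaking": compare_views(browser_html, bot_html),
            "referrer_redirect": location if 300 <= status < 400 else None}


# Constructed sample responses, modelled on the meta tags quoted in the post.
SAMPLE_BROWSER = """<html><head>
<meta name="description" content="Because every issue has two sides">
<meta name="keywords" content="wordpress, custom theme">
<title>Australian Vaccination Network, Inc | Because every issue has two sides</title>
</head><body><a href="/about">About</a></body></html>"""

SAMPLE_BOT = """<html><head>
<meta name="description" content="Buy Propecia Online No Prescription Needed">
<meta name="keywords" content="Buy, Propecia, Online, No, Prescription">
<title>Buy Propecia Online No Prescription Needed</title>
<a href="http://pharma.example/">pills</a>
</head><body><a href="/about">About</a></body></html>"""


def fake_fetch(url, headers):
    """Stand-in for urllib_fetch that replays the constructed responses offline."""
    if "google.com" in headers.get("Referer", ""):
        return 302, "http://pharma.example/landing", ""
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, None, SAMPLE_BOT
    return 200, None, SAMPLE_BROWSER


if __name__ == "__main__":
    # Swap fake_fetch for urllib_fetch to audit a site you administer.
    print(audit("http://www.example.org/", fetch=fake_fetch))
```

The redirect check deliberately does not follow the 3xx: a cloaked site that bounces Google visitors elsewhere shows up as a Location header pointing off-site, which is the evidence worth recording. An empty "cloaking" dict and a None "referrer_redirect" together mean this particular page looked the same to all three requests, which is what a clean site should return.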

Image: Excerpt of page created by the hackers
However, when downloading pages from the AVSN's website, I noticed that some saved files had been created by the hackers.

In the directory googleb2448b77c07dbcd5-html, pages had been created that contained only pharma spam content.

This directory is unusual in that Google site verification only needs a file of that name to be placed in the root directory of the website; the directory is not required. I don't know whether the hackers created this directory using the Google site verification filename to make it look harmless, or whether the website administrator created it in error. The actual Google site verification file on the AVN website is in the correct location.

Files created include index.html?share=digg and index.html?share=email.

Trying to view these pages on the AVSN website with a web browser results in page not found.

At the end of these pages was a list of links that would have appeared in a genuine, but old, AVSN page. The links were coded to go to the correct pages except for one which was coded to go to a pharma-related site.

It is clear that the pharma hack has compromised more than just Joomla and Wordpress on the AVSN's web server. It may be as simple as a rewritten .htaccess file; the worst case is that the Apache web server itself has been compromised.
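A rewritten .htaccess is the simplest of the possibilities named above, and it is also the easiest to check for. The scanner below is an added example for this post, not code from the original or from any tool used on the AVSN server: it walks one .htaccess file line by line and flags rewrite conditions keyed on the User-Agent or Referer headers, rewrite rules that send visitors to another host, PHP prepend/append hooks, and handlers that execute image or text files as PHP. The sample .htaccess is constructed; its injected lines are hypothetical and not taken from the AVSN site.

```python
# Added example: flag .htaccess directives typical of cloaking and backdoor loaders.
import re

# Each pattern is matched against one non-comment line of an .htaccess file.
SUSPICIOUS = [
    (re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I),
     "rewrite conditioned on User-Agent (crawler cloaking)"),
    (re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}", re.I),
     "rewrite conditioned on Referer (search-engine-only redirect)"),
    (re.compile(r"RewriteRule\s+\S+\s+https?://", re.I),
     "rewrite sends visitors to another host"),
    (re.compile(r"\bauto_(prepend|append)_file\b", re.I),
     "PHP prepend/append hook (common backdoor loader)"),
    (re.compile(r"AddHandler\s+\S*php\S*\s+.*\.(jpe?g|png|gif|txt)", re.I),
     "image/text extension handled as PHP"),
]


def scan_htaccess(text):
    """Return (line number, reason, line) for every suspicious directive."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(stripped):
                findings.append((lineno, reason, stripped))
    return findings


def scan_file(path):
    """Convenience wrapper for a real file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_htaccess(fh.read())


# Constructed sample: a normal Wordpress block followed by hypothetical injected lines.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} googlebot [NC]
RewriteRule ^(.*)$ /hidden-dir/index.html [L]
RewriteCond %{HTTP_REFERER} google\\. [NC]
RewriteRule ^ http://pharma.example/ [R=302,L]
php_value auto_prepend_file /tmp/.cache.php
"""

if __name__ == "__main__":
    for lineno, reason, line in scan_htaccess(SAMPLE_HTACCESS):
        print(f"line {lineno}: {reason}: {line}")
```

Run scan_file over every .htaccess under the document root, not only the top-level one; the post's own finding of spam pages in a subdirectory is a reminder that injected rules can sit anywhere Apache reads per-directory configuration. A clean scan does not prove the server is clean (the post's point about backdoors stands), but a hit is direct evidence of the rewrite-based variant.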

Privacy Concerns

According to some security specialists, the pharma hack rarely contains malware; the hackers' intent is only to improve search engine rankings.

This is a dangerous assumption for any website administrator to make. Once you are aware of one server compromise you should assume that other compromises now exist. The pharma hack can be planted in a variety of ways. The most common are Joomla and Wordpress plugin/theme vulnerabilities, but some sites have been infected with the pharma hack through stolen username/password credentials. A responsible site administrator should not dismiss this possibility even if a vulnerability is found elsewhere.

Nearly all pharma hacks contain backdoors allowing a site to be reinfected after the user believes the site is clean. The most common advice from security specialists in cleaning an infected site is to blow the entire thing away, including the web server software, and start again from scratch.

Other likely abuses by the pharma hackers, or by others exploiting a now visibly compromised machine, include harvesting all information sent through the web server via online forms, such as personal information for identity theft or email addresses. Others include setting up the infected server as a repository for pornography or illegal material.

The most serious aspect of the AVSN web server being hacked is their online Reaction Report Form. This form asks for confidential health information to be supplied, including the full name of the child or adult, contact details, medical symptoms and medical history. There is no way of knowing that the information sent via this form is not also being sent to hackers, unless you can be absolutely confident that you have found every compromise on the server (and security specialists tell us you are highly unlikely to do so, hence their advice to blow away the entire installation and start afresh).

How long has privacy been at risk?

The next question that needs to be asked is how long has the AVSN web server been compromised? The pharma hack first became obvious in Google search results shortly after the AVSN's main site changed over to Wordpress for content management in April 2012.

Using date ranges in a Google search with particular keywords, the earliest result I obtained was 15 Dec 2011:

Image: Google result dated 15 Dec 2011 showing pharma hack

I am not sure how accurate Google's date range search is in regard to the page description information or the actual date; for the purpose of this discussion I am assuming that it's close enough. A particular Google search result in March 2012 carried a warning from Google "This site may be compromised":

Image: Google result dated 2 March 2012 showing pharma hack

Other search results for this period also carried site warnings. It is my opinion that there is a strong likelihood that the AVSN was aware of the hack at this time and that was the impetus in early April for the change to Wordpress. Unfortunately, it takes considerably more effort than this to rid a server of this hack.

I think it reasonable, and responsible, to assume that the AVSN's website has been infected for all of 2012. The AVSN now has a duty of care, and possibly a legislative requirement, to notify every user that submitted information via the site that their information may not have been secure.

Ignoring the hacking issue for a moment, it is important to note that information in the Reaction Report Form is sent unencrypted anyway. At the very least this form should only be available via a secure https connection. I do not know how the AVSN receives the content of this form, whether it is stored on the server for retrieval later or emailed to them. Either way, the form contents should only be sent to and from the server via a secure (encrypted) connection. God forbid that the contents of this form are stored anywhere on the server in its present state.

The AVSN has been aware of this hack for at least 7 months and probably longer. Their first action should have been to take the website offline until it was fixed. If they insist on leaving a hacked server online they must acknowledge the privacy implications of doing so by immediately removing all pages of their website that accept user input and they need to inform all users who previously sent information via the website that their information may have been intercepted by hackers.

Update: 30 December 2012

Proof the AVSN was aware of hack in April 2012

This post by Meryl Dorey to a Wordpress forum proves that:

Hi,

I run a website that is not hosted on wordpress (my blogs are but I needed more plugins for the site) and last night, someone tried to change the email for the admin account (I got the email message this morning when I woke up) and when I went to my user accounts, there was a new account set up there which I did not set up!

I don't see that anything on the site has changed but I'm wondering if there is a log file somewhere that I can check to see what changes were made and if the ip address of the person who set up that account had been captured.

I have changed all passwords to make them stronger, but I was hoping someone would have suggestions for how to increase the security of my website which is self-hosted as well as for my blogs which are on wordpress.com.

The non-profit organisation that I run has attracted a lot of attacks from hackers in the past so any suggestions would be really appreciated.

Thanks,
Meryl

Note: A Google search gives a date of 27 April 2012 for this post.

This is so much more than just a spamware compromise. A user account was created which means anything could have been done to the server. You must assume that a backdoor was installed so deletion of this user account will have little or no bearing on the server's future security.

Once you have proof of this level of compromise the only fix is to wipe the lot and start over with a fresh installation of everything.

And yes, as of today the website is still compromised and accepting confidential health information via an online form.

Update: 9 February 2013

In late January the AVSN's website was down for about a week, then was offline again on 7 February 2013. As of 8 February 2013, there is no longer any outward evidence of the pharma hack. However, the AVSN did not wipe the server, which is the recommended remedy for this hack and is especially crucial when you know hackers managed to create a user account on the system. Therefore, from a security point of view, one should assume that this server is still compromised until the entire system is wiped and rebuilt.