\nScammers publish ads for hacking services on government websites<\/br>
\n2023-06-02 21:43:50<\/br><\/p>\n
Scammers have published<\/span> various advertisements for hacking services on the official websites of multiple U.S. state, county and local governments, a federal agency, as well as numerous universities.<\/p>\n The advertisements were contained in PDF files uploaded to official .gov websites belonging to the state governments of California, North Carolina, New Hampshire, Ohio, Washington and Wyoming; St. Louis County in Minnesota, Franklin County in Ohio, Sussex County in Delaware; the town of Johns Creek in Georgia; and the federal Administration for Community Living.<\/p>\n Scammers also uploaded similar ads on the .edu websites of several universities: UC Berkeley, Stanford, Yale, UC San Diego, University of Virginia, UC San Francisco, University of Colorado Denver, Metropolitan Community College, University of Washington, University of Pennsylvania, University of Texas Southwestern, Jackson State University, Hillsdale College, United Nations University, Lehigh University, Community Colleges of Spokane, Empire State University, Smithsonian Institution, Oregon State University, University of Buckingham in the U.K., and Universidad Del Norte in Colombia.<\/p>\n Apart from .gov and .edu sites, other victims include Spain\u2019s Red Cross; the defense contractor and aerospace manufacturer Rockwell Collins \u2014 part of Collins Aerospace and a subsidiary of the defense giant Raytheon; and an Ireland-based tourism company.<\/p>\n The PDFs link to several different websites, some of them advertising services that claim to be able to hack into Instagram, Facebook and Snapchat accounts; services to cheat in video games; and services to create fake followers.<\/p>\n \u201cBEST way to Hack Insta 2021,\u201d one PDF read. \u201cIf you are looking to hack Instagram account (either yours which you got locked out from or your friend), InstaHacker is the right place to look for. We, at InstaHacker, provides our users with easy Instagram hack solutions that are safe and completely free from any malicious intentions [sic<\/em> throughout].\u201d<\/p>\n Some of the documents have dates that suggest they may have been online for years.<\/p>\n These advertisements were found by John Scott-Railton, a senior researcher at the Citizen Lab. It\u2019s unclear if the sites he found \u2014 and we have listed \u2014 are a complete list of the sites affected by this massive spam campaign. And given how many websites were displaying very similar advertisements, the same group or individual may be behind them all.<\/p>\n \u201cSEO PDF uploads are like opportunistic infections that flourish when your immune system is suppressed. They show up when you have misconfigured services, unpatched CMS [content management system] bugs, and other security problems,\u201d said Scott-Railton.<\/p>\n While this campaign seems to be complex, massive and at the same time a seemingly harmless SEO play to promote scam services, malicious hackers could have exploited the same flaws to do much more damage, according to Scott-Railton.<\/p>\n \u201cIn this case the PDFs they uploaded just had text pointing to a scam service that might also be malicious as far as we know, but they could very well have uploaded PDFs with malicious contents,\u201d he said. \u201cOr malicious links.\u201d<\/p>\n Zee Zaman, a spokesperson for U.S. cybersecurity agency, CISA said that the agency \u201cis aware of apparent compromises to certain government and university websites to host search engine optimization (SEO) spam. We are coordinating with potentially impacted entities and offering assistance as needed.\u201d<\/p>\n TechCrunch inspected some of the websites advertised in the PDFs, and they appear to be part of a convoluted scheme to generate money through click-fraud. The cybercriminals appear to be using open source tools to create popups to verify that the visitor is a human, but are actually generating money in the background. A review of the websites\u2019 source code suggests the hacking services as advertised are likely fake, despite at least one of the sites displaying the profile pictures and names of alleged victims.<\/p>\n Several victims told TechCrunch that these incidents are not necessarily signs of a breach, but rather the result of scammers exploiting a flaw in online forms or a content management system (CMS) software, which allowed them to upload the PDFs to their sites.<\/p>\n Representatives for three of the victims \u2014 the town of Johns Creek in Georgia, the University of Washington, and Community Colleges of Spokane \u2014 all said that the issue was with a content management system called Kentico CMS.<\/p>\n It\u2019s not entirely clear how all of the sites were affected. But representatives of two different victims, the California Department of Fish and Wildlife and University of Buckingham in the U.K., described techniques that appear to be the same, but without mentioning Kentico.<\/p>\n \u201cIt appears an external person took advantage of one of our reporting mechanisms to upload PDFs instead of pictures,\u201d David Perez, a cybersecurity specialist at the California Department of Fish and Wildlife told TechCrunch.<\/p>\n The department has several pages<\/a> where citizens can report sightings of poaching and injured animals, among other issues. The department\u2019s deputy director of communications Jordan Traverso said that there was a misconfigured form in the page to report sick or dead bats, but the site \u201cwas not actually compromised\u201d and the issue was resolved and the department removed the documents.<\/p>\n Roger Perkins, a spokesperson for the University of Buckingham, said that \u201cthese pages are not the result of hacking but are old \u2018bad pages\u2019 resulting from the use of a form \u2014 basically they\u2019re spam and are now in the process of being removed [\u2026] there was a public-facing form (no longer in existence) that these people took advantage of.\u201d<\/p>\n Tori Pettis, a spokesperson for the Washington Fire Commissioners Association, one of the affected agencies, told TechCrunch that the files have been removed. Pettis said she was not sure whether the issue was with Kentico, and that \u201cthe site hasn\u2019t been hacked, however, there was a vulnerability which was previously allowing new members to upload files into their accounts before the profile was completed.\u201d<\/p>\n Jennifer Chapman, senior communications manager at the town of Johns Creek, said that \u201cwe worked with our hosting company to remove the PDFs in question and resolve the issue.\u201d<\/p>\n Ann Mosher, public affairs officer for the Administration for Community Living, said the pages \u201chave been taken down.\u201d<\/p>\n Leslie Sepuka, the associate director of university communications at the University of California San Diego, said that \u201cunauthorized PDFs were uploaded to this site. The files have been removed and changes have been made to prevent further unauthorized access. All users with access to the website have also been asked to reset their passwords.\u201d<\/p>\n Victor Balta, spokesperson for the University of Washington, said \u201cthe issue appears to have stemmed from an out-of-date and vulnerable plugin module on the website, which allowed for content to be uploaded into a public space.\u201d The spokesperson added that, \u201cthere is no indication of any deeper impact or compromise of access or data within the relative system.\u201d<\/p>\n Balta attributed the issue to Kentico.<\/p>\n Thomas Ingle, director of technology services at Community Colleges of Spokane, said that the problem was a Windows Server running Kentico, and that \u201cwe had documents uploaded (in this case the PDF you referenced) that other servers that were hijacked were pointing to.\u201d<\/p>\n Janet Gilmore, a spokesperson for UC Berkeley, said: \u201cThere was a vulnerability found on this website,\u201d referring to the site where the hacking ads were posted, and that the issue was rectified \u201cto prevent this from happening again in the future.\u201d<\/p>\n The rest of the named organizations did not respond to TechCrunch\u2019s inquiries. Several calls and emails to Kentico Software went unreturned.<\/p>\n The ultimate damage of this spam campaign is and will end up being minimal, but having the ability to upload content to .gov websites would be concerning, not just for the .gov websites in question, but for the whole U.S. government.<\/p>\n It has already happened. In 2020, Iranian hackers broke into a U.S. city\u2019s website<\/a> with the apparent goal of altering the vote counts. And elections officials have expressed concern<\/a> for hackers hacking into election-related websites.<\/p>\n<\/p><\/div>\n <\/br><\/br><\/br><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/techcrunch.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-01-at-4.31.43-PM.jpg?resize=990%2C548&ssl=1\")
<\/p>\n