A Google search of the Internet domains of Harvard, Stanford and UC Berkeley yielded unexpected results – websites selling an assortment of drugs, including cut-rate antibiotics and Viagra.
Why are top-ranked research universities from the Bay Area to the Bay State promoting what appear to be online pharmacies?
Because criminals see an opportunity to take over poorly maintained academic websites and reap the benefits of their online reputations and the Web traffic that comes with it. It’s a form of “parasite hosting,” and reports of such Web spam go back to at least 2007.
Search engines such as Google or Yahoo rank websites based, in part, on how reputable they appear to be. By secretly glomming onto a prominent university’s domain name, scammers are attempting to make their own websites look reputable to a search engine, giving them a higher ranking on search pages than they would otherwise get. A higher ranking brings more traffic and potentially more money.
“One way to do that is by reputation theft,” said Sam Bowne, a professor at City College of San Francisco who teaches computer networking and ethical hacking. “You hack someone’s site, like an .edu, and you get it to pair with your site.”
The scam succeeds by flying under the radar. The typical Web surfer searching for Harvard’s website, for example, won’t be redirected to a Viagra outlet.
But it is not without danger. In some cases, the scam has been used to spread malware or convince phishing victims of the legitimacy of fraudulent emails, said Andrew Shotland, LocalSEOGuide.com’s chief executive.
The schools try to stamp out the scam when it arises. But in a way, it is a result of how universities build their sprawling domains on the Web.
High-value information – like staff personnel records – is closely guarded. But the schools keep elements of their Web presence relatively open to allow faculty, staff and students to collaborate online. They don’t think “reputation theft” poses enough of a threat to the school to wall off their sites entirely.
“There is this optics game that’s being played where, of course, it’s embarrassing,” said Paul Rivers, UC Berkeley’s chief information security officer. “But is it actually harmful? No. Is it something that we will absolutely respond to? Yes it is.”
A Google spokeswoman said that while the search engine has algorithms to detect spam and take action, sometimes people succeed in gaming those algorithms to trick their way to the top of search results. She did not provide any numbers on the frequency of such scams, or how often they have occurred.
To see the scam in action, Google “site:harvard.edu canadian pharmacy.” Up pop links to a pharmacy, with the university’s Web domain included in its address.
Bowne said that he notified 70 affected organizations of such problems in late April. Only about a quarter of them, including the University of Georgia and Johns Hopkins, had addressed the issues, according to a list on his blog.
Representatives from Brown and Harvard, which Bowne called out in a blog post, did not respond to emails requesting comment.
As for the “Canadian pharmacy” whose pages are linked to the Harvard domain, it probably isn’t located in Canada. A customer service employee said he and his company were in London. He indicated they operate multiple websites before hanging up.
The website’s “About Us” section said all the “generic medicines” sold on it are shipped from India and approved by the “Indian FDA.”
The Chronicle in May separately identified similar issues affecting websites hosted by Berkeley and Stanford. Both universities remedied the problems after being contacted by a reporter.
“We are aware of the phenomenon, and unfortunately, it is an ongoing challenge in many universities and other large decentralized organizations with extensive Web presences,” Brad Hayward, Stanford’s senior director of strategic communication, said via email.
The university actively works to identify and remediate such issues, according to Hayward.
Hacking college-hosted servers in order to drive traffic is part of a much larger family of fraud, said Ryan Kalember, a senior vice president of cybersecurity strategy at Proofpoint, a cloud-security company in Sunnyvale.
Criminals and search-engine optimization firms used similar tactics from the early 2000s until the middle of that decade, according to Kalember. One tactic, called backlinking, involves paying the webmasters of popular sites to post hyperlinks to less popular domains in order to lift their Google search results.
The way to game the Google search algorithm – which guides people to the content that they’re seeking – was straightforward and well known, Kalember said.
“It wasn’t by creating quality content, which it is now,” Kalember said. But the improvements that Google made “essentially drove innovation throughout cybercrime.”
Those improvements specifically penalized sites that employed such dubious practices by lowering their page ratings. This forced criminals to be more discreet.
For those that practice such black hat tactics, it’s slash and burn, said Shotland, also a regular columnist for industry news website Search Engine Land.
“The problem with these schemes is they tend not to last long,” he said.
Search can mean millions of dollars for a business, directing consumers to a well-ranked e-commerce site without having to pay for advertising.
“Most of the people I deal with want no part of this thing, because it’s too risky,” said Shotland, referencing the chance of a website owner getting caught and losing out on search rank. “It’s totally against what Google wants you to do, right?”
Bowne said he’s been researching the issue for about 2 years. He identified this latest group of colleges and other reputable organizations as part of preparation for a class he’s teaching next semester on securing Web applications.
They are examples of what not to do when it comes to protecting websites.
“I’d really like to get this cleaned up for infected sites,” Bowne said, adding that he’d happily do it for free, “because I’d really like more malware samples and more evidence of how this happens.”
Even so, the risk to a university is low. No one is stealing personal information, as that data is stored securely and separately from the public websites affected, said Rivers of UC Berkeley.
He added that college networks are more susceptible to such vandalism because they are more open by design, allowing students, professors and other academics free rein to conduct experiments.
“What is more important, maintaining that character or stopping something far down the harm spectrum, like the pharma ad?” Rivers said. “To me, the answer there is clear: We maintain the openness of Berkeley because that is far more important to the mission that is UC Berkeley.”
San Francisco Chronicle
- 3 Jun, 2016