Hundreds of websites operated by the UK government appear to have been hacked to include links and references to illicit websites selling viagra, hardcore pornography, cialis and other dubious products.

The hacked sites, which include primary schools, universities, the DSA, the Forestry Commission and various local government websites and forums, have fallen victim to a variety of attacks, including cross-site scripting and the exploitation of vulnerabilities in badly designed and outdated software.
The hacks present a considerable danger to members of the public who find these infected pages via search engines or spam emails. Users trust .gov.uk websites and click through to the page, only to have their PC infected with spyware or a virus, or to be redirected to a website selling viagra or cialis.
Hackers take advantage of the trust that search engines such as Google place in government websites: by placing a page on one of these trusted domains they can quickly gain top search engine rankings without the effort of creating and promoting a website of their own.
According to Wikipedia, cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting carried out on websites accounted for roughly 80% of all documented security vulnerabilities as of 2007. Often during an attack “everything looks fine” to the end-user, who may be subject to unauthorized access, theft of sensitive data, and financial loss.
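The injection described above is easiest to see in a guestbook or comment form that writes visitor input straight into the page. The following Python is an added example and not code from the article or from any of the affected sites: it renders one constructed spam entry through a vulnerable template and through the same template with output escaping, then counts the links a crawler would find in each result. The spam text, the `example.invalid` URL and the function names are all assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a guestbook entry as a spammer would submit it to a form
# that stores input verbatim. The link sits inside an element a browsing user
# never sees, but a search engine still indexes the anchor text and href.
SPAM_ENTRY = (
    'Great site! <div style="display:none">'
    '<a href="http://example.invalid/buy">cheap viagra cialis</a></div>'
)


def render_entry_vulnerable(entry: str) -> str:
    """Stored injection: the entry is concatenated into the page unchanged,
    so any HTML the spammer submitted becomes part of the page."""
    return '<li class="guestbook">' + entry + '</li>'


def render_entry_hardened(entry: str) -> str:
    """Same template, but the entry is HTML-escaped on output. The markup is
    still stored, but it is displayed as literal text and cannot form a link."""
    return '<li class="guestbook">' + html.escape(entry, quote=True) + '</li>'


class LinkCollector(HTMLParser):
    """Collects href values of <a> tags, i.e. what a crawler would follow."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def outbound_links(page_html: str) -> list:
    """Return every href a crawler would extract from the rendered fragment."""
    collector = LinkCollector()
    collector.feed(page_html)
    collector.close()
    return collector.hrefs


if __name__ == "__main__":
    print("vulnerable:", outbound_links(render_entry_vulnerable(SPAM_ENTRY)))
    print("hardened:  ", outbound_links(render_entry_hardened(SPAM_ENTRY)))
```

Escaping on output is the minimum; the moderation-before-publishing approach suggested in the comments below removes the spam entirely rather than merely neutralising its markup.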
Universities and Schools
The problem isn’t restricted to .gov.uk domains: we found an even bigger issue with .ac.uk websites, which are reserved for academic institutions such as universities and colleges, the kind of websites you might happily let your children browse unsupervised.
Perhaps even worse is the hacking of primary and secondary school websites, which pupils are actively encouraged to visit. We found over 30 domains infected with content that could direct children away from the safety of a school site to a third-party site owned by the hacker, which could host spyware and all manner of adult content.
Action needs to be taken
All the issues discussed in this article are caused by the websites in question running insecure and badly designed software. Hackers will always try to exploit vulnerable websites, and by leaving gaping holes in their security the administrators of the sites discussed are leaving themselves open to lawsuits and some very upset internet users.
How long before somebody has malware installed on their PC via one of these infected websites and sues the government for damages? A corrupted PC can be costly in terms of the time required to fix it, not to mention the data that could be lost.
How to see the hacked pages
We have included numerous screenshots of the infected pages below; you can also see them for yourself by running Google search queries similar to the ones below.
The hackers quite often make the injected text invisible on the page, so you may need to click the “Cached” link offered in the Google results and then the “Text-only version” of the cached page. An example is here.
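The “Text-only version” trick works because the spam is hidden with CSS, not removed from the HTML. The scanner below is an added example, not a tool from the article, that does the same check offline: it walks a page, notes which elements carry a hiding style (`display:none`, `visibility:hidden`, zero font size, off-screen positioning), reports every link whose href or anchor text mentions one of the pharma terms from the article’s searches, and produces the flattened text a text-only cached view would show. The sample page, the `pharm.example` hostnames and the list of hiding styles are constructed assumptions for the illustration; the style list is illustrative, not exhaustive.

```python
import re
from html.parser import HTMLParser

# Search terms used in the article's own Google queries.
PHARMA_TERMS = ("viagra", "cialis", "levitra")

# Style fragments commonly used to hide injected text from a human visitor
# while leaving it in the HTML a crawler indexes (illustrative, not exhaustive).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|%)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


class SpamLinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self._stack = []          # (tag, hides) so end tags can unwind hiding state
        self._hidden_depth = 0    # >0 while inside an element that hides its content
        self._current_link = None
        self.findings = []        # dicts: href, text, hidden
        self.text_parts = []      # everything a text-only view would show

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        hides = bool(HIDING_STYLE.search(style)) or "hidden" in a
        self._stack.append((tag, hides))
        if hides:
            self._hidden_depth += 1
        if tag == "a":
            self._current_link = {"href": a.get("href") or "", "text": "",
                                  "hidden": self._hidden_depth > 0}

    def handle_endtag(self, tag):
        if tag == "a" and self._current_link is not None:
            link = self._current_link
            self._current_link = None
            blob = (link["href"] + " " + link["text"]).lower()
            if any(term in blob for term in PHARMA_TERMS):
                link["text"] = " ".join(link["text"].split())
                self.findings.append(link)
        # Unwind to the matching open tag; ignore stray end tags entirely.
        if not any(t == tag for t, _ in self._stack):
            return
        while self._stack:
            t, hides = self._stack.pop()
            if hides:
                self._hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        if self._current_link is not None:
            self._current_link["text"] += data
        self.text_parts.append(data)


def scan(page_html: str):
    """Return (pharma links found, text-only rendering of the page)."""
    scanner = SpamLinkScanner()
    scanner.feed(page_html)
    scanner.close()
    text_only = " ".join(" ".join(scanner.text_parts).split())
    return scanner.findings, text_only


# Constructed sample of a school page with three hidden and one visible spam link.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to our school</h1>
<p>Term dates and <a href="/newsletter.html">newsletters</a> are below.</p>
<div style="position:absolute; left:-9999px">
  <a href="http://pharm.example/v">buy viagra online</a>
  <a href="http://pharm.example/c">cheap cialis</a>
</div>
<p style="font-size:0px"><a href="http://pharm.example/l">levitra</a></p>
<p>Visible <a href="http://pharm.example/open">viagra</a> link too.</p>
</body></html>"""

if __name__ == "__main__":
    found, text = scan(SAMPLE_PAGE)
    for f in found:
        print(("HIDDEN " if f["hidden"] else "visible") + " " + f["href"] + " " + repr(f["text"]))
    print("text-only view:", text)
```

Pointing `scan` at the saved HTML of a suspect page is equivalent to reading Google’s text-only cache, with the added detail of which links a visitor would never have seen on screen.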
More examples

These sites don’t need to be hacked if they allow anyone to write to them.
Instead they should require a login or have the entries checked by someone before they are made public.
I hope what I say now does not just appear without a check!
Wow, can you believe it? Those pesky hackers are something else, aren’t they?
Diss
Indeed, Brevan, we encourage visitors to leave comments on our articles, but each one is individually moderated by a human being before going live on our website. The reason for us publishing this article was to raise awareness of this type of hacking, which has remained undetected for too long. I am sure the list of sites we have documented is not even scratching the surface of the total number of organisations affected.
Horrible..
None of the government sites are conscious about security.
I’d go a step further and say that virtually no commercial sites vet user input properly, hence so many SQL injection attacks, cross-site scripting and also just general profanity-laden vandalism of comments boards…
Noticed this a couple of years ago – interesting to see it’s still a problem. Generally seems to occur when gov’t/school sites use open source or collaborative software such as Plogger, but then never update it, so hackers can use security vulnerabilities to inject their links. Seems like the public sector needs some serious education about online security and the pitfalls of not keeping their software up-to-date.
Another good search to expose this kind of stuff: http://www.google.co.uk/search?q=site%3Asch.uk+levitra
This is why all open-source website software shouldn’t include a slug with the version number or what software it’s running on. If it’s great, people will come anyway; no reason to advertise.