The Safety of Popular Hosting Environments (or Lack Thereof)

July 22nd, 2010


If you don’t mow the lawn often enough, you may find unwelcome guests in your yard.
Image courtesy dnatheist.

Hosting companies are a major component of criminal resources online. Like all for-profit enterprises, cybercrime relies on solid, dependable infrastructure that allows criminals to distribute viruses and other malware. While some hosting companies actively support cybercriminals by explicitly offering so-called “bullet proof hosting” environments to those looking for havens from law enforcement, many hosting companies simply turn a blind eye to cybercrime. After all, they are making a profit and they are not getting in trouble for providing services to criminals, so why would they stop? A new report by HostExploit sheds light on hosting companies that are likely aware that criminals use their services to further their ends.

Of course, cybercriminals do not always pay for the services they use. A tried and true method used by online thieves is to borrow the resources of a server someone else is paying for.

How does one take over someone else’s server? The variety of techniques used is beyond the scope of this article. But just as a person’s home computer is likely to be infected by a virus if the software it uses is out of date, a hosting environment that does not keep up with updates to the software and applications it runs is more likely to be hijacked by cybercriminals, because unpatched vulnerabilities exist. Just this week Google’s Matt Cutts discussed the growing threat of web server hacking in Google Webmaster Videos, saying:

I think web servers on the web are going to be exploited a lot more. The hackers are going to stop putting viruses and malware on individual people’s machines and they’re going to start attacking web servers across the entire world wide web.

So today we focus on those hosting companies that are negligent in updating their infrastructure, in essence opening the door for criminals to illicitly host their own content like illegal online pharmacies or to infect internet users’ computers. Once the users’ machines are infected, the criminals will steal banking passwords, use the computers to send spam or even participate in phishing attacks to steal money from victims’ bank accounts.

The Study

Profile of 100,000 Most Popular Websites

Cyveillance recently performed a scan of the 100,000 most popular websites on the entire internet, as defined by Alexa. (A daily listing of Alexa’s top 1 million websites can be downloaded from this page.) We simply requested the headers from each of the sites, which will return details about what systems the website’s hosting platform uses. This type of information is included virtually every time any web surfer visits any web page, so requesting it once from each site would not impose any burden on these 100,000 websites.

We then simply compared what versions of common hosting variables were used by these popular sites. We have used very conservative standards for what are acceptable, up to date versions. That being said, here’s what we learned…

Apache HTTP Server

Distribution of Apache Versions

Current Version: Version 2.2.15 is the current stable release, released four months ago according to Wikipedia.

What We Considered Out of Date and Why: Any version in the 2.0.x series or older is well out of date. Version 2.2 appears to have been released in the year 2007.

Internet Information Services (IIS)

Distribution of IIS Versions

Current Version: Version 7.5 was released in October 2009 and is the current stable release according to Wikipedia.

What We Considered Out of Date and Why: Anything using version 6.0 and older. Version 6.0 was released as part of Windows Server 2003.

PHP

Distribution of PHP Versions

Current Version: Version 5.3.2 was released in March 2010 and is the current stable release according to Wikipedia.

What We Considered Out of Date and Why: Anything using version 5.1 or older. Version 5.2.0 was released in November 2006. It’s hard to justify not upgrading in the last 3.5 years. Also note that PHP exploits typically arrive through the software installed on a website (forums, blogs, etc.) rather than through PHP itself, which in and of itself is not a vector for attack. But PHP updates routinely include security fixes to prevent such abuse, so running more recent versions is good hosting hygiene.

To recap:

Service                          Apache HTTP Server 2.0.x or older   IIS 6.0 or older   PHP 5.1 or older
Percentage of top 100,000 sites  6%                                  12%                7%

Perhaps it’s also useful to know what percentage of the top 100,000 have upgraded to the newest version.

Service                          Apache HTTP Server 2.2.15   IIS 7.5   PHP 5.3.2
Percentage of top 100,000 sites  4%                          1%        1%

So there is a very large percentage of sites not running up to date versions of these services. If your definition of safe is “must run the most recent version” then the web is very vulnerable indeed.
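To make the comparison concrete, here is an added example (not Cyveillance’s own scanning code) that applies the post’s three out-of-date thresholds to a constructed set of Server and X-Powered-By headers and tabulates percentages the way the recap tables do, keeping non-responders and version-hiding sites in the denominator as the caveats describe. The header samples, the “other” bucket for versions between the two cut-offs, and the assumption that headers have already been collected are all mine.

```python
import re
from collections import Counter

# Thresholds from the post: a version at or below OUT_OF_DATE counts as out of
# date; a version equal to CURRENT counts as the newest release.
OUT_OF_DATE = {"apache": (2, 0), "iis": (6, 0), "php": (5, 1)}
CURRENT = {"apache": (2, 2, 15), "iis": (7, 5), "php": (5, 3, 2)}

# Version tokens as they appear in Server / X-Powered-By headers.
PATTERNS = {
    "apache": re.compile(r"\bApache/(\d+(?:\.\d+)*)"),
    "iis": re.compile(r"\bMicrosoft-IIS/(\d+(?:\.\d+)*)"),
    "php": re.compile(r"\bPHP/(\d+(?:\.\d+)*)"),
}


def parse_version(text):
    """'2.0.63' -> (2, 0, 63) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def extract_versions(headers):
    """Return {service: version_tuple} for each service a response discloses.

    `headers` is a dict of response headers (keys compared case-insensitively,
    as HTTP requires); None stands for a site that returned nothing.
    """
    found = {}
    if not headers:
        return found
    blob = " ".join(v for k, v in headers.items()
                    if k.lower() in ("server", "x-powered-by"))
    for service, pattern in PATTERNS.items():
        match = pattern.search(blob)
        if match:
            found[service] = parse_version(match.group(1))
    return found


def classify(service, version):
    """'out_of_date', 'current' or 'other' according to the post's cut-offs."""
    threshold = OUT_OF_DATE[service]
    if len(version) < len(threshold):
        return "other"  # e.g. "Apache/2" is too coarse to judge (assumption)
    if version[:len(threshold)] <= threshold:
        return "out_of_date"
    if version == CURRENT[service]:
        return "current"
    return "other"


def tabulate(responses):
    """Percent of ALL polled sites running out-of-date / current versions.

    Non-responders and sites that hide their version stay in the denominator,
    mirroring the post's decision not to screen them out.
    """
    total = len(responses)
    counts = {service: Counter() for service in PATTERNS}
    for headers in responses:
        for service, version in extract_versions(headers).items():
            counts[service][classify(service, version)] += 1
    return {
        service: {
            "out_of_date_pct": round(100.0 * counts[service]["out_of_date"] / total, 1),
            "current_pct": round(100.0 * counts[service]["current"] / total, 1),
        }
        for service in PATTERNS
    }


# Constructed sample of ten "sites" standing in for the real header capture.
SAMPLE_RESPONSES = [
    {"Server": "Apache/2.2.15 (Unix)", "X-Powered-By": "PHP/5.3.2"},  # both current
    {"Server": "Apache/2.0.63 (Red Hat)"},                            # Apache out of date
    {"Server": "Apache/1.3.41 (Unix) PHP/4.4.9"},                     # Apache and PHP out of date
    {"Server": "Microsoft-IIS/6.0", "X-Powered-By": "ASP.NET"},       # IIS out of date
    {"Server": "Microsoft-IIS/7.5"},                                  # IIS current
    {"Server": "Microsoft-IIS/7.0", "X-Powered-By": "PHP/5.2.17"},    # neither bucket
    {"Server": "Apache"},                                             # version withheld
    {"server": "nginx/0.7.67"},                                       # not one of the three services
    {"Server": "Apache/2.2.3 (CentOS)", "X-Powered-By": "PHP/5.1.6"}, # PHP out of date
    None,                                                             # no response at all
]

if __name__ == "__main__":
    for service, row in tabulate(SAMPLE_RESPONSES).items():
        print(f"{service:7s} out of date: {row['out_of_date_pct']:5.1f}%   "
              f"newest: {row['current_pct']:5.1f}%")
```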

Caveats

A few items are worth mentioning.

  • Sometimes a website has a bad day and for whatever reason did not return any response to our request for its headers. Stuff happens. Perhaps the site was offline, perhaps the site has a policy of not answering requests just for headers. We did not screen these out of the results because we wanted to preserve the integrity of the top 100,000 dataset. It would have been rather arbitrary to keep going deeper past the 100,000 site mark just to make up for some absentees.
  • Some webmasters will modify their sites so that the headers do not reveal very much information about what systems they run. This is very clever because in the same way we scanned the sites to do a health check up on the most popular 100,000 sites, criminals will scan the web looking for out of date software to attack. The sites that did not offer any such information were not removed from our dataset.
  • Also, there are certainly situations where the same “hosting environment” was found multiple times in the top 100,000 sites we polled. For instance, a good number of sites from blogspot.com, wordpress.com, etc were present. But again, we didn’t pull those out because we wanted to maintain the notion of the top 100,000 sites on the web.

Conclusion

As can be seen, a noteworthy percentage of hosting environments out there do not run very recent versions of important system components. And to reiterate, we have used generous allowances for what we considered unarguably out of date in general terms. This is especially surprising given the commercial value of sites in the 100,000 most popular sites on the entire internet. With the stiff competition to become highly-trafficked, we were surprised to see that so many of these sites have not kept up with such fundamental components to their software.

Of course, this certainly doesn’t mean that by going to these sites you will be infected with malware, or that you will visit a compromised server. What it does mean is that a significant portion of highly valuable sites are not as well protected as they should be, and that less popular sites even farther down the food chain may be even more risky because there is less monetary incentive for their owners to protect them.

We want to make clear that we are not calling out any individual site for not being up to date. There are many reasons a site may not be completely up to date with the most recent software out there. Maybe their web application was not future-proofed and would not run on newly updated versions, so they have not been able to bring things up to speed. That’s a business decision for the site owners. Maybe the site in question is a security researcher honeypot and is out of date on purpose! In any case, our aim is simply to paint a picture of the overall landscape.

What can be done?

Clearly, in the same way a computer owner regularly applies updates to the software running on his or her machine, hosting companies need to be very diligent about offering the most recent versions of the types of services we describe above. Webmasters should also only use hosting companies running up to date software. This will not only help keep the webmasters’ sites safe from hacks by cybercriminals, it promotes a healthier web for everyone if hosting companies know they lose business to more security-minded competitors.

Of course, in the same way that even a fully-patched, updated laptop can still be infected by malware, the most carefully maintained hosting environments can be compromised. Our intention is not to suggest that if a hosting company gets infected and is used to spread malware to internet users that it was negligent. Zero-day exploits are sadly not uncommon. We are suggesting that hosting environments which are not updated and get infected or compromised by cybercriminals are in fact making the internet a more dangerous place than it would be otherwise, and that action should be taken to correct the situation.

Let’s say you are travelling in your car and need a place to eat. You come upon a town. If you knew that 10% of the town’s restaurants did not meet health code standards and that there was a nontrivial chance you could get food poisoning, would you want to eat in that town? No, we wouldn’t want to eat in that town either, and we hope for a time when the internet’s hosting environments are far safer than they are now.

Counterfeit Goods Online

July 14th, 2010

Cyveillance has fought for many years against the seemingly endless barrage of counterfeit goods online, especially focusing on illegal online pharmacies (example, example, example) and even the US companies who support them.

It was especially encouraging to see the dangers of counterfeit goods covered this morning on NBC’s Today Show. Serious video coverage can also be found at CNBC. Consumer education about the dangerous risks in ordering medications online without a prescription, as well as the inferior quality of other counterfeit products is always welcomed.

While such crooks are traditionally found in the notorious 3 P’s (porn, poker, and pills) sometimes these criminals will diversify into other areas. One major illegal online pharmacy marketing group from Russia recently announced their intention to enter the fashion market:

The project is aimed at selling clothes, shoes and accessories of the most well-known brands like Gucci, Armani, Galliano, Diesel, Burberry, Calvin Klein, Gianfranco Ferre, Cartier, DelMaro, Prada, Dolce & Gabbana, Guess, Dsquared, Hugo Boss, Moschino, etc. (There are more than 100 (!) different brands presented at the site).

Because we think it unlikely that a group of illegal online pharmacy operators from Russia has signed distribution and marketing agreements with 100 legitimate brands, we believe the merchandise from this site and others in its network are most likely counterfeit.

Indeed, here is one of their sites from this new effort:

counterfeit fashion
A screenshot from a website that appears to sell all counterfeit goods.

The marketers for fake or “replica” clothing sites use the old fashioned spammy tactics often associated with online pharmacies to get the word out about their websites. In these next two screen shots, you can see the comment moderation panel for this very blog, where devious marketers of counterfeit goods have submitted comments to cyveillanceblog.com in the hopes that we will publish the comment and the accompanying link to their site. (Click the images to enlarge them).


As is clear, online criminals have no intention of slowing down their illegal tactics on the internet. We look forward to a public who is more informed about the serious risks involved in counterfeit products and will continue working hard to negate the threat posed to consumers by such cybercriminals.

Illegal Online Pharmacy International Drug Mart Now Supported by Trustwave

June 23rd, 2010

Rogue online pharmacies offer prescription medications to consumers without requiring a prescription, and often sell medications that are not approved by the FDA. This leaves ample opportunity for dangerous, untested and even counterfeit products to be purchased and abused by consumers.

International Drug Mart is just such a rogue online pharmacy. It will sell a large number of prescription drugs to anyone with a credit card. LegitScript, an online pharmacy verification service used by Google, Yahoo!, and Bing, has confirmed that InternationalDrugMart.com is a rogue online pharmacy due to unlawful, unsafe, or deceptive practices.

In mid-May Cyveillance wrote that International Drug Mart had employed the services of noted certificate authority Thawte, which is based in South Africa. International Drug Mart did so to give the impression that it is a reputable business and that it cares about its customers’ wellbeing. However this is a ruse and does not change the fact that dependence-forming painkillers, powerful anticancer medications and other drugs are available from International Drug Mart to anyone with a credit card.

Shortly after our publication of this information, Thawte canceled its services to International Drug Mart. Cyveillance commends Thawte for doing the right thing and withdrawing support to a business that clearly endangers the health of consumers.

Thawte’s responsible behavior was promptly mirrored by two other peers in the SSL certificate industry:

  • After being denied by Thawte, International Drug Mart procured an SSL certificate from a certificate authority in the United Kingdom. Upon being informed of the nature of International Drug Mart’s business, the British certificate authority immediately canceled its service to International Drug Mart.
  • After being denied by the British certificate authority, International Drug Mart procured an SSL certificate from a certificate authority in Romania. Upon being informed of the nature of International Drug Mart’s business, the Romanian certificate authority immediately canceled its service to International Drug Mart.

Now International Drug Mart has gone to Secure Trust, also known as Trustwave, for its SSL certificate. (It should be noted that for quite some time International Drug Mart has also used Trustwave’s Trusted Commerce program.) Trustwave is based in the United States.

Cyveillance has reached out to Trustwave on multiple occasions in recent weeks. On June 22 Cyveillance received an email from a Trustwave vice president who wrote, “We have reviewed our validation of this site and it does meet all criteria to demonstrate organization control of the web domain and therefore we will not revoke the certificate at this time.”

By the logic offered in Trustwave’s response, anything on the internet, no matter what the content, is fair game for Trustwave’s services as long as the site meets certain technical requirements.

Just this week, Vice President Joe Biden offered (emphasis ours):

I applaud Google, Yahoo and Bing for the steps they’ve taken in recent weeks to stop selling advertising to illegal Internet pharmacies. But — but — we need to go further. It’s time for others to step up to, it’s time to stop supporting ads for drugs sold illegally over the Internet — and for a simple reason: for the public health of American — of our population.

The same goes for companies who support illegal Internet pharmacies in ways other than advertising. When we look at International Drug Mart, we see a site that is in clear violation of federal law and has serious potential for physical harm. We are disappointed that Trustwave, unlike its peers, does not have a problem doing business with such an organization.

New Industry Coalition Formed to Help with the Fight Against Fraud

June 18th, 2010


Dealing with the Challenges of Social Media in the Workplace

June 8th, 2010

A story by The Plain Dealer posted on www.cleveland.com last week sheds light on the numerous issues associated with social media and the workplace. Providing real life examples of problems experienced by companies such as Petland and Nestle, the story gives an excellent overview of many of the decisions that need to be made in the implementation of a company-wide social media strategy.

Companies can take proactive steps to strengthen their security posture and minimize potential damage from problems that arise in the social media environment. The steps start with addressing challenges effectively with a solid understanding of the authorized and vast numbers of unauthorized social media users within the company. Next, companies should have a formal education and training plan in place that meets the needs of all sides of the business. Further, documented social networking policies, ongoing monitoring and a strong organizational feedback structure are essential. For more information, see The Impact of Social Media on Corporate Security: What Every Company Needs to Know published by Cyveillance in Spring 2010.

Interview with Joseph Menn, Author of Fatal System Error

June 2nd, 2010


Cyveillance recently had the opportunity to interview Joseph Menn, the author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet, released in January 2010. Menn has reported on security and other technology issues for more than a decade at the Financial Times and the Los Angeles Times, mostly from his base in San Francisco. He is a two-time finalist for the Loeb Award, the most prestigious in financial journalism. Earlier, he won a “Best in Business” award from the Society of American Business Editors and Writers for tobacco coverage at Bloomberg News, where as legal editor he directed stories that revealed the landmark settlement talks between the cigarette companies and the states.

His latest nonfiction book follows two protagonists who were successful in bringing down a small group of cyber criminals. It also highlights the growing threat and active participation of organized crime syndicates in online criminal activity.

Cyveillance asked Menn for some comments on this serious problem.

Cyveillance: Your book covers a time frame from approximately 2000 through 2009. Based on the experiences of the book’s protagonists, what would you say the large scale trends in cyber crime during that time frame are?

Menn: It’s night and day. In 2000, hackers would knock down sites such as eBay and Yahoo for momentary fame. They were isolated teens or those with small circles of like-minded friends. In 2003, the first purely commercial viruses appeared, compromising tens of thousands of machines for illicit purposes. The initial motive for the people in charge was to make money by sending spam from addresses that would evade blacklists, which were growing more effective. But once they had the botnets, they began finding other ways of making money, including denial-of-service attacks for hire. They would take out a sponsor’s competitor for a price at first, but then the criminals became more enterprising and wiped out sites unless they were paid off, a freelance extortion gambit. The same gangs and bots are now engaged in mass identity theft and financial fraud against consumers and small businesses, as well as theft of trade and military secrets. By now, the vast majority of serious cyber crime is mob-related, and more than 90 per cent goes overseas.

Cyveillance: In the book both Barrett Lyon, an American citizen, and Andy Crocker, a British law enforcement officer, experienced frustration with domestic and international law enforcement’s ability to understand and take action against the cyber criminals they faced. Why do you think this is, and has the situation improved? If you think it has not improved, what do you think needs to change in law enforcement to more effectively take on sophisticated cyber crime?

Menn: Cyber crime cases are hard to prove. The Internet might as well have been designed with plausible deniability in mind. And law enforcement cooperation is hard to get even from allies, due to logistical issues, differing priorities and varying laws. But the overarching problem, which nobody in power wants to talk about, is that the worst of the worst are knowingly protected by corrupt governments or those that view the mobsters as intelligence assets or strategic weapons. The enforcement outlook has not improved substantially, while the crime has gotten much worse over the years. Britain, which during the period in the book was well ahead of US efforts overseas, has gone backward with the dismantling of the National Hi-Tech Crime Unit. The only ray of light is that people inside the Obama administration are paying more attention and thinking about the issue.

Cyveillance: How would you describe the connection between the cyber criminals described in your book and with traditional organized crime?

Menn: In Russia, both petty criminals and legitimate business owners typically need a “roof”, or mob patron, to whom they pay tribute in exchange for fending off other criminals and officials looking for bribes. So even independent hacking rings, once they got large, depended on traditional mobsters to perform such services. Once the old mob saw how lucrative Internet crime was, it began taking a more direct supervisory role, as it did with the Russian Business Network in St. Petersburg.

Cyveillance: The criminals in Fatal System Error were largely Russian in origin. What is it about Russia that seems to produce such sophisticated cyber criminals, and do you see that situation improving?

Menn: Russia has had first-rate math and computer education for decades. But there are limited legitimate career opportunities. In addition, crime isn’t viewed through the same moral lens we have in the West; it just isn’t seen as that bad a choice. The corruption is staggering. And now it is even worse, because the major criminal hacking groups have protection from intelligence and military wings of the national government. The same people are being used to attack Kremlin enemies, both internally and externally, including government and media sites in countries such as Estonia and Georgia.

Cyveillance: Based on your book’s findings and other accounts, there appear to be casual if not formal links between the Russian government and the online criminal enterprise known as the Russian Business Network. While botnets that are under the control of groups like the RBN are harmful by definition, is it your belief that the weaponization of criminal resources reportedly found here is an isolated incident, or is this a growing risk from other governments?

Menn: It is a pattern that is spreading. The second most serious threat comes from China. Hacking there has evolved the other way, beginning with state-sponsored and patriotic attacks and now with a major profit motive as well. Criminal outfits with bot networks may look for personal financial data first, but they share commercial and military goodies with the officials who protect them.

Cyveillance: If there is one lesson from Fatal System Error, what is it?

Menn: The internet as we have come to use it–for financial and business activities–cannot survive without drastic action that is highly unlikely to occur. We need to make the protection of criminals a major diplomatic priority, and we need massive funding for an opt-in protocol more secure than TCP/IP.

Cyveillance: Thank you for your time. Any other thoughts you would like to add?

Menn: I’ve covered cybersecurity for almost a dozen years at major newspapers. Since 2004, I’ve been convinced the topic needed a thorough but also entertaining book on the subject. I got very lucky in finding heroes like Barrett, who infiltrated both Russian and Gambino cyber-mob operations, and Andy, who was nearly killed while conducting the most successful West-Russian collaborative prosecution of hackers in history, yet had never told his story. With the New Yorker comparing Fatal System Error to Stieg Larsson’s trilogy and Slashdot saying it’s on par with The Cuckoo’s Egg, I feel I accomplished what I set out to do.


Many thanks to Menn for taking the time to answer our questions.

More Online Health Care Options for Consumers Provide More Opportunities for Online Criminals

June 1st, 2010

When technology and policy move forward they have the opportunity to make healthcare more efficient. But we must be prepared for the hijacking of legitimate healthcare efforts online by cyber criminals.

Two recent news articles feature topics that will quickly be abused by marketers for illegal pharmacies trying to make a buck.

Knowing that consumers will be searching more for terms like e-prescription and telemedicine as they become more commonplace, criminals will increasingly attempt to attract searchers to their sites. Their expertise in diverting traffic will mean that unknowing consumers will find themselves on sites where they can buy prescription medications with no prescription, some of which are not even approved by the FDA.

Cyveillance is hopeful about the increased efficiencies that technology can bring to medicine, however consumer education will be necessary as criminals will be eager to hijack the messaging around terms like ‘e-prescribing’ and telemedicine to further their rogue online pharmacy efforts. Organizations like the Food and Drug Administration and American Medical Association should increase their education efforts aimed at informing consumers about safe ways to take advantage of the internet for healthcare.

Thawte Site Seal Used by Illegal Pharmacy UPDATED

May 14th, 2010

UPDATE: Thawte canceled its services to InternationalDrugMart.com in late May. Cyveillance commends Thawte for doing the right thing. More on the story here.


In our recent post covering the Canadian Health & Care Mall, we highlighted the great lengths to which illegal online pharmacies will go to present the illusion of legitimacy. Sites like the Canadian Health & Care Mall will present false business locations and falsified certificates of approval from the U.S. Food and Drug Administration to add credibility, and visitors will believe that they’ll be safe when they order medications from the site.

Another common tactic on sites like Canadian Health & Care Mall is to present fake Verisign Seals. While many consumers don’t know exactly what having a Verisign Seal means, they do know it increases the likelihood that transactions with that site are safe. So while some rogue pharmacies will go the extra step of creating fake Site Seals, unfortunately it appears that this is not always necessary, as some Site Seal issuers do not have a problem working with websites that illegally sell prescription drugs without a prescription.

This week International Drug Mart, a rogue online pharmacy that sells prescription drugs without a prescription from a medical professional, announced that it had “chosen Thawte, since it is a leading global certificate authority providing online security to millions all over the world”.

The Thawte Site Seal can be seen on the rogue online pharmacy site in this image:

…and the following image shows Thawte’s acknowledgement that International Drug Mart uses secure communications.

Unfortunately, while this rogue online pharmacy may appear to protect its customers’ payment information, the fact remains that it unlawfully and dangerously offers prescription medications to anyone with a credit card. It is surprising that a seemingly legitimate company would be knowingly associated with such a business, much less a company in the security industry. By doing so, it undermines its own credibility and diminishes consumer trust and confidence in its own site seal.

Cyveillance has reached out to Thawte for a response on the matter but has not yet received a reply. We welcome their comments.

Rogue Online Pharmacies No Strangers to Social Media

May 6th, 2010

Earlier this week the Partnership for Safe Medicines posted an interesting piece detailing how a sales affiliate of a known rogue pharmacy is using twitter to promote its offerings. That account is of course disturbing not only because it promotes a website which allows consumers to buy medicines like accutane without a prescription, but each posting on that twitter account appears to have been made in an automated fashion via twitter’s API. This suggests a level of sophistication above that of the average webmaster’s.

As troubling as these reports are, we should not be surprised. When there is money to be made, criminals will take the steps necessary to gain every advantage possible. A Russian online pharmacy network called RX Partners (also known as StimulCash) has been publishing content using social media formats for some time. Note the examples of the RX Partners blog, forum, wiki, and twitter account below.


As of this writing, there are 1,165 subscribers to their blog according to Feedburner.

The RX Partners blog offers professional advice on how to market an online pharmacy using black hat search engine optimization techniques, general advice for online pharmacy webmasters, and of course, announces their upcoming retreat for their affiliates on the Mediterranean: a four day vacation in a five star hotel in the Turkish port of Antalya.

The RX Partners online forum offers English, Russian, and Spanish sections for its affiliates.


The busy, closed forum allows online pharmacy webmasters to share techniques and has over 1,300 registered users.

If you are an affiliate in the RX Partners network with technical expertise, you can contribute on their wiki.


Learn how to integrate illegal online pharmacy sales into one’s WordPress site using this wiki example.

And of course, RX-Partners has its own twitter page as well. At the time of this writing they have 1,071 followers.

Don’t think their use of social media is meant only to spread information among their sales affiliates. The modern online pharmacy template from this crew encourages visitors to take advantage of social media sites to spread the word about the pharmacy itself, promoting the sale of products that have not been approved by the US Food and Drug Administration like chewable or “soft” Viagra.


Visitors to this online pharmacy are encouraged to share it with friends using Facebook, Twitter, StumbleUpon, Digg, and other popular sites.

Cyveillance endorses the Partnership for Safe Medicine’s call for internet companies to do a better job of removing unlawful content from their sites. Online pharmacy marketing on popular social media sites endangers a public that is easily deceived by slick marketing, and what it delivers is a host of dangers: counterfeit, stolen, and unapproved medicines.

Are Social Media Sites Effectively Protecting Against the Proliferation of Malware?

April 30th, 2010

Reports continue to come out about social media users who unknowingly access malware through online advertisements and/or applications. Facebook’s Farm Town is a recent example: people who clicked on a banner ad in the game were told that they had multiple viruses on their computer but could eradicate them by clicking on an anti-virus link. Those who clicked the link were exposed to a malware download and installation.

While reports like this are not new, users continue to fall victim to traps on trusted social media sites. It is time for these sites to realize the serious impact that attacks have on user confidence and make the necessary adjustments to proactively protect their users from dangerous links and ads resting on their pages.

For example, Cyveillance works with customers who use its data feeds to ensure the protection of advertisers’ brands online. These organizations understand the importance of staying one step ahead of the dangers on the Internet and utilize Cyveillance’s real-time content monitoring to deliver early warnings of potential violations. In doing so, advertisers are aware of any brand misuse online, which helps to keep Internet users protected against rogue links that may be falsely associated with the company, thus providing a safer online environment.

As malware continues to plague social media sites, it is time for these Websites to take action. A proactive security approach will not only create a safer online environment, but also generate greater user confidence among the growing social media sites.