Vulnerable Shared Hosting Platforms Responsible for Most BHSEO Compromised Websites

An analysis of compromised websites used in black hat SEO campaigns, performed by cloud security vendor Zscaler, suggests that weakeneses in share hosting platforms are the most common attack vector.

The Zscaler researchers inspected around 1,100 websites hijacked by spammers and used to redirect visitors to scareware websites.

Such compromises usually result in rogue PHP pages with content related to hot search topics, being uploaded on the Web servers.

These pages get indexed by search engine crawlers and appear in search results, however, when users try to visit them, they get redirected to malicious sites pushing fake antivirus software.

When looking at the compromised websites, the researchers were surprised to find out that only 15% of them were built using popular open source content management solutions like WordPress, Joomla! or osCommerce.

In fact, many of them were static websites created with plain HTML, JavaScript and images. Under these circumstances, the possibility of them being hacked via SQL injection or other vulnerabilities that require server-side scripting is out of the question.

Other possible methods are compromised FTP credentials, lifted from computers infected with malware, or weaknesses on shared hosting servers, that allow, for example, neighborhood spying.

“The second possibility is the most likely. There have been mass-infections reported in the past for GoDaddy, BlueHost, Dreamhost, etc.,” writes Julien Sobrier, senior security researcher at Zscaler.

However, another surprise came from the distribution of compromise sites on hosting companies. The most affected ones were actually the small and medium-sized providers.

For example, 38% of the hijacked websites were hosted with companies which are part of the Endurance International Group. An additional 28% were hosted at BlueHost and 11% at New Dream Network.

The big players were on unexpectedly low positions. Go Daddy accounted for 2% of the compromised sites, while 1&1 under 0.5%.

In a time when compromised websites are used for all sorts of illegal activities, security should be one of the primary aspects considered when choosing a hosting solution.