14 DAY TRIAL // Spammers have exploited a cPanel vulnerability at a hosting company in order to abuse high profile domains belonging to educational, financial and public institutions.
The compromises began in April 2010 at Hostmonster, an Utah-based hosting company owned by Bluehost, and lasted until earlier this month
Bluehost co-founder Danny Ashworth told Krebs on Security that an attacker exploited the vulnerability to create rogue subdomains on dozens of domain names hosted by the company.
The subdomains pointed to pages used in black hat search engine optimization (BHSEO) campaigns to poison search results.
This method involves creating pages filled with keywords for a particular search topic, a technique referred to as keyword stuffing, on domains with a solid PageRank.
According to Krebs on Security, the affected domains included accessbank.com, a financial institution in Nebraska; bankler.com, the U.S. Senate Whitewater Committee's investigative tax accountant; ejercito.mil.do, the Army of the Dominican Republic; sacmetrofire.ca.gov, the Sacramento Metropolitan Fire District, and wi.edu, The Wright Institute.
The spammer was able to create subdomains between April and July 2010, when the company addressed the security issue, but they remained online until recently.
"We added and altered some security measures in July for another issue that we found which also fixed the CPanel bug that allowed this exploit to take place, [and] although it did not allow additional records to be created/altered, it did not remove the entries that existed," Ashworth said.
In this attack the pages served as doorways to rogue online pharmacies, but in other circumstances, they can lead to scareware, fake programs that pose as legit security applications.
Cloud security vendor Zscaler recently warned about a wave of hijacked domains including .EDU and .GOV ones that were abused to promote online pirated software stores.