Sunday, April 21, 2024

Why are some *.Gov.PH websites redirecting users to gambling sites? - Manila Bulletin

Last updated Friday, December 30, 2022 22:05 ET, Source: NewsService

Here’s the thing. You did a Google search for information on some Gov.PH site. But then, Google could return search results with links like these below:

Since the site is a Gov.ph and the results come from Google, you wouldn’t be blamed for assuming that it is safe. So, you click on the circled link BUT you get to a gambling site instead!

How it all started

Eskie Maquilang, a penetration testing engineer at KPMG, first discovered this shocking tactic. Note: He did this in his personal capacity and as support to common friends.

Eskie noticed that hackers were triggering a lot of 403 errors (forbidden) on monitored servers. What got his attention were these URLs (uniform resource locators):

Now, why would hackers be searching for these specific files? Eskie thinks that the hackers are trying to confirm the presence of these files on your webserver. If these files exist on YOUR server/s, it means that the server is already compromised.

They or other hackers already uploaded the files via vulnerable plugins. And once the files are in your webserver, Google spiders/bots will index them. And once in the index, any search that matches it will be “served” by Google.

So how do all these files lead to gambling? These spuriously uploaded files contain the code that redirects web visitors to the hackers’ preferred sites. It also checks for the referrer link. This check ensures that the links only work if the referrer is from Google.com or Bing.com! It doesn’t work with Duck Duck Go...
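An added example, not from the original article: one way a defender could look for both signs described above in web server access logs, namely the 403 probes for specific files and paths that redirect only when the referrer is Google or Bing. It assumes the redirect is issued server-side, so it shows up as a 3xx status in a combined-format log; the log lines, paths and IP addresses are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (combined log format); paths, hosts and IPs are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Dec/2022:10:00:01 +0800] "GET /uploads/placeholder-a.php HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0"
192.0.2.11 - - [30/Dec/2022:10:00:07 +0800] "GET /uploads/placeholder-a.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.12 - - [30/Dec/2022:10:01:15 +0800] "GET /uploads/placeholder-a.php HTTP/1.1" 302 0 "https://www.bing.com/search?q=x" "Mozilla/5.0"
192.0.2.13 - - [30/Dec/2022:10:02:00 +0800] "GET /uploads/placeholder-a.php HTTP/1.1" 200 512 "https://duckduckgo.com/" "Mozilla/5.0"
192.0.2.14 - - [30/Dec/2022:10:03:00 +0800] "GET /old-page HTTP/1.1" 301 0 "https://www.google.com/" "Mozilla/5.0"
192.0.2.15 - - [30/Dec/2022:10:03:30 +0800] "GET /old-page HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.5 - - [30/Dec/2022:10:04:00 +0800] "GET /uploads/placeholder-b.php HTTP/1.1" 403 0 "-" "curl/8.0"
"""

LINE_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')
SEARCH_ENGINES = ("google.com", "bing.com")  # the two referrers the article names

def is_search_referrer(referrer):
    """True when the Referer host is one of SEARCH_ENGINES or a subdomain of it."""
    host = (urlsplit(referrer).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SEARCH_ENGINES)

def find_cloaked_redirects(log_text):
    """Return paths that redirect (3xx) only for search-engine referrers."""
    seen = defaultdict(lambda: {"search": set(), "other": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path, status, referrer = m.group(1), int(m.group(2)), m.group(3)
        bucket = "search" if is_search_referrer(referrer) else "other"
        seen[path][bucket].add(300 <= status < 400)
    # Flag a path when every search-referred hit redirected and no other hit did.
    return sorted(p for p, s in seen.items()
                  if s["search"] == {True} and s["other"] == {False})

def probed_paths(log_text, status=403):
    """Return paths answered with 403, the probe pattern the article describes."""
    matches = map(LINE_RE.search, log_text.splitlines())
    return sorted({m.group(1) for m in matches if m and int(m.group(2)) == status})

if __name__ == "__main__":
    print("referrer-conditional redirects:", find_cloaked_redirects(SAMPLE_LOG))
    print("403 probes:", probed_paths(SAMPLE_LOG))
```

A path such as `/old-page` that redirects for every visitor is not flagged; only behaviour that differs by referrer is. A redirect done in client-side script would not appear in these logs and needs a different check.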

Read Full Story: https://news.google.com/__i/rss/rd/articles/CBMiXmh0dHBzOi8vbWIuY29tLnBoLzIwMjIvMTIvMzEvd2h5LWFyZS1zb21lLWdvdi1waC13ZWJzaXRlcy1yZWRpcmVjdGluZy11c2Vycy10by1nYW1ibGluZy1zaXRlcy_SAQA?oc=5
