ICAC suffers embarrassing web security failure

Outdated CMS means spammers are exploiting the website of the NSW Independent Commission Against Corruption

Awkward.


The website of New South Wales' anti-corruption watchdog, the Independent Commission Against Corruption, is being actively exploited by spammers, but the organisation seems none the wiser.

Computerworld Australia contacted ICAC earlier this week after discovering evidence that spam links, designed to boost the search engine rankings of sites, had apparently been present on the organisation's website at some point in the recent past.

However, it is clear that the original report was wrong in one important respect: thanks to ICAC's use of an outdated version of the Joomla content management system, spammers are continuing to actively exploit the site.

Sucuri.net's site checking tool confirms ICAC is using an outdated version of Joomla.

When contacted on 20 May about the website, a spokesperson declined to comment on whether ICAC's website had suffered from security problems in the recent past. ICAC had "no comment in relation to internet matters", the spokesperson said in an email.

The links are not visible in the source code of pages on the site when viewing them normally through a web browser.

However, when spoofing the user-agent of the browser to masquerade as the web crawler that Google uses to build its search engine index, the links can be easily viewed in the source code of the current versions of a number of pages on the ICAC website.

The kind of spam links inserted into the ICAC website.
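
The comparison described above, as an added example that is not part of the original article: it extracts the off-site links from two copies of a page, one fetched with a browser user-agent and one with Googlebot's, and reports links served only to the crawler. The sample HTML, the example.* hosts and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.request import Request, urlopen

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class LinkCollector(HTMLParser):
    """Collects absolute URLs from every <a href> in a document."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.add(urljoin(self.base_url, href))

def external_links(html, base_url):
    """Links whose host differs from the page's own host (mailto: etc. are skipped)."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    site = urlparse(base_url).hostname
    return {u for u in collector.links if urlparse(u).hostname not in (None, site)}

def cloaked_links(browser_html, crawler_html, base_url):
    """Off-site links present only in the crawler-facing copy of the page."""
    seen_by_browser = external_links(browser_html, base_url)
    return sorted(external_links(crawler_html, base_url) - seen_by_browser)

def fetch(url, user_agent):
    """Fetch a page while presenting the given User-Agent header."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_url(url):
    """Live check of one page: fetch it twice and diff the off-site links."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA), url)

# Constructed sample input so the comparison runs offline.
BASE = "https://www.example.org/about/"
BROWSER_COPY = ('<html><body><a href="/contact">Contact</a> '
                '<a href="https://partner.example.net/">Partner</a></body></html>')
CRAWLER_COPY = BROWSER_COPY.replace(
    "</body>", '<a href="http://pills.example.com/buy">cheap pills</a></body>')

if __name__ == "__main__":
    print(cloaked_links(BROWSER_COPY, CRAWLER_COPY, BASE))
```

A clean result from `check_url` does not rule out an injection that keys on the crawler's source IP address rather than its user-agent, and pages with rotating third-party content can produce differences that are not spam.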

"This type of behaviour is a strong indication that the ICAC website has been compromised by a spammer," said Ty Miller, director and founder of Threat Intelligence.

"This may have occurred via a Joomla vulnerability or a compromised Joomla account on the website. These types of hacks tend not to be malicious in nature and instead are focused on 'black hat' search engine optimisation to increase their website rankings in Google by increasing the number of links to their website."

"The attacker will have had to add some 'user-agent detection' code to some of the Joomla PHP programs," Miller said.

"This may be something along the lines of a 'check.php' script that determines if the requester is a search engine or a real web browser in order to hide its presence.

"Other techniques for injecting hidden backdoors include injecting code such as 'eval(base64_decode(...))' that automatically decodes the Base64 encoded backdoor and executes it on the web server that subsequently checks whether the requester is a search engine or not. This code may be found in areas such as infected Joomla template files."

Threat Intelligence's Ty Miller

A Google search using the phrase 'site:http://www.icac.nsw.gov.au/' and the name of a popular pharmaceutical used to promote male performance in the bedroom returns more than 2000 hits from the ICAC domain.

"PHP-based content management systems are a popular target for hackers as they are often not secured properly, they are often not patched or upgraded, and commonly are found to be running vulnerable modules," Miller said.

"This demonstrates how important it is for organisations to ensure that they regularly apply security patches and upgrades to websites. If this is not possible then they can purchase a web application firewall that will assist in preventing exploits from working."

ICAC has been approached for comment.
