IT and technology-related issues are frequently reported in the media. A well-known website is hacked, a new technology is unveiled, user feedback is discussed… Many times articles contain factual inaccuracies. The problem is that reporters are not “techies” and often provide misleading or erroneous analyses.
Fake drug scam hijacks UK college websites
The BBC recently reported that “UK academic institutions have unwittingly become the accomplices of criminals selling fake drugs online.” The article went on to state that this had happened because spammers had “exploited vulnerabilities” in the PHP scripting language. As a PHP programmer I take exception to this claim, as should website owners and web design agencies, for reasons that I will explain later.
The article reported how academic websites with the .ac.uk domain extension were unwittingly forwarding visitors to websites selling fake drugs online. Without going into much detail, it explained that spammers had injected code into the web pages, seemingly exploiting vulnerabilities in PHP, that would make Google and other search engines believe that the pages were relevant for searches related to prescription drugs such as Viagra. When a user searched for those terms and visited the website via the link on the search engine results page (SERP), the injected code would detect this and redirect them to the online pharmacy. When a user visited the website by typing in the URL directly or via a non-drug-related search, the normal page was displayed.
Deliberately Targeted
This is not a random attack; the websites had been specifically targeted. Academic institutions rank very well in search engines because, put simply, they are inherently trusted and as such, the .ac.uk domain extension carries a lot of weight.
An attack like this is also clever because it doesn’t place visible links to spammers’ websites or make any obvious changes to the web page that has been compromised. Visitors only get redirected to the online pharmacies if they are actually searching for specific terms. This way the website administrator may never realise that their scripts have been compromised, and so never remove the spammers’ code!
One such website that has been affected is Ravensbourne College of Design and Communication. Amazingly, four days after the BBC reported that their website had been compromised (and presumably even longer since they found out), the injection is still in place! If you visit www.rave.ac.uk you will see the college’s official website. If you search for the college and follow the link in the SERP you will also see the college’s official website. However, if you search for Viagra and follow the link in the SERP you will not end up on the college’s website at all, but at a “Canadian online pharmacy”!
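A site administrator can automate the three visits just described and compare the results. The following is an added example, not code from the BBC article or from any affected site: it requests a page with no referrer, with a harmless search referrer and with a drug-related search referrer, and flags any off-site redirect that the direct visit does not get. The search URL format, the function names and the `sample_fetch` stand-in are assumptions made for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import quote_plus, urlsplit

# Referer values mirroring the three visits described above. The search URL
# format is an assumption made for this example.
def referer_variants(site_name, spam_term):
    search = "https://www.google.com/search?q="
    return {
        "direct": None,
        "benign_search": search + quote_plus(site_name),
        "spam_search": search + quote_plus(spam_term),
    }

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx responses instead of following them

def http_fetch(url, referer):
    """Return (status, Location header or None) without following redirects."""
    headers = {"Referer": referer} if referer else {}
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def find_conditional_redirects(url, variants, fetch=http_fetch):
    """Flag variants that redirect off-site when the direct visit does not."""
    own_host = urlsplit(url).hostname
    baseline = fetch(url, variants["direct"])
    findings = []
    for name, referer in variants.items():
        status, location = fetch(url, referer)
        target = urlsplit(location).hostname if location else None
        off_site = 300 <= status < 400 and target not in (None, own_host)
        if off_site and (status, location) != baseline:
            findings.append((name, status, location))
    return findings

# Constructed responses standing in for a compromised site (no network used).
def sample_fetch(url, referer):
    if referer and "q=viagra" in referer:
        return 302, "http://pharmacy.example/"
    return 200, None
```

This only compares HTTP status and `Location`; a redirect carried out inside the returned page content would need the response bodies compared as well.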
What Cost?
This is all very unfortunate for the college. The negative publicity alone would be bad enough, but they will also have to spend time and money removing the injected code and then plugging the holes that allowed an exploit of this type to happen in the first place.
I mentioned earlier that I would object to the reporting of this as a PHP exploit. I believe that this is inaccurate and could lead people to believe that PHP is inherently less secure than other scripting languages. In fact I would not call this a PHP exploit at all – it’s slack coding that could have resulted in the same thing happening no matter what scripting language the website was developed in.
From the scant technical details offered in the original article it would appear that the affected websites do not properly validate and filter user input. Of course a website developed in PHP would be vulnerable to rogue code injection attacks if user input is not validated correctly. But for that matter so would any other scripting language!
Aside from my personal objections to the labelling of this incident as a vulnerability within PHP, website owners and web design agencies should also consider the effects of the media when reporting stories like this. If a potential client reads the article and takes from it that “PHP is not secure” or “PHP websites get hacked easily” and then you pitch a PHP-based website to them, how will that affect your chances of winning the contract? And to a lesser extent, how do stories like this affect the public’s perception of your current website? Would they feel safe buying from you online when such high-profile PHP websites fall victim to hacking?
Conclusion
But what can we in the IT community do? It’s not realistic to expect journalists to understand that this was poor coding rather than an insecure scripting language. The best that we can do is be aware of what stories are floating around in the news and be sure that we understand and can explain the real issues!








