CYBERSPACE — AARP strives to provide services and advocacy for retired persons throughout the U.S., but the services provided by the organization’s website last week probably weren’t the kind the group had in mind.Hackers exploited a vulnerability in the content-management system that operates AARP.org and used scripts to redirect the site’s traffic to porn destinations. Researchers at MX Logic said the attacks appeared to be designed more to bump the destinations’ rankings at Google than to get seniors to buy online porn.
“First, hackers found vulnerabilities in AARP.org’s user profile functionality, allowing them to post JavaScript redirect code and HREF links to porn sites,” MX Logic Director of Internet Properties Jeremy Yoder told DarkReading.com. “Second, hackers employed bots in a massive campaign to submit blog comments containing links to the hacked AARP.org user profiles.
“There has been a considerable increase in the use of comment and profile spam to promote pornographic or phishing sites in search engines,” he continued. “This one was particularly notable because of the precise coordination of the attack, the exploitation of Web 2.0 functionality and the [search engine optimization] motivation.”
Yoder said the problem lies in AARP’s homegrown CMS, which allows “foreign” JavaScript code execution. Most off-the-shelf CMSes don’t, he noted. MX Logic discovered the attacks when it noted unusual traffic activity directed at AARP.org during a routine scan of the Web.
“Search engines rank sites based upon links from other sites,” he explained to DarkReading.com. “If a high-ranking site like the AARP [to which Google has assigned a page rank of 8 on a scale of 1-10] links to the hacker’s site, it increases the recipient site’s ranking and traffic. The bot-driven blog comment spam drives increased visibility of the hacked AARP profiles, driving higher traffic numbers and ranking to the AARP profile itself.”
Human intervention in the process that allows users to post comments in AARP.org’s Web 2.0 environment could solve the problem, he noted.
AARP has not commented about the attacks.
