Discovery of possible new ransomware campaign targeting websites

Websites are being hacked and defaced with “the worst of the worst” child sexual abuse images.

According to the Internet Watch Foundation (IWF), businesses' websites have been hacked and child abuse images uploaded, meaning that not only is the reputation of the company impacted, but users are seeing these images.

The IWF said it had received 227 reports of this happening over the past six weeks. In such an instance, a user would visit a compromised website and unknowingly be redirected to a folder, created by the attackers, that contained the child sexual abuse images.

As a third party has set up the ‘diversion' from one site to another and planted the folder of the images, the administrators of the adult site and the hacked site would not know this is happening.

Sarah Smith, technical researcher at the IWF, said: “We hadn't seen significant numbers of hacked websites for around two years, and then suddenly in June we started seeing this happening more and more.

“It shows how someone, not looking for child sexual abuse images, can stumble across it. The original adult content the internet user is viewing is far removed from anything related to young people or children.

“We've received reports from people distressed about what they've seen. Our reporters have been extremely diligent in explaining exactly what happened, enabling our analysts to re-trace their steps and take action against the child sexual abuse images.

“Since identifying this trend we've been tracking it and feeding into police forces and our sister hotlines abroad.”

The IWF said that hackers also hijacked links on adult websites so that if a visitor clicked on one of the affected pornographic images or videos, they would be directed to the offending material.

Security consultant and blogger Graham Cluley said that many legitimate websites do get hit in this way and are defaced, and he understood why the IWF needed to do something about it.

However he told SC Magazine that his feeling was that this was tied to ransomware, where users will be told that there is material on their computer and they need to get their PC cleaned. “I am trying to work out why this has occurred, there is the possibility of damaging the reputation of companies who are hosting the material, although the servers are not directly linked to the store,” he said.

“Or it could be a hacktivist group trying to get people to go to a website to get them to download malware. But the IWF said that the links are based on legitimate adult websites; ransomware is a way of tricking someone and someone who has been exposed to child abuse images is not going to go to PC World or the police, they will want it to go away.”

Cluley also believed that users and businesses will be concerned about this, as the attackers are being more aggressive in a very effective form of social engineering. He recommended learning about ransomware, and to make sure orphan servers are patched and cleaned up.

Sign up to our newsletters