So yesterday I became aware of a web site that had been compromised and that was employing a concept known as ‘click-through cloaking’. The web site in question can be found by going to Google or Live.com and searching for “open voting foundation”. The first search result is the site in question. But do NOT click on the search result returned by Google (at least not right now as of 11am on November 8th 2007).
Why is that? If you do – you will be redirected to a bunch of porn and exploit sites via malicious IFRAMEs sent down to your browser by the hacked openvotingfoundation.org web site. If you click through from live.com – you’ll get to the actual openvotingfoundation.org web site and nothing bad will happen.
So what’s going on here? The openvotingfoundation.org web site was compromised, and the server side pages were modified to inspect the HTTP referrer header of visiting browsers. If the HTTP referrer indicates that the click through to the openvotingfoundation.org web site originated from Google or Yahoo – then the user is whisked away to porn and exploit sites. If the HTTP referrer is blank or is from, say, live.com – you are allowed to see the web site’s content and you’re not redirected.
Why would the bad guys do this? To buy time. Think about it – say you arrived at that site via a search engine and you were clueful and you got owned. You’re going to give the URL that tried to exploit you to your local IT security geek and he’s going to paste it in his browser and visit the site to investigate – and guess what? Nothing will happen to him since he didn’t click through to the site from a search engine on ‘the list’. So he’ll think the problem has been fixed and probably won’t report the incident to the people maintaining the site. The bad guys just bought themselves a little more time.
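The lesson for the IT security geek is to never trust a single visit: fetch the page several times with different Referer values and compare what comes back. The checker below is an added example (not from the original post); it probes a page under a blank, Google, Yahoo and live.com Referer, flags any divergence, and lists off-site IFRAMEs that appear only under a search-engine Referer. The probe URLs, the `attacker.invalid` placeholder and the stand-in server are constructed for offline use.

```python
import hashlib
import re
import urllib.request
from typing import Callable, Dict

# Referer values to try; search-engine click-throughs are what the cloaked page
# treated differently from direct visits. (Constructed probe URLs.)
PROBE_REFERERS = {
    "direct": "",
    "google": "https://www.google.com/search?q=open+voting+foundation",
    "yahoo": "https://search.yahoo.com/search?p=open+voting+foundation",
    "live": "https://search.live.com/results.aspx?q=open+voting+foundation",
}
IFRAME_RE = re.compile(r"<iframe[^>]*src=[\"']?([^\"'\s>]+)", re.IGNORECASE)

def probe_cloaking(fetch: Callable[[str], str]) -> Dict[str, object]:
    """Fetch the same page once per Referer and report whether responses diverge.
    `fetch(referer)` returns the final response body as text."""
    bodies = {name: fetch(ref) for name, ref in PROBE_REFERERS.items()}
    digests = {n: hashlib.sha256(b.encode()).hexdigest() for n, b in bodies.items()}
    baseline = digests["direct"]  # the view an investigator gets by pasting the URL
    divergent = sorted(n for n, d in digests.items() if d != baseline)
    # IFRAMEs present only under a search-engine Referer are the tell-tale sign.
    base_frames = set(IFRAME_RE.findall(bodies["direct"]))
    injected = {}
    for name in divergent:
        extra = set(IFRAME_RE.findall(bodies[name])) - base_frames
        if extra:
            injected[name] = sorted(extra)
    return {"cloaked": bool(divergent), "divergent": divergent, "injected_iframes": injected}

def http_fetch(url: str) -> Callable[[str], str]:
    """Real fetcher for live use: GET `url` with the given Referer, following redirects."""
    def fetch(referer: str) -> str:
        req = urllib.request.Request(url, headers={"Referer": referer} if referer else {})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return fetch

# Constructed stand-in reproducing the behaviour the post describes, so the
# checker can be exercised offline; a clean server returns the same page every time.
CLEAN_PAGE = "<html><body><h1>Open Voting Foundation</h1></body></html>"
def fake_compromised_fetch(referer: str) -> str:
    if "google." in referer or "yahoo." in referer:
        return CLEAN_PAGE.replace("</body>", '<iframe src="http://attacker.invalid/x" width=0 height=0></iframe></body>')
    return CLEAN_PAGE

def fake_clean_fetch(referer: str) -> str:
    return CLEAN_PAGE

if __name__ == "__main__":
    print(probe_cloaking(fake_compromised_fetch))
    print(probe_cloaking(fake_clean_fetch))
```

A live run would be `probe_cloaking(http_fetch("http://example.invalid/"))`; a `cloaked: True` result means the page cannot be judged from a direct visit alone.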
Microsoft Research actually uncovered this late last year and released a report internally that they have now made available at the following URLs:
It’s fascinating reading if you have the time.
P.S. – For the record – the folks at the compromised web site have been notified and will hopefully be taking action soon to clean it up.