Hacked to send spam or distribute malwareSecurity researchers found that a significant number of Web sites belonging to the Argentinian government were hacked and are now being used in black hat search engine optimization campaigns (BHSEO). Some of them are even infecting visitors with malware.
The mass compromise was discovered by Sucuri Security, a provider of Web-based integrity monitoring and malware detection solutions. In an advisory posted on its blog, the company names twelve Argentinian governmental websites that are involved in spam or malware distribution, however, it points out that there are a lot more of them out there.
The websites appear to be used in black hat search engine optimization campaigns (BHSEO), that try hijack search keywords related to various controlled drugs used to treat depression or alleviate pain, as well as typical enhancement pills. BHSEO is the practice of artificially bumping up websites in search results for a series of keywords.
Cyber criminals commonly use the technique to poison search results related to current event and trick Web users onto their malicious websites. They have gotten so good at it, that sometimes they manage to poison almost all results on the first page of a Google search.
“What’s more scary than the SPAM itself, is that these sites are hacked and nobody is noticing it or taking any action to clean them up. Some of them even have malware,” Dadiv Dede, a security researcher at Sucuri, writes. He points that the official websites of some Argentinian ministries, cities or states are amongst the compromised ones.
The exact attack method has not yet been determined and Sucuri is still looking into it. However, the fact that many run on outdated versions of WordPress that are known to be vulnerable, might be an indication of the problem. Additionally, some of them run on custom applications, which are vulnerable attacks like SQL injection.
But Argentina is not the only country whose government has failed to protect its Web properties. Back in June, Sucuri reported a similar mass compromise of Brazilian governmental websites, which are being abused in the same fashion.
You can follow the editor on Twitter @lconstantin