Manifold Public Reading Groups Being Abused by Web Spammers

Since last week, we have been looking at various ways that web spammers have been abusing functionality of websites, particularly on websites at major universities, to place spam content on them. The final element that we noticed at this time involves software designed by and for universities. The software, Manifold, is there to allow handling a library of documents. It also includes a feature for public reading groups, which spammers have been abusing, as can be seen on this website from the University of Virginia:

As is usual, if you allow the public to put content on a website, web spammers will start abusing.

If you have a website that has web spam content placed on it, we can help you to get it cleaned up and hardened to avoid additional issues.

Web Spammers Also Abusing MediaWiki Websites at Major Universities

In looking over recent web spam activity, we have noted two trends. Abusing functionality of popular web software and doing that with websites from major universes. So another element of this isn’t surprising. Spammers are adding spam pages to websites running MediaWiki from major universities.

Here are the latest pages added to a Harvard hosted MediaWiki website:

And here are the latest pages added on a University of California, San Diego hosted MediaWiki website:

Both of those websites are running MediaWiki 1.16, which was only supported through November 2011. So these websites look to have long ago stopped being maintained.

MediaWiki provides various ways to restrict access to editing, which can prevent old websites from being overrun with spam like this when they are no longer actively intentionally edited.

If you have a website that has web spam content placed on it, we can help you to get it cleaned up and hardened to avoid additional issues.

Various WordPress File Upload Functionality Being Abused by Web Spammers

Last week, we looked at various methods that spammers are using to place spam pages and other content on websites. That includes abusing web software, such as a Drupal module on websites from high-profile universities, and a feature of the Wix website builder service. It wouldn’t be surprising to hear that WordPress websites were also involved considering how widely used the software is and how many plugins there are that extend it that might not be hardened against abuse.

In checking over things, we noticed that a website from John Hopkins university had this happen with the Formidable Forms plugin. The website did block access to the uploaded file, with this message:

You are receiving this message because your request triggered one of our security firewall policies. Johns Hopkins faculty and staff may try accessing this page through the JH Pulse VPN Johns Hopkins VPN or MyCloud. If these methods don’t work, contact webhosting@jhu.edu and provide the full URL and support ID below.

Your support ID is: 3030507284814651859

[Go Back]

On a Princeton website, based on the location of the file, it looked like the plugin WP Feedback, Survey & Quiz Manager, later renamed to eForm was the source.

On a website of Southern Illinois University Edwardsville, the file was uploaded to WordPress’ standard directory for uploaded files. Making it unclear what the source was.

The situation is a good reminder that even if file upload functionality is secured to prevent malicious files being uploaded and a hacker taking over the website; it is still possible for file upload functionality to be abused. If you have file upload functionality, where the file uploads don’t need to be web accessible, making sure they are not accessible that way stops web spammers from abusing it.

If you have a website that has web spam content placed on it, we can help you to get it cleaned up and hardened to avoid additional issues.

GitHub Apps and LinkedIn Pulse Being Abused by Web Spammers

In the last few days, we have been looking at various aspects of a web spam campaign. We have found that, among other things, websites from various major universities have been impacted by this. We also found that GitHub and LinkedIn, which are both owned by Microsoft, have been impacted by this and they don’t seem to be doing a great job of catching that.

One aspect of this involves GitHub Apps. Here is one example of spam pages on there:

That, in turn, links to a page on LinkedIn Pulse:

You can see that was published a week ago and is still up.

What is going on with the account that was posted through is unclear. It is listed as a financial services company, but the rest of the description isn’t in line with that:

There is another account for what appears to be the same entity that seems more credible, as among other things, it lists them in the music industry

Brigham Young University CDN Being Abused by Web Spammers

The last few days we have been looking at what web spammers have been abusing to place spam files on various websites. Some of that has involved various websites from major universities, including Duke and Harvard. That isn’t all that surprising as they can have a lot of websites and they can stay up despite no longer being actively used. More surprising is that we found that a CDN belonging to Brigham Young University is also being used, and that appears to have gone unnoticed. Here is an example of spam files that have been included in Google search results from that:

So Google also seems to have a problem with catching web spam as well.

Also, it is worth noting here that Google is willing to display a claim that something has 7,447,548 votes:

That claim comes from data in the file:

<script type="application/ld+json">
    {
      "@context": "https://schema.org",
      "@type": "SoftwareApplication",
      "name": "VBUCKS",
      "operatingSystem": "ANDROID",
      "applicationCategory": "GameApplication",
      "aggregateRating": {
        "@type": "AggregateRating",
        "ratingValue": "4.8",
        "ratingCount": "7447548"
      },
      "offers": {
        "@type": "Offer",
        "price": "9999.00",
        "priceCurrency": "USD"
      }
    }
    </script>

It’s unclear how the spammers are getting the files on that CDN. It looks like you need a login to access the university’s Brightspot CMS that would seem to be connected to the CDN. Possibly, a compromised login could be used here. Though, based on other parts of the campaign, it seems possible that some upload functionality on websites is being abused to do this.

We have alerted Brigham Young University about what is going on.

Kentico CMS Still Being Abused to Host Spam Files on Websites, Possibly Through Vulnerability

Two days ago, we looked at one method web spammers are using to post spam files on to websites, abusing the Webform module for Drupal. Another aspect of this involves a less popular content management system, Kentico CMS. Like the abuse of that Drupal module, this isn’t a new issue. Lorenzo Franceschi-Bicchierai covered this situation in June of last year at TechCrunch.

What is going on there, though, isn’t as clear. The TechCrunch article had this response from the developer of Kentico CMS:

“We are aware of this particular risk that could have happened with Kentico 12 or older versions. This was identified years ago as a result of a misconfiguration, and we already addressed it at the time and changed our documentation,”

It’s unclear what addressing it means and if this was an end-user misconfiguration or a developer misconfiguration.

The security fixes listed version 12 of Kentico CMS on the software’s Hotfixes page, including two fixes for vulnerabilities that allowed uploading files that shouldn’t have been allowed. We found another claim of a similar issue that was supposed to have been addressed in version 11.0.45 of the software, though we couldn’t find a mention on the Hotfixes page of a security fix in that version.

So this is possibly caused by a vulnerability in an old version of Kentico CMS or possibly abuse of intended upload functionality that was addressed in new versions of the software.

For those running Kentico CMS or other web software that have websites that appear to be hacked, we can help you to get that properly cleaned up.

Wix Groups Being Abused For Web Spam Campaigns

Yesterday, we noted how web spammers were abusing the Webform module for Drupal to place spam files on websites. We continue to look into that spam campaign and found another interesting aspect of it. Spammers are also abusing the Groups feature of the Wix managed website service. That is notable, as services like that are supposed to handle a lot of the work for you. It would seem like flagging this type of spam is something they should be doing, but it doesn’t appear being doing that.

In one example we looked at, the spam campaign was also apparently abusing LinkedIn as the content posted on the Wix Group on a website was linking to now non-existent pages on LinkedIn:

That same impacted website, a Christian academy, also had spam added to the group that seems more problematic to the specific website, as it was promoting pornography:

It seems like Wix could do a better job of handling this. It also is a reminder that spammers will take advantage of the ability to post content on websites, so any functionality that allows that should be disabled if not used and otherwise be moderated.

Spammers Still Abusing Drupal Webform Module to Put Spam PDFs and Pages on Websites

It is common for hacked websites, whether running Drupal or other software, to be used for web spam campaigns. But there are other methods for putting spam content on websites. While looking into a spam campaign covered by Bill Toulas in a story at the Bleeping Computer, we noticed there are at least several issues that were being used by the spammers. One of those includes abusing the Webform module for Drupal.

Here was the URL for one spam page included in Google’s search results from a website of Duke University:

https://healthpolicy.duke.edu/sites/default/files/webform/speaker_request/3878/HYL5z.html

The beginning of the directory structure there, /sites/default/files/, is something that those handling Drupal websites might recognize, as that is a structure that Drupal uses. The website is running on Drupal 10.

A spam PDF from a website from Harvard, which is running Drupal 7, also showed up in the results:

https://www.nmr.mgh.harvard.edu/files/webform/vbucks-wgu-rih.pdf

What they also have in common is the /webform/ directory is where the spam was stored. That is the directory used by the Webform module for Drupal.

This isn’t a new issue. Here was the beginning of an issue report for that module from November 2021:

We have a simple form that has a file upload feature to attach PDF documents. It gets spammed by bots by uploading random PDFs without submitting the form. The files stay uploaded in the server and can be accessible at /sites/default/files/webform

The reporter of the issue went on to note another problem here:

Anti-spam modules like Google reCAPTCHA are bypassed, because you need to fill it only to submit the form, spammer does not need to submit the form to fill the server with advertised PDF files.

A simple solution to spammers being able to abuse that is by not having files uploaded through that stored in a public location. Though, as a reply on the issue report noted, there are still other issues:

IMO It’s a low-risk security problem. In our case PDF files with malicious links are submitted constantly. These malicious files are uploaded to private folder and then deleted by cron, but malicious files are constantly being sent so there are always some malicious files on the server.

This is still a risk by our users because they can find this files using modules like IMCE or File browser. Uploading a PDF, PSD or GIF file in a user accessible folder can be used to exploit a zero-day vulnerability like FORCEDENTRY if users are using a mobile and simple check the file, or include malicous links inside PDFs files to try to pishing if someone found this files browsing.

Uploaded files should be uploaded to temporally folder and then moved to private or public folder when the form was submited and validated. This would be safer because forms implement anti-bot filters that are being skipped in file submit.

The good news for those being hit by this for spam is the solution is pretty simple. For those that have actually had their Drupal website hacked, the process for addressing that is a lot more complicated. If you need a hacked Drupal website professionally cleaned, we can handle that for you.