In January, I talked about high-profile websites, which had been hacked to redirect users to fake online stores. One unique aspect of the hack was the fact that the attackers had set up additional web servers on non-standard ports. Most of the domains I listed in the post were cleaned up pretty quickly.

Three months later, there are still a number of hijacked sites redirecting to the same fake stores. One day recently, I found 68 hijacked domains, mostly college and government sites, including:

• Berkeley: cshe.berkeley.edu
• Harvard: research4.dfci.harvard.edu
• Purdue University: web.ics.purdue.edu
• Oklahoma State University: osu.okstate.edu
• Australian Government: brokenhill.ses.nsw.gov.au

List of hijacked websites redirecting to a fake store found in 1 day

While some of the pages are still hosted on alternate web servers, like hxxp://nigelbeale.com:8080/download?online=329 now, most pages have actually been added to the hacked web server, on port 80.

The fake stores have not changed much. They all claim to provide discounted software from Microsoft, Adobe, Apple, etc., for download. Visually, they all look the same and we still see new domains used for the fake online stores.

Fake software store

A Google search for “buy windows 7 pro”, for example, still shows primarily hijacked sites as the top of the results. It is very disappointing that Google has not cleaned up their search results after several months…and Bing doesn’t do a better job on this one either.

Google search for “buy windows 7 pro”. Most redirect to a fake store.

Protect yourself with Zscaler Safe Shopping

The majority of the fake stores are still not flagged by blacklists used by popular browsers or by antivirus software. Firefox users can instead leverage the free Zscaler Safe Shopping add-on we released a couple of months back, in order to be warned when they visit a fake online store.

– Julien