I have looked at 1,123 legitimate sites which have been hijacked to host spam pages redirecting users to a fake AV page. I'd assumed that most of them would be running WordPress, Joomla!, OSCommerce and other open source software known to have a history of security issues. In reality, these software packages actually represent less than 15% of all hijacked sites.
|Type of Software used to create the hijacked sites|
- Admin credentials have been stolen/brute forced, or webmaster kept the default login/password. The malicious scripts where simply uploaded using their FTP account or a web based admin interface.
- Shared hosting servers could have been compromised.
The second possibility is the most likely. There have been mass-infections reported in the past for GoDaddy, BlueHost, Dreamhost, etc. The distribution of hacked sites by hosting companies is interesting:
The Endurance International Group, which owns 20 hosting companies (iPowerWeb, Pow Web, Dot5 Hosting, StartLogic, Fatcow, Globat, etc.) hosts 38% of the hijacked sites. Bluehost, a rather small hosting provider, represents 28% of the hijacked sites. However, the biggest providers host a small proportion of sites used for malicious spamming: 2% for GoDaddy, and less than 0.5% for 1&1.
It seems that most of the legitimate sites have been hijacked through a vulnerability in their hosting platform rather than in the software they are running. That's not good news for the webmaster who wants to keep his site safe: part of the problem is out of their control, keeping your WordPress or Drupal version up to date and locked down is not enough - you also need to seek out a secure hosting provider.