By: Julien Sobrier

Many University Websites Used For Spam

Compromise

In January, I wrote about many high profile websites, mostly universities, that were hijacked to redirect to fake stores. Many have since been cleaned up, but a few of these University websites are still redirecting users to new fake stores (adobe-discount.com, terrific-software.com, successful-software.net, mmpsoftstore.com, successful-software.com, successful-downloads.com, general-oem.com, etc.)

In the past 2 weeks, I've seen a significant amount of spam hosted on University websites. Spammers seem to be using compromised user accounts on wiki-like services to upload spam for Viagra, banking loans, online casinos, etc.

Fake pharmacy page hosted on the UCSF website
The list of Universities hosting such spam include:
  • MIT (hxxp://nola.mit.edu/~cil/nolawiki/images/7/70/Amortizing-loan-calculator.pdf)
  • Cornell (hxxps://confluence.cornell.edu/download/attachments/140416416/tab15.html)
  • UCSF (hxxp://dingo.ucsf.edu/twiki/pub/People/EricAadnes/tab7.html)
  • University of Pennsylvania (hxxp://george.isc-seo.upenn.edu/ocladmin/ocl/uploads/204599.txt)
  • University of Massachusetts (hxxp://xserv1.umb.edu/groups/podcasts/wiki/ce448/attachments/cec02/xs57.html)
  • Colorado State (hxxp://writing.colostate.edu/files/personal/108957/File_0FFC8EF8-EC2C-2238-F165D3DC0AA636A9.txt)
  • Oregon State (hxxp://foodfororegon.oregonstate.edu/sites/default/files/imagecache/al65.html)
  • OSU (hxxps://carmenwiki.osu.edu/download/attachments/16256437/tad44.html, down)
  • WUSTL (hxxp://cssa.grad.wustl.edu/sites/cssa.grad.wustl.edu/files/imce/user1208/ed60.pdf)
  • Eastern University (hxxp://ccgps.eastern.edu/members/dstore/member-blog.blog2/items/Cialis-Viagra-Online)
  • University of Washington (hxxp://modular.math.washington.edu:9001/role?action=AttachFile&do=get&target=sl45)
  • Oklahoma State (hxxp://asdevelopment.okstate.edu/logs/x.php?wy334=287)
  • Tufts University (hxxps://wikis.uit.tufts.edu/confluence/download/attachments/29761132/ced46.html)
  • National University of Singapore (hxxp://wiki.nus.edu/download/attachments/76947595/doc11.html)
  • and many others
There are thousands of these spam pages. They are used mainly in e-mail spam campaigns, hidden by a URL shortener.

The university and the fraternity I attended are amongst the victims as well: hxxp://alumni.iit.edu/s/946/forms/757/100824/game31.html, hxxp://pkp.iit.edu/bog/l.php?n249=300

University websites are becoming a preferred vector for different types of spam. The vast number of sub-domains, each of them likely managed by a different group which may not have professional IT/Security skills, make them an easy target.

-- Julien

Learn more about Zscaler.