Cybersecurity researchers from Citizen Lab recently spotted PDF files advertising hacking services, on websites belonging to numerous U.S. government agencies and educational institutions.
As reported by TechCrunch late last week, the PDFs were found on .gov websites belonging to California, North Carolina, New Hampshire, and at least three more states, as well as at least five counties and administrative centers.
Universities such as UC Berkeley, Stanford, Yale, UC San Diego, and countless others, are also said to have had their websites compromised. Spain’s Red Cross, defense contractor Rockwell Collins, as well as an unnamed Irish tourism company, were also affected.
In the PDFs, the threat actors advertise various services, including the ability to hack into social media accounts such as Instagram, Facebook, or Snapchat. They also advertise computer game cheats and fake follower generation. Interested parties are invited to open websites listed in the PDFs.
Discussing his findings, researcher John Scott-Railton suggested that these are not the result of a hack, but rather of a threat actor abusing misconfigured servers and content management systems (CMS): “SEO PDF uploads are like opportunistic infections that flourish when your immune system is suppressed. They show up when you have misconfigured services, unpatched CMS bugs, and other security problems,” said Scott-Railton.
TechCrunch visited some of the websites listed in the PDFs and claim that the hacks are most likely fake, and that the entire scheme is just to get people to visit the websites. These sites, the publication claims, come with a fake CAPTCHA which only buys time for the website to generate money in the background.
While the damage of this campaign seems to be almost non-existent, it begs the question of how it was possible for so many government and educational institutions to become compromised; the aftermath could have been much, much worse.
At press time, it is claimed that most of the PDF files have been removed.