At the weekend a colleague sent me a link to the jobs site of Queen Mary University (job site here), as they wanted my advice on a position. I recommended the position but suggested using an alternative method of submitting an application, because the site really does not follow standard security practices (e.g. mixed content over HTTPS, account enumeration, password policy, etc.).
Nothing about the website surprised me until I tried to click a URL within the job listing: it automatically redirected me to the following:
The first thought that went through my mind was "oh boy, have I got malware on my machine?!". I went back to the listing and clicked the link again, and it again redirected me to a new advert. I was confident that it was not an issue with my laptop, or any malware loaded on my machine.
What may have happened
Queen Mary have not provided any details of the incident, as is common, however it has all the hallmarks of a cross-site scripting attack. That is, a malicious third party has introduced client-side scripts into webpages viewed by other users.
I will admit I am speculating but these types of incidents usually point towards something more serious, such as a compromised database or server system.
What is the hack?
For those who are interested in what I am labelling 'the hack', read on!
I decided to take a look at the source code of the Queen Mary jobs site; the following had been injected into the code after the close tag:
This is very strange code to have on a public sector website, indeed on any website. At first I thought it might be an ad block created by the developer to allow ads to be displayed when/where necessary. However, I very much doubt this is the case (well, I hope not).
The code snippet loads a file from the fashiongate.jp server. I highly doubt that Queen Mary controls this website; it would appear that the fashiongate.jp server has been hijacked and is hosting malicious scripts. Troy Hunt has blogged in detail (read it here) about how many websites do not realise they have been hacked and are hosting malicious content/scripts.
The code above displays a transparent image over part of the page, so when a user attempts to interact with the webpage (e.g. clicking a link on the nav bar) they are redirected to a new site that contains adverts and malicious software packages. The user is not aware of the image because it is transparent.
The injected code also sets a new cookie recording whether the advert has been displayed, using a boolean (1 = ad already displayed, 0 = display ad):
The cookie is also set with an expiration date, after which a new advert is displayed to the user and the cycle starts again:
I suspect this has been done to fly under the radar and mislead the end user into thinking it was a one-off incident.
This is a very simple example of what a cross-site scripting attack vector can do. The issue is that the content it was linking to could be malware-rigged content or webpages.
This issue highlights the importance of auditing all source code you manage, including performing code integrity checks.
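As an added example (not code from the original post or from Queen Mary), here is a small audit script of the kind the previous paragraph calls for. It checks a served page in three ways: whether its hash still matches a known-good baseline, whether any external script host falls outside an allowlist, and whether anything has been appended after the closing </html> tag, which is where injections of this sort often land. The HTML below is constructed for the example; the fashiongate.jp host name comes from the post, while cdn.example.org, the file paths and the allowlist are assumptions.

```python
"""Audit served HTML for integrity drift and injected third-party scripts.

Added example; not the original post's code. All sample data is constructed.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a legitimate first-party script, one approved CDN
# script, and a script tag appended after </html> that loads from a host the
# site owner does not control (the host name is the one named in the post).
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head><title>Jobs</title>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
</head>
<body><a href="/jobs/123">A job</a></body>
</html>
<script type="text/javascript" src="http://fashiongate.jp/path/injected.js"></script>
"""

# The same page without the appended script: what the site owner deployed.
CLEAN_HTML = SAMPLE_HTML.split("</html>")[0] + "</html>\n"

# Assumption: the third-party hosts this site is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.org"}


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, wherever it appears."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)


def external_script_hosts(html):
    """Return the host names of all scripts loaded from a URL with a host part."""
    parser = ScriptCollector()
    parser.feed(html)
    hosts = []
    for src in parser.script_srcs:
        netloc = urlparse(src).netloc  # empty for relative, first-party paths
        if netloc:
            hosts.append(netloc.lower())
    return hosts


def unexpected_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Script hosts that are not on the allowlist, deduplicated and sorted."""
    return sorted({h for h in external_script_hosts(html) if h not in allowed})


def content_after_html_close(html):
    """Non-whitespace content after the closing </html> tag, or '' if none."""
    match = re.search(r"</html\s*>", html, re.IGNORECASE)
    if not match:
        return ""
    return html[match.end():].strip()


def page_fingerprint(html):
    """SHA-256 of the served page, used as the integrity baseline."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def audit(html, baseline_fingerprint, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return a list of findings; an empty list means the page passed."""
    findings = []
    if page_fingerprint(html) != baseline_fingerprint:
        findings.append("integrity: page hash differs from baseline")
    for host in unexpected_script_hosts(html, allowed):
        findings.append(f"script-host: unexpected external script from {host}")
    trailing = content_after_html_close(html)
    if trailing:
        findings.append(f"trailing-content: data after </html>: {trailing[:60]}")
    return findings


if __name__ == "__main__":
    baseline = page_fingerprint(CLEAN_HTML)
    for finding in audit(SAMPLE_HTML, baseline):
        print(finding)
```

In practice the baseline hash would be recorded at deployment time and the audit run against the live page on a schedule, so that a change like the one described above is flagged within minutes rather than discovered by a visitor at the weekend.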
Reporting the incident
After verifying that it was repeatable on multiple machines (in different geographical locations) and devices, I wanted to report the issue to Queen Mary IT.
I first attempted to report the issue via the Queen Mary IT help desk email address: firstname.lastname@example.org. However, I received the following bounceback email:
I was very surprised by this response. I searched the website and was unable to find an email address for reporting incidents, or any email address that is monitored at weekends. I then turned to Twitter, but it seems that the Queen Mary Twitter account (@QMUL) is only monitored between 10am-5pm GMT, Monday to Friday:
I decided to report the incident via the Queen Mary IT support line, which to my surprise is outsourced at weekends to Northumbria University IT support. I was informed that they do not have an escalation policy in place to handle reports such as this and that it would be handled on Monday.
After 24 hours of the incident being reported, no action had been taken by Queen Mary. I therefore decided to email a new IT email address I found using Google and copy in HR (which is the 'owner' of the site). They responded stating they would investigate the issue.
10:57 Sunday 12/03/2017 - Reported the issue via email. The email bounced.
11:30 Sunday 12/03/2017 - Reported the issue via the Northumbria University IT out of hours support. Ticket logged.
08:00 Monday 13/03/2017 - The site is still hosting the malicious code.
11:00 Monday 13/03/2017 - 24 hours later and the content is still being displayed.
13:40 Monday 13/03/2017 - I decided to send a last ditch email to Queen Mary IT and HR. A response was received from HR saying "We will pass it on to our IT team".
19:00 Monday 13/03/2017 - It appears the issue has been resolved.