
Tackling website injected gambling links

Latest Update: 04/07/2024


The alarming rise of malicious link injection into websites, particularly targeting government and educational institutions, poses significant cybersecurity threats and tarnishes the reputation of these organizations. VNETWORK delves into this prevalent issue, assessing the potential consequences and providing comprehensive prevention and remediation strategies to empower businesses in safeguarding their websites and ensuring uninterrupted operations.

Prevalence and impact of malicious link injection on websites

The prevalence and sophistication of malicious link injection, particularly links associated with gambling and betting, into websites are escalating, inflicting severe repercussions on businesses and organizations.

Alarming prevalence of malicious link injection on websites

According to the Ministry of Public Security, 2022 witnessed the exploitation of hundreds of government websites for malicious link injection. This trend continued to escalate in 2023, with 90 websites compromised in March and 190 educational websites attacked in April. Notably, high-traffic, reputable websites are prime targets for cybercriminals.

The recent surge in malicious advertising link injection on government and educational websites has taken on an increasingly complex nature. These cyberattacks have not only increased in scale but have also become more sophisticated, employing diverse methods that pose significant challenges to detection and remediation.

[Image: Government (.gov.vn) domains are being injected with gambling and betting links]

[Image: Educational (.edu.vn) domains are being injected with gambling and betting links]

The threat of malicious link injection extends beyond government and educational entities, encompassing all businesses operating in the online realm. Enterprises with reputable domain names and high traffic volumes are particularly attractive targets for cybercriminals, who seek to maximize their gains by disseminating harmful content and illicit advertisements.

Devastating impact of malicious link injection on businesses

The injection of malicious gambling and betting links wreaks havoc on businesses, primarily through four detrimental channels:

  • Reputational damage: Brand image and credibility suffer immensely when websites are associated with illicit activities and harmful content. This is particularly severe for government agencies, educational institutions, and reputable businesses, eroding public trust and jeopardizing partnerships.
  • Plummeting traffic: Websites flagged as malicious by search engines and web browsers experience a drastic decline in search rankings, leading to a significant drop in website traffic and potential customer reach.
  • Financial losses: The decrease in website traffic directly impacts online business operations, resulting in revenue losses and missed opportunities.
  • Mounting expenses: Businesses incur substantial costs in remediating the attack's aftermath, including patching security vulnerabilities, upgrading systems, and implementing enhanced security measures. This can disrupt operations and increase overhead expenses.

Unveiling the roots and methods of malicious link injection

Behind the malicious links lurking on websites lies a sophisticated network of cybercriminals employing a diverse and ever-evolving arsenal of attack vectors to exploit security weaknesses and reap illicit gains.

Decoding the roots of malicious link injection on websites

a. Evolving tactics of cybercriminals

Malicious actors are constantly refining their techniques to inject gambling and betting links, particularly during major sporting events like the EURO, World Cup, and Copa America. They establish a network of illegal gambling websites with offshore servers, aggressively advertise their services, and lure unsuspecting individuals into illicit betting activities. These tactics involve attacking and gaining control of vulnerable servers, injecting malicious code, and redirecting website traffic to gambling sites using relevant keywords like "xocdia," "taixiu," "go88," and "hitlub."

b. Black Hat SEO targeting reputable websites

Government and educational institutions with .gov.vn and .edu.vn domains, considered highly credible, become prime targets for Black Hat SEO (Search Engine Optimization) campaigns. Perpetrators exploit backlinks from these trusted websites to boost the search rankings of their illegal sites, enabling them to reach a wider audience of potential victims.

c. Inadequate cybersecurity investments

Many organizations, particularly public sector and educational institutions, often overlook the critical importance of cybersecurity, leading to insufficient investment in security measures. Consequently, website management, updates, and monitoring are not prioritized, creating security vulnerabilities that cybercriminals can easily exploit.

Prevalent attack vectors

Websites are frequently compromised through security loopholes to inject malicious backlinks, posing the risk of malware infections or inappropriate content display. These malicious backlinks stem from Black Hat SEO practices, where individuals disregard Google's guidelines to achieve higher search rankings. Common attack vectors include:

  • Spam index: Attackers exploit unmoderated website forms to inject keyword-rich content.
  • File upload: Vulnerabilities allowing file uploads are targeted to inject SEO-laden files.
  • Security vulnerability exploitation: Hackers leverage vulnerabilities in servers, shared libraries, plugins, weak administrative accounts, or databases to gain control of websites and inject malicious links. Commonly exploited vulnerabilities include:
      1. Outdated operating systems on servers without security patches.
      2. Shared libraries with security flaws.
      3. Vulnerabilities in website plugins.
      4. Weak passwords for administrative accounts.
      5. Insufficiently strong passwords for database connections.
      6. Lax server permissions, enabling malware to spread to other websites on the same server.

Comprehensive guide to combating and preventing malicious link injection on websites

To safeguard websites from cyberattacks and malicious link infiltration, implementing proactive prevention and remediation measures is not only essential but also mandatory for all organizations and businesses.

Tackling malicious backlinks

For already compromised websites

  1. Implement Header or No-Index Tags: Add a header or no-index tag to uploads directories to inform search engines not to index user-uploaded files and paths.
  2. Remove Backlink-Containing PDFs: Eliminate PDFs containing malicious backlinks.
  3. Scan for Website Vulnerabilities and Update Patches: Conduct a thorough website vulnerability scan and apply all necessary operating system patches.
  4. Identify and Patch XSS and Search Vulnerabilities: Detect and address any XSS (Cross-Site Scripting) or search function vulnerabilities.
  5. Patch File Upload Vulnerabilities: Identify and patch any file upload vulnerabilities.
  6. Request Removal of Indexed Backlink URLs: Submit a request to Google for the removal of indexed backlink URLs associated with malicious advertising. Refer to: https://developers.google.com/search/docs/crawling-indexing/remove-information?hl=en

For uncompromised websites

  1. Implement Header or No-Index Tags: Add a header or no-index tag to uploads directories to inform search engines not to index user-uploaded files and paths.
  2. Scan for XSS, File Upload, SQL Injection, CVEs, and Search Function Vulnerabilities: Conduct a comprehensive scan for XSS, File Upload, SQL Injection, CVEs (Common Vulnerabilities and Exposures), and search function vulnerabilities.

Addressing malicious link injection through vulnerability exploitation

Remediation and prevention strategies for malicious backlinks injected via vulnerability exploitation:

  1. Scan Unaffected Websites for Vulnerabilities: Scan websites not yet injected with backlinks for RCE (Remote Code Execution), SQL Injection, and CVEs. Patch any identified vulnerabilities.
  2. Examine Source Code of Affected Websites: Scrutinize the entire source code of websites on the server with injected backlinks. Pay particular attention to vulnerabilities related to SQL Injection and Telerik. Minimize shared hosting for multiple websites to reduce the risk of "reinfection" after cleaning the server and patching website vulnerabilities, as hackers may still gain access through vulnerabilities on other websites hosted on the same server.
  3. Check for Malicious Code in IIS Modules:

     3.1. Utilize sigcheck: Verify that modules are signed by trusted providers using Microsoft's signtool or sigcheck tool.

     3.2. Employ ESET's YARA Rules:

          Step 1: Download and install the latest YARA version from: https://github.com/Virustotal/yara/releases

          Step 2: Download ESET's YARA rule file from: https://github.com/eset/malware-ioc/blob/master/badiis/badiis.yar

          Step 3: Run YARA with the downloaded rule file.

  4. Remove Malicious IIS Modules: After identifying suspected malicious code samples, check them against VirusTotal or compare them against a list of essential website modules. If a sample is confirmed as malicious or an unused module, collaborate with the hosting provider to remove it.
  5. Mitigate IIS Server Attack Potential: Regularly apply operating system and software updates, and carefully evaluate which services are exposed to the internet to minimize server exploitation risks (Source: Hanoi Police Department).
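The comparison against a list of essential modules can be scripted. The following is an added example, not code from the article or from VNETWORK: it reads the native modules registered in the `<globalModules>` section of IIS's applicationHost.config and returns those missing from an allowlist. The sample config, the `ExampleCacheModule` entry and the allowlist are constructed for illustration.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section of applicationHost.config.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ExampleCacheModule" image="C:\inetpub\temp\cache64.dll" preCondition="bitness64" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Hypothetical allowlist: native modules this site is known to need.
ESSENTIAL_MODULES = frozenset({"UriCacheModule", "StaticFileModule"})


def list_native_modules(config_xml, windir=r"C:\Windows"):
    """Return (name, image path) for every module registered in <globalModules>."""
    modules = []
    for section in ET.fromstring(config_xml).iter("globalModules"):
        for entry in section.findall("add"):
            image = entry.get("image", "")
            # IIS stores paths with %windir% / %SystemRoot%; expand them by hand
            # so the script also works on a copy of the config taken off the server.
            image = re.sub(r"%(windir|systemroot)%", lambda m: windir, image, flags=re.I)
            modules.append((entry.get("name", ""), ntpath.normpath(image)))
    return modules


def modules_to_review(config_xml, essential=ESSENTIAL_MODULES):
    """Return registered modules that are not on the essential list."""
    return [(name, image) for name, image in list_native_modules(config_xml)
            if name not in essential]


if __name__ == "__main__":
    for name, image in modules_to_review(SAMPLE_CONFIG):
        # Each path printed here is a first candidate for sigcheck and the YARA scan.
        print(f"{name}\t{image}")
```

A module whose name is on the allowlist still needs the signature check from step 3.1, since a matching name says nothing about the file behind it.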

To mitigate the risk of attacks and insertion of malicious links, organizations and businesses need to proactively implement comprehensive security measures. Firstly, conducting periodic reviews of the entire website system is crucial, especially thorough inspections of the website's source code. Particular attention should be given to newly created files or those with creation times different from other files in the same directory, as these could indicate malware insertion. Additionally, regularly changing the administrator passwords and database access passwords, especially when weak passwords are in use, is also an effective preventive measure.
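One way to run the timestamp review described above, as an added example that is not part of the original article: the script walks a web root and reports files whose modification time is far from the median of their directory. The 30-day threshold, the use of modification time as a stand-in for creation time, and the sample tree are assumptions.

```python
import os
import statistics
import tempfile
from pathlib import Path

DAY = 86400  # seconds


def timestamp_outliers(root, max_gap_days=30, min_siblings=3):
    """Return (relative path, days from directory median) for out-of-step files.

    Assumption: a deployment writes the files of one directory at about the
    same time, so a file far from the median deserves a manual look.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        stamps = {}
        for name in files:
            path = Path(dirpath) / name
            try:
                stamps[path] = path.stat().st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
        if len(stamps) < min_siblings:
            continue  # too few files to say what "normal" looks like
        median = statistics.median(stamps.values())
        for path, mtime in stamps.items():
            gap_days = (mtime - median) / DAY
            if abs(gap_days) > max_gap_days:
                findings.append((path.relative_to(root).as_posix(), round(gap_days)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: three files deployed together, one written 200 days later."""
    deploy = 1_700_000_000
    uploads = Path(root) / "uploads"
    uploads.mkdir()
    for name, offset_days in [("a.jpg", 0), ("b.jpg", 0), ("c.jpg", 0), ("cache.aspx", 200)]:
        p = uploads / name
        p.write_bytes(b"sample")
        os.utime(p, (deploy + offset_days * DAY,) * 2)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, gap in timestamp_outliers(build_sample_tree(tmp)):
            print(f"{rel}: {gap:+d} days from directory median")
```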

Moreover, to ensure comprehensive network security, organizations and businesses should conduct an overall system assessment to identify potential security vulnerabilities and implement professional security solutions. Utilizing automated monitoring tools to detect unusual changes on the website is also a useful solution, helping to respond promptly and prevent potential attacks.
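A small monitoring check of this kind, as an added example that is not from the article or any VNETWORK tool: it parses a page's HTML and reports links whose URL or anchor text contains one of the keywords quoted earlier in the article. The sample page and the host names `school.example` and `betting.example` are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keywords quoted in the article; extend the list for your own monitoring.
KEYWORDS = ("xocdia", "taixiu", "go88", "hitlub")

# Constructed sample page for a hypothetical site, school.example.
SAMPLE_HTML = """<html><body>
<a href="/tin-tuc/thong-bao">Admissions notice</a>
<a href="https://betting.example/go88">Tai Xiu online</a>
<a href="/uploads/xocdia-2024.pdf">document</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def normalize(value):
    """Lower-case and drop separators so 'Tai Xiu' and 'tai-xiu' match 'taixiu'."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def flagged_links(html, own_host):
    """Return (href, is_external, matched keywords) for links that hit a keyword."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.links:
        fields = (normalize(href), normalize(text))
        matched = sorted(k for k in KEYWORDS if any(k in f for f in fields))
        host = (urlparse(href).hostname or "").lower()
        external = bool(host) and host != own_host and not host.endswith("." + own_host)
        if matched:
            hits.append((href, external, matched))
    return hits
```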

VNIS: A comprehensive security solution for malicious link injection

Overview of VNIS

The VNIS platform is a comprehensive Web/App/API security solution offered by VNETWORK Corporation. With over 2,300 connection points worldwide, VNIS can handle traffic volumes of up to 2,600 Tbps and is backed by a team of experts and a Security Operation Center (SOC) that is always ready to respond promptly to any attack scenario. This ensures that your business website remains stable and operates with 100% reliability.

Equipped with WAF, Anti-DDoS, Bot Manager, and various other features, VNIS provides an advanced security solution that protects against attacks stemming from security vulnerabilities and completely blocks sophisticated large-scale DDoS attacks, safeguarding your business systems.

Before implementing VNIS

Before implementing VNIS, business websites are often exploited for their vulnerabilities, allowing attackers to use indexing tools to index malicious links. If Google indexes these links, they can reach a large audience through search results. Attackers may employ other systems to increase traffic to these malicious links, tricking search engines like Google into believing they are popular websites and prioritizing their indexing. This means attackers can easily index malicious websites without using a business's Google Search Console. As a result, the business website faces the risk of being downgraded in quality, negatively impacting brand reputation and user experience.

[Image: Website indexed with numerous gambling links on SERP]

[Image: Website indexed with numerous betting links on SERP]

By checking Google Search Console, businesses can clearly see a significant increase in traffic and clicks from keywords and URLs related to betting, gambling, and online cockfighting.

[Image: Malicious keywords with high display and click rates on website (3 months ago)]

[Image: Malicious URLs with high display and click rates on website (3 months ago)]

Post-VNIS implementation

The VNIS solution effectively blocks redirects to malicious gambling and betting websites by returning an HTTP 404 status code when users attempt to access them, signaling that the webpage does not exist on the server. This proactive filtering and blocking of malicious links offer several crucial benefits:

  • Deterrence of attackers: Encountering repeated 404 errors indicates to attackers that the website is protected and vulnerabilities have been patched, reducing the likelihood of repeat attacks.
  • Prevention of indexing and spread: Search engines like Google will recognize these malicious URLs (keywords) as non-valuable due to the consistent 404 error responses. This prevents these URLs from being indexed, significantly reducing the potential growth and spread of malicious link injection attacks.

[Image: Malicious URL destination displaying HTTP 404 status code]

[Image: Significant reduction in malicious traffic to website after VNIS implementation]

[Image: Removal of irrelevant keywords from website (present)]

[Image: Removal of irrelevant URLs (links) from website (present)]

Additionally, VNIS can detect real-time website exploitation activities (which businesses often find difficult to control). This enables businesses to pinpoint the exact URLs being exploited or compromised, allowing them to proactively patch vulnerabilities and prevent potential attacks.

[Image: VNIS Platform's comprehensive security model]

Conclusion

In today's cybersecurity-focused landscape, proactively addressing potential threats, particularly malicious link injection, is crucial for maintaining website stability and reputation.

VNETWORK's VNIS security platform not only prevents and remediates malicious link injection but also provides professional monitoring, alerting, and technical support tools to ensure continuous and secure online operations for businesses. For detailed information and a quote, please contact us at Hotline: +84 (028) 7306 8789 or email: contact@vnetwork.vn.
