UK government sites have been hacked and are serving pharma spam.
The UK Parliament’s search funtion was shown to be open to some very basic XSS injection attacks – which on testing appear to have now been fixed.
After finding a big batch of US government sites that had been hacked late last year, and successfully having them cleared up, I thought would have a quick look to see if anything on UK government sites was hacked.
It didn’t take long.
On a sub-domain of Gov.UK (though not part of Gov.UK directly), Kidwelly.gov.uk is serving many hundreds of cloaked spam pages, which in turn redirect users to edpills.co.uk – a dodgy looking online pharmaceutical site that if I had to guess is probably a credit card phishing site.
The UK domain name registry Nominet carry out regular domain name authenticity checks, yet don’t seem to have got round to EdPills.co.uk yet. A quick look at the Whois details is almost laughable. Would you buy from a site registered to an organisation called ‘nana’, company registration number 123456789?
The Kidwelly.gov.uk website appears to be powered by a compromised modXhost installation which serves cloaked pages to Googlebot (see the Google cache below), whilst redirecting users to the phishing site.
One site wasn’t enough, so I dug a little deeper into any other government sites that may have been hacked.
Events/What’s On sections seem to be a target of regular abuse from spammers.
Another site that appears to have been compromised recently, though fixed now, is OxfordHealth.nhs.uk.
A look at the Google cache of these pages show they were hacked and serving similar pharma spam – with pages that were using a cloud hosted Twitter Bootstrap template/CSS.
Websites getting hacked – indeed even high profile websites getting hacked – is of course nothing new or especially noteworthy.
Though it has to be said, with the abilities of GCHQ and their apparent mastery of the internet – you might wonder how they don’t spot UK government websites that are vulnerable to the most basic attacks, and even worse, websites that actually are hacked.
In case there is anyone from GCHQ listening, my gift to you:
Note: I contacted Kidwelly.gov.uk and they are taking action on the hack. They also said thank you – which is always nice.
Latest posts by Colin (see all)
- .co.uk Domain Name Prices Infographic - August 12, 2015
- Rapid Response Campaigning – Lessons Learnt - April 29, 2014
- How To Protect WordPress from XML-RPC Pingback Abuse - March 15, 2014