The Florida Local Government Investment Trust maintains a website based on Wordpress, floridatrustonline.com (I highly recommend that readers do not visit the website from an unsecured browser/computer - preferably using a platform like TAILS). The website contains a description of the Trust, the legislation under which it carries its mandate (Florida Statute 218.415 (16) (a) and 163.01), a list of employees and trustees as well as a series of financial reports covering the last year. The floridatrustonline.com domain is registered to Earl Donaldson, an employee of the Florida Association of Court Clerks. Donaldson's LinkedIn page lists him as a Network Engineer. The website is hosted on a shared hosting server operated by Dreamhost.
Starting no later than March of this year, floridatrustonline.com was compromised. Each document on the site was embedded with links to sales websites that claimed to sell everything from Ralph Lauren merchandise to golf clubs. The links began immediately following a div element titled "footer_column".
All of the links, which included domains registered through a variety of different countries and companies, were hosted on a server in Istanbul by a company called "Sayfa Net", which in turn leases its infrastructure from a host called Radore Hosting. Many of the domains are known spam domains. The domain registrations show classic spam behavior; a single registration would have a registrar in one country, the registrant in another country and would included an email address to a free email service, like gmail. Companies with even the least stringent fraud protection would prevent an automated domain sale under such circumstances. It is very difficult to track down the source of spam using domain registrations in this manner, as those using them are savvy enough to nearly always rely on either a stolen identity or a completely fraudulent identity. More on that soon.
|Landing page for floridatrustonline.com demonstrating spam links|
|Google warning message displayed for floridatrustonline.com|
|code embedded in floridatrustonline.com that opened connections to malicious scripts|
Readers will most likely be familiar with Alibaba - their 2014 IPO was the biggest IPO of all time. ExoClick is similarly a heavy hitter in the world of online commerce, though US readers may not be as familiar with them. Based in Spain, ExoClick's affiliate network made the top 500 Alexa list in 2011, an accomplishment they share with the likes of Google, Ebay and Wikipedia.
I realize this is a huge claim. Let's break down the technical details that lead me to this determination.
We start on the floridatrustonline.com landing page. From there, the malicious code in the header of the page sends visitors to one of two websites, both of which are hosted on the same server by IP address 184.108.40.206. One of these two websites - googleframe.net - executes a file called "wat.cgi?13" that forces the user's browser to open a window which sends the users to ExoClick. Exoclick then immediately forwards the traffic to Alibaba. This process occurs in a single request using an iframe:
|The content of "wat.cgi?13" that sends users to Alibaba by way of ExoClick|
|The content of "tijaq.cgi?18"|
Just to avoid confusion as to the ownership of the sites profiting from this traffic, ,the domain registrations and IP assignments are not obfuscated or consistent with fraud:
$ host s.click.aliexpress.com s.click.aliexpress.com has address 220.127.116.11 s.click.aliexpress.com has address 18.104.22.168 NetRange: 22.214.171.124 - 126.96.36.199 CIDR: 188.8.131.52/18 NetName: ALIBABA-US-CDN OriginAS: AS45102 Organization: Alibaba.com LLC (AL-3) Ref: http://whois.arin.net/rest/net/NET-198-11-128-0-1 NetRange: 184.108.40.206 - 220.127.116.11 CIDR: 18.104.22.168/19 NetName: ALIBABA-US-NET OriginAS: AS45102 Organization: Alibaba.com LLC (AL-3) Comment: http://www.alibaba.com Ref: http://whois.arin.net/rest/net/NET-205-204-96-0-1 Domain Name: aliexpress.com Registrar WHOIS Server: whois.markmonitor.com Registrar URL: http://www.markmonitor.com Updated Date: 2014-10-28T12:38:28-0700 Creation Date: 2006-04-16T11:16:46-0700 Registrar Registration Expiration Date: 2016-04-16T11:16:46-0700 Registrar: MarkMonitor, Inc. Registrar IANA ID: 292 Registrar Abuse Contact Email: email@example.com Registrar Abuse Contact Phone: +1.2083895740 Registrant Name: Timothy Alexander Steinert Registrant Organization: Hangzhou Alibaba Advertising Co., Ltd.(杭州阿里巴巴广告有限公司) Registrant Street: No. 699 Wangshang Road , Binjiang District Registrant City: Hangzhou Registrant State/Province: Zhejiang Registrant Postal Code: 310052 Registrant Country: CN Registrant Phone: +852.22155100 Registrant Phone Ext: Registrant Fax: +852.22155200 Registrant Email: firstname.lastname@example.org Name Server: nsp.alibabaonline.com Name Server: nshz.alibabaonline.com Name Server: nsp2.alibabaonline.com Name Server: ns8.alibabaonline.com
$ host syndication.exoclick.com syndication.exoclick.com has address 22.214.171.124 Domain Name: EXOCLICK.COM Registrar WHOIS Server: whois.godaddy.com Registrar URL: http://www.godaddy.com Registrar Registration Expiration Date: 2015-09-01T12:21:42Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: email@example.com Registrar Abuse Contact Phone: +1.4806242505 Registrant Name: Benjamin Fonze Registrant Organization: EXOCLICK, S.L. Registrant Street: Marina 16-18 Registrant Street: 18B Registrant City: Barcelona Registrant State/Province: Barcelona Registrant Postal Code: 08005 Registrant Country: Spain Registrant Phone: +34.671646725 Registrant Email: firstname.lastname@example.org Name Server: NS1.P23.DYNECT.NET Name Server: NS2.P23.DYNECT.NET Name Server: NS3.P23.DYNECT.NET Name Server: NS4.P23.DYNECT.NET
Note that the Exoclick IP is registered to a company called ISPrime, a hosting provider in New Jersey. I tried to check for a subdelegation, but their RWHOIS times out:
$ whois 126.96.36.199 [redacted] Found a referral to rwhois.isprime.net:4321. Timeout.
None of this behavior will strike sysadmins or security professionals as particularly unique or not-worthy; this is an almost text-book example of monetizing a website defacement. What is newsworthy about this is the organizations involved, and their reaction.
At some point, the Florida Local Government Investment Trust, the Florida Association of Court Clerks, their hosting provider DreamHost, some third-party tech support or some combination thereof became aware that floridatrustonline.com had been compromised. Remember how I mentioned that over 100 files forwarding visitors to online pharmacies had been uploaded? Originally these files were scattered throughout the web root directory of floridatrustonline.com. Someone rounded up all of these files and placed them in a subdirectory called "/burnt/", where they remain right now, and are still indexed by Google:
|Malicious files remain hosted on floridatrustonline.com/burnt/|
The malicious scripts on the landing page index.html were removed. It makes little sense for the individual or group who hacked floridatrustonline.com to make these changes. Their own websites continue to host malicious scripts forwarding to ExoClick & Alibaba. Removing the malicious forwards from index.html is consistent with restoring a backup version of the file, an action usually performed by the hosting provider (in this case DreamHost) at a customer's request.
To the best of my knowledge, the Securities and Exchange Commission does not explicitly require corporations to disclose so-called "cyber attacks" (as an aside I find it amusing how everyone in government and no one outside of government uses the prefix "cyber-"); however, disclosure of hacking could be required by rules that govern risks and incidents that an "investor would consider important to an investment decision":
Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. - Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2The Florida Trust is an organization that manages millions of dollars of tax payer funds. At the very least, such a substantial security breach of their primary online presence should not be swept under the rug. Preventing a disclosure of these events to Florida tax payers is at best completely unethical. (Florida Statutes §§ 501.171, 282.0041, 282.318(2)(i) also apply to these sorts of disclosures - there is a whole host of regulations that may apply to this sort of thing that I can't explain very well because I am not a lawyer).
Furthermore, this traffic has identified that two very large companies - ExoClick and Alibaba Group - are relying on advertising methodology that is illegal. There is no other reasonable explanation for the malicious files pointing directly at the advertising networks of ExoClick and Alibaba. I realize the gravity of this accusation; and I feel it necessary to clarify it a bit.
I have no evidence that proves Alibaba Group is aware that the traffic they receive from ExoClick is, in essence, stolen from websites like floridatrustonline.com. In fact, I find it most likely that Alibaba Group has no idea that what I have described here is occurring. As of this writing, alibaba.com is ranked 59th globally on Alexa, which is a very rough way of demonstrating that it is one of the most frequently visited websites on the planet. Organizations of that scale spend immense amounts of money on advertising, usually with several advertising firms like ExoClick. Identifying, tracking and making sense of the source of all of the traffic that comes pouring in is an incredibly complex task. Organizations like Google have hired some of the smartest computer engineers alive to tackle that task - and the solutions required frequently terrify people when they learn how invasive such tracking must be to be effective and have lead to class-action lawsuits. So to some degree I sympathize with Alibaba Group.
With that said, the evidence I have uncovered strongly suggests that Alibaba Group money is financing the hackers behind the floridatrustonline.com defacement. Alibaba Group owes the public - and in particular the voters of Florida - in explanation as to why their due diligence has failed to detect this issue before I did. Im just a guy with a computer. It would have been much easier for Alibaba Group to track this sort of activity than it was for me.
ExoClick is in a much less morally ambiguous position. ExoClick is an affiliate advertising network. You sign up for an account and they provide you with a code to embed within your website (or in this case, a series of hacked websites). Every time someone clicks on the code, ExoClick pays you. ExoClick is proud to help their users set up "pop-unders" like we saw on floridatrustonline.com:
|ExoClick is proud to ruin your online experience|
Under the best of circumstances, this sort of browser behavior has been considered unethical by developers for decades. Its remarkable to see something so contrary to good internet stewardship presented as a normal business practice, as ExoClick does on their website.
For any members of law enforcement that may be reading, it is certain that ExoClick can lead you directly to the individual or group that hacked floridatrustonline.com; they will have a payment history established for googleframe.net and bwinpoker24.com.
|ExoClick's means of transferring funds to "advertisers"|
ExoClick prohibits part of the behavior that the floridatrustonline.com hackers engaged in, specifically this part: "The use of any tools that artificially generate impressions or clicks are not permitted." I think it interesting that the guidelines to do not mention any restrictions on spamvertising or the use of hacking or botnets. The guidelines prohibit publishers from "promoting" hacking, but not actually hacking.
|ExoClick's publisher guidelines; note that the use of hacking & botnets are not prohibited|
|Another victim of the floridatrustonline.com / googleframe.net hackers seeks support from Wordpress|
I have additional notes and research available to interested parties upon request. If you feel I have posted something here that is inaccurate or unfair, contact me and let me know how I have made a mistake - if I have printed a factual error the likelihood of me complying with a civil correction request is 100%.