Monday, September 10, 2007

A month ago, my blog was hijacked by spammers for a few days

About a month ago (just before my vacation), several people notified me that my blog had been hijacked by spammers. Wassim Melhem even created a Bugzilla entry (which was a great idea!).

Spammers replaced my blog with their stuff including a new pink layout. If you want to see it: scharf.gr/hijacked_blog (I don't link it from here, but you can paste the link into your browser).

Google/blogger.com recognized that my blog was spam and they locked my account (I was still able to log in but I could not add new blog entries). All my old blog entries were gone. I sent some mail to Google and after a day or so they restored my old blog and apologized.

But how could they get into my blog? I don't think they were able to guess my username/password, because it was pretty safe. Otherwise, I guess, they would have changed my password. Looking at the spam blog, I just realized that the same content is there two times (it looks like it was pasted twice). I think they just replaced the entire blog template with their crap. I see two possibilities for how they could have done it:
  • They hacked into the blogger server and did it from inside. In this case other blogs would have been hijacked too.
  • They used some clever JavaScript that navigated to my blogger template site and they dumped their stuff. Because my blogger account is my Google account and I was lazy about logging out, a script could possibly have done that. Changing the template is much simpler than creating a new blog entry, because there is no "enter the text from the scrambled image" type of verification needed.
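
Added example, not from the original post and not Blogger's code: a sketch of the second possibility, where a logged-in browser's session cookie alone authorizes a template change, beside a handler that also requires a same-origin header and a per-session token. The handler names, request layout, origins and session id are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # server-side secret, never sent to the browser
TRUSTED_ORIGIN = "https://blog.example"   # placeholder origin for this example

def issue_csrf_token(session_id):
    """Token the server embeds in its own template-edit form, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def save_template_cookie_only(request, sessions):
    """Weak form: the session cookie alone authorizes the change."""
    sid = request["cookies"].get("session")
    if sid not in sessions:
        return 401
    sessions[sid]["template"] = request["form"]["template"]
    return 200

def save_template_checked(request, sessions):
    """Hardened form: cookie plus same-origin check plus per-session token."""
    sid = request["cookies"].get("session")
    if sid not in sessions:
        return 401
    origin = request["headers"].get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403                        # request was started by another site
    supplied = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(sid)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403                        # token missing or not issued for this session
    sessions[sid]["template"] = request["form"]["template"]
    return 200

def demo():
    """Run a constructed cross-site request and a genuine one through both handlers."""
    sid = "s-1234"                        # constructed session id
    forged = {"cookies": {"session": sid},    # the browser attaches the cookie by itself
              "headers": {"Origin": "https://other.example"},
              "form": {"template": "<p>spam</p>"}}   # no token: another site cannot read it
    genuine = {"cookies": {"session": sid},
               "headers": {"Origin": TRUSTED_ORIGIN},
               "form": {"template": "<p>mine</p>", "csrf_token": issue_csrf_token(sid)}}
    weak, hard = {sid: {"template": "orig"}}, {sid: {"template": "orig"}}
    results = {"weak_forged": save_template_cookie_only(forged, weak),
               "hard_forged": save_template_checked(forged, hard),
               "hard_genuine": save_template_checked(genuine, hard)}
    return results, weak[sid]["template"], hard[sid]["template"]
```

The token check does not help when the session cookie itself has been copied, since whoever holds the cookie can load the edit form and read the token from it.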

Do you have other theories how this could happen?

There is an interesting new type of spammer attack: they use pieces of real blogs in their spam blogs to make their spam blog appear "real". Marko Schulz has sent me a link, but that spam blog is fortunately gone....

Talking about spam: for the past week I have been getting much less e-mail spam (on some of my accounts) than I used to get (tens instead of hundreds per day). Maybe spammers started thinking about spam efficiency: to get the most out of their spam botnets they concentrate on Internet newbies. Therefore it pays off for them to eliminate e-mails that have been in their lists for years. The probability that someone who is new to the Internet believes the spam is much higher than for experienced users. If they mostly attacked new e-mail addresses, they would also get out of the focus of the experts who are fighting spam and would therefore have a much higher success rate in delivering spam. In addition, if spam is sent in low volume, spam defenses would probably miss new variations of spam. Or is there another explanation for this decrease in spam?

5 comments:

  1. Hi Michael!

    I still see the "spam blog". I also don't want to post the direct link here to prevent them from getting a better google karma, but to see the page you can still concat http://ho5e.hotelrevie and wss.com/Blog-comments-my-mistakes-and-good-feedback/

  2. Did you ever blog while connected via WLAN? There is a known attack which just copies your cookie. With that, the spammers can identify themselves on the server and do anything you could do up to the point where the server would ask for your password again.

    Moral: always log out after blogging via hotspots.

  3. Hi Aaaron
    I don't think I blogged with a WLAN, but I was googling and since it's the same account, that's a possible explanation. Although, at the time this happened I was not using a WLAN...

    Michael

  4. Oh.... and I thought it was you the whole time! :-p

    Seriously though, welcome back Michael!

  5. I seem to be getting this question asked more and more - about why a person's blog is hijacked and what they can do about it.

    Some people even blame Google but I don't think it is their fault.

    It's just like getting spam mail. Even though there are things that you can do to decrease getting spam email you can't seem to stop it altogether.
