The H-Online: Online forums have, for some time, apparently been the target of hackers who inject additional code. However, the attackers aren’t interested in publishing cool slogans or political messages, they’re looking for money. They steal Google traffic from the forums and exploit this traffic via ads. Their main targets appear to be forums that are based on the vBulletin software.
Unlike the “Look how cool I am” crackers, these attackers have very discreet working methods. They hide their code deeply within the system and ensure that their redirections don’t attract much attention. Only users who visit forum pages for the first time via a search engine such as Google are redirected to a url123.info URL. This site initially displays a strange blocking alert (“Access denied”) followed by some arbitrary text and then loads a full-page ad by InfinityAds. The ads are probably a direct source of income for the intruders even though each ad is only worth a few pennies. However, as some forum operators have reported that their traffic has dropped by more than 70 per cent, and the phenomenon seems to be a rather wide-spread one, the overall yield is likely to be considerable.
Forum owners and regular forum users who access the pages directly never encounter the redirection. Neither will those who try to reproduce the issue by repeatedly clicking through to the forum via Google be redirected, because a cookie already exists for the page. One way of reliably reproducing the redirection is to carry out a search with a browser in private or anonymous mode.
The German Typo3 forum is among the forums currently affected but some other reports date back several months. The precise cause remains unclear. Various contributors suspect a connection to vbSEO – a search engine optimization extension. It appears that this extension was compromised in a way that allowed attackers to install malicious plug-ins via the forum administrator’s account. In their FAQs, the vbSEO developers have provided a tool for testing vBulletin installations. The vBulletin support team recommends a slightly more generic vBulletin test.