Your Fly Is Open

Netmenaces and Other Internet Stupidity

Maybe You Should Do More Research...

2016-06-01 7 min read Attacks

Everyone needs a hobby.

Mine is, I’ll admit, probably a bit odd. I collect justice… or at least the small morsels of justice I’m able to eek out of this increasingly unjust world.

My justice “collection” includes - quite literally - hundreds of websites, servers, and systems that I’ve managed - over the years - to get “unhacked” by notifying the folks who own them and, as a result, taking them away from the folks who… well… 0wn them.

At times, it becomes soul-sucking drudgery - I feel like a modern day Cassandra, telling the truth to people who just don’t want to hear. Today, however, wasn’t one of those days. Today was FUN.

In the mornings, I fire up my little Chromebook and check the news, look at Twitter and Facebook, and then generally just putz around a bit on the ‘Net while everyone else is waking up and getting ready. One of my favorite “putzing around” activities is to fire off random Google searches to see what interesting stuff I can find. If you know what you’re doing, you can find lots of interesting things.

One of Google’s most under-rated features is the ability to search for specific content across a single site, or an entire Top Level Domain (TLD… i.e. all of the sites under .com, .net, .org, etc…) using the “site” keyword. For example, this morning, I fired off the following search:

site:.gov cheap buy online

That search looks for pages containing the words “cheap,” “buy,” and “online” within the .gov TLD.

The third “hit” within the search results looked like this:

The Capitol? Oh, crap…

Seriously? The Capitol’s website? Aw, hell…

I changed my search to:

site:capitol.gov

and found that there were dozens of “pages” added to the site selling term / “research” papers. (Note: they’re not really pages… they’re just a bunch of HTTP 307 Temporary Redirects that I believe are created by alterations to the code within the site… more on this later)

I followed several of the links and found that they would round-robin me to a couple of different sites:

Test #1

GET http://capitol.gov/init.php/essay-my-country/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=233380364.798512421.1464786413.1464786413.1464786413.1; __utmc=233380364; __utmz=233380364.1464786413.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 307 Temporary Redirect
 Redirect to: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fessay-my-country%2F&utm_keyword=essay+my+country
Server: nginx
Date: Wed, 01 Jun 2016 13:15:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 20
Connection: keep-alive
Location: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fessay-my-country%2F&utm_keyword=essay+my+country
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip

Test #2

GET http://capitol.gov/init.php/walmart-research-papers/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=233380364.798512421.1464786413.1464786413.1464786413.1; __utmb=233380364.5.10.1464786413; __utmc=233380364; __utmz=233380364.1464786413.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 307 Temporary Redirect
 Redirect to: https://essayfactory.uk/?ref_id=1076
Server: nginx
Date: Wed, 01 Jun 2016 13:34:51 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 20
Connection: keep-alive
Location: https://essayfactory.uk/?ref_id=1076
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip

Sonofabitch…

Normally, this is the time that I would fire off an email or a tweet to the folks running the capitol.gov website and go about my day having a little less faith in humanity. Seriously!?!? They hacked the Capitol’s website just to make a frickin’ buck off of “research papers.”

I decided to do a little checking into SpeedyPaper and EssayFactoryUK. Turns out, they both have Twitter accounts, and while the EssayFactory one is pretty much unused, the SpeedyPaper account is very active.

I was more than a little peeved at what I’d found, so I decided to call the SpeedyPaper people out – at the same time I was letting the U.S. Capitol folks know that they’d been 0wned.

Tweet #1

After a few minutes, the SpeedyPaper people actually responded:

Tweet #2

Now, far be it from me to be to call into question the moral character of someone who makes their living selling term / “research” papers on the Internet, but I did find myself wondering exactly what kind of “checking” they might be doing…

It didn’t take long to find out… and just for fun, I’m going to attempt to caption what I believe the thought process was behind the “moves” I saw taking place.

Disclaimer: I can’t possibly know what the people at SpeedyPaper were thinking. Hell, I can’t even claim to know THAT they were thinking. This can, at best, be considered a work of really crappy near-term historical/speculative fiction.

Scene: Someone’s dank, musty basement. In the background, 1,000,000 monkeys sit, pounding away at typewriters and flinging their feces. A man of indeterminate age sits alone, shrouded in shadows, speaking aloud - either to himself, or the monkeys:

SpeedyPaper : Holy crap! This incredibly insightful and likely extremely good-looking “tliston” fellow has pointed out that we are the direct SEO beneficiaries of, literally, dozens of hacked links on the U.S. Capitol’s website. It’s quite possible that the Government may become more than a bit miffed at us. We must DO something!

GET http://capitol.gov/init.php/dissertation-byu/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=233380364.798512421.1464786413.1464786413.1464786413.1; __utmb=233380364.5.10.1464786413; __utmc=233380364; __utmz=233380364.1464786413.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 307 Temporary Redirect
 Redirect to: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fdissertation-byu%2F&utm_keyword=dissertation+byu
Server: nginx
Date: Wed, 01 Jun 2016 13:37:01 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 20
Connection: keep-alive
Location: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fdissertation-byu%2F&utm_keyword=dissertation+byu
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip

GET https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fdissertation-byu%2F&utm_keyword=dissertation+byu
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d26ddac4638670fc8878c739a1861237c1464786359; spu=eyJpdiI6IlNORkNWUXJcL1ZJQ0hUT1wvd0dDVWVFdz09IiwidmFsdWUiOiJZK1dQZ3cwV1NTbjI2MVBhMWxkdkx3PT0iLCJtYWMiOiI5NDc4MGY0MzBhMzEwZTUzODQ0NjhkYTEwMmY5MjAwNzJlMTgyZGU0MDg4MjAzOThmMmY0NmFjODkwYzk5NTRhIn0%3D; spv=eyJpdiI6Ilk0SXNtZnhTZHgzMFpzaGc2bnZjcGc9PSIsInZhbHVlIjoiYkFnamV3OEYwcnp2ekJwdTVLSEF6Zz09IiwibWFjIjoiYmU4ZTExOWYzOTA5MGEwNTRjNzlkYTY2NTZmMzQyNDU1NjkzYWQ1OGU2NDE5NGE2ODQ4NDMxY2Y3ZDQ4YzkwOSJ9; spvis=eyJpdiI6IjZtaWU2SmROcFBjaWRpcWJaekY2OVE9PSIsInZhbHVlIjoiTXl3SjZPS0xQZ284T0g2K29ENDh6UT09IiwibWFjIjoiYjc3MDE5ODFlNWZlNDBmNTE1ZDJlMGYxNjFmMWU1NDEwODM3ODQ2NmI0MTIzMDA4ZDRmN2I1YTE4NjRjZmJhOCJ9; laravel_session_speedypaper=eyJpdiI6Ik5EdWJxcGZPZDlOcFJ0Z252S2drZ3c9PSIsInZhbHVlIjoibTE5QzVQRW9ST1wvYUJtZWNZa2w0VTBybUZGU2RlN0hPWmhLeVN4bTloUVRmdlwvNEJTWUZOVGJGeVFUMVd0RUtaUlVQN1NwVytcL2VENndIRjhKVlIrcFE9PSIsIm1hYyI6ImNkMmYyZjJjZDczZmE1NTA1OTY0ZGI0NTJlM2QwMGFmN2Q3NDk4NDUzN2FiNGVhYTRlMGI1NGNkMjk2YjU4MGQifQ%3D%3D

HTTP/1.1 302
 Redirect to: https://7essays.com/
status: 302
date: Wed, 01 Jun 2016 13:37:01 GMT
content-type: text/html; charset=UTF-8
cache-control: no-cache
location: https://7essays.com
set-cookie: laravel_session_speedypaper=eyJpdiI6IjZ5eitRSk0wRWt3dU1tQzMwUEFNQ2c9PSIsInZhbHVlIjoielVTN05ZS01nY3VFWTU0cGVodmJjN0g1T0krN2hJcDlPa3RZb2h4N2JLSk44MTZsNytsU095TWhmQnZLRjRXY0JjdVBZemgxV0JnYkF5dFB3dFc0b3c9PSIsIm1hYyI6IjNmN2FjZTQxMmRlOTEyNzBiOTc4YzY0MmQ0NWZmY2ZhMmE2YTg4NjUwN2Q2M2FjODZkYjI1ZjBlOTkyODJjZWUifQ%3D%3D; expires=Wed, 01-Jun-2016 15:37:01 GMT; Max-Age=7200; path=/; httponly
x-prerender-token: fbDlD1S9rFH3au9KfiDK
strict-transport-security: max-age=63072000; includeSubdomains;
x-content-type-options: nosniff
server: cloudflare-nginx
cf-ray: 2ac30ed1006f10c9-ORD

Wait… wut? Did they just… redirect to some other term / research paper company? Was this a really crappy gambit at shifting the blame? If so, then that’s mighty suspicious behavior on the part of a company that will (in the very near future) claim that THEY are the victims here. Note: I never saw this behavior prior to them “checking” on things, but if it did exist, then their claim of victimhood becomes even more unbelievable…

I believe that things then proceeded thusly:

SpeedyPaper: Wait! What could we have been thinking! Redirecting these links to another term paper company is wrong! Not only is it wrong, but it might appear suspicious. Think, think, think… I’ve got to think! WOULD YOU DAMNED MONKEYS SHUT UP!?!? What shall we do? I know! Let’s redirect right back to the Capitol’s website… that will make everything better!

GET http://capitol.gov/init.php/essay-my-country/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=233380364.798512421.1464786413.1464786413.1464786413.1; __utmc=233380364; __utmz=233380364.1464786413.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 307 Temporary Redirect
 Redirect to: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fessay-my-country%2F&utm_keyword=essay+my+country
Server: nginx
Date: Wed, 01 Jun 2016 13:41:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 20
Connection: keep-alive
Location: https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fessay-my-country%2F&utm_keyword=essay+my+country
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip

GET https://speedypaper.com/?rt=3S5do2ix&utm_search_engine=google&utm_host=capitol.gov&utm_referrer=http%3A%2F%2Fcapitol.gov%2Finit.php%2Fessay-my-country%2F&utm_keyword=essay+my+country
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 7978.76.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.104 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d26ddac4638670fc8878c739a1861237c1464786359; spu=eyJpdiI6IlNORkNWUXJcL1ZJQ0hUT1wvd0dDVWVFdz09IiwidmFsdWUiOiJZK1dQZ3cwV1NTbjI2MVBhMWxkdkx3PT0iLCJtYWMiOiI5NDc4MGY0MzBhMzEwZTUzODQ0NjhkYTEwMmY5MjAwNzJlMTgyZGU0MDg4MjAzOThmMmY0NmFjODkwYzk5NTRhIn0%3D; spv=eyJpdiI6Ilk0SXNtZnhTZHgzMFpzaGc2bnZjcGc9PSIsInZhbHVlIjoiYkFnamV3OEYwcnp2ekJwdTVLSEF6Zz09IiwibWFjIjoiYmU4ZTExOWYzOTA5MGEwNTRjNzlkYTY2NTZmMzQyNDU1NjkzYWQ1OGU2NDE5NGE2ODQ4NDMxY2Y3ZDQ4YzkwOSJ9; spvis=eyJpdiI6IjZtaWU2SmROcFBjaWRpcWJaekY2OVE9PSIsInZhbHVlIjoiTXl3SjZPS0xQZ284T0g2K29ENDh6UT09IiwibWFjIjoiYjc3MDE5ODFlNWZlNDBmNTE1ZDJlMGYxNjFmMWU1NDEwODM3ODQ2NmI0MTIzMDA4ZDRmN2I1YTE4NjRjZmJhOCJ9; laravel_session_speedypaper=eyJpdiI6Ilpob2VoTEpTV2ZYMGRQMlwvXC9OTStwdz09IiwidmFsdWUiOiIycnFnbXVJdEJrNzZmdTJZZ2UrTjNKbDk0cjI0YjVnRm9TN0NHbHRaS2JzR1hmd2xxZ1wvQTRjMklGU2gySDFMaEJGVmtYSW9nSEswV1wvclQwWmN6TlpnPT0iLCJtYWMiOiI1NGExMWJmMmVjMTlmM2Y0Nzg4MDdjNWY2Nzk4YjNiMDVkZjRhMDI2ZGZjZjk0YjEwYzExZWNkNmQ5ZWZlMzllIn0%3D

HTTP/1.1 302
 Redirect to: http://capitol.gov/
status: 302
date: Wed, 01 Jun 2016 13:41:07 GMT
content-type: text/html; charset=UTF-8
cache-control: no-cache
location: http://capitol.gov
set-cookie: laravel_session_speedypaper=eyJpdiI6IjJ6dlZzeGk4WlMyeVwvbUxFUFZmYzNRPT0iLCJ2YWx1ZSI6Ik53NHBFcStRYVd0QzZUYU9GNnYwYytNQTNOOFEzR3YxemdWQWMyNkJBdFdYV3BxR2VSS0lYaGNtck1PQ20zcEJ2TGZvVCtPQlkxczFoc3BBMHZuck1nPT0iLCJtYWMiOiJlYTQ4MmI4NDVhZmQ1ZWZjZTkzNTA4MGQzYTUxNzhhNzQ4OWZjMDFjNDVlMTNlMDMxMzk1ZTBhNmE2NjFmNTJjIn0%3D; expires=Wed, 01-Jun-2016 15:41:07 GMT; Max-Age=7200; path=/; httponly
x-prerender-token: fbDlD1S9rFH3au9KfiDK
strict-transport-security: max-age=63072000; includeSubdomains;
x-content-type-options: nosniff
server: cloudflare-nginx
cf-ray: 2ac314d3d37910c9-ORD

Now that everything is right with the world, they fire off another tweet to which I respond:

Tweet #3

So, they do some ‘splaining…

Tweet #4

Ah… it’s their EEEEEeeevil competitors that have done this to them.

Tweet #5

Now, I’m not saying that it couldn’t be their competitors - hey… anything is possible. I’m just saying that the circumstantial evidence here makes the burden of proof - for me - a bit higher than saying “we’re innocent.”

That whole redirect to 7essays thing? If it was happening all along (and I just never triggered it…) then that’s… well… problematic for your whole “we’re innocent” defense. And if it was the result of you “checking” things then… well… that’s problematic for your whole “we’re innocent” defense too. Just sayin’…

But SpeedyPaper hasn’t got a clue about how much I know. And they’re still trying to convince me that they’ve been framed:

Tweet #6

Finally, since they’re been twitter-bombed via all the back-n-forth with SpeedyPaper, the Capitol folks show up:

Tweet #7

And I get to pin one more tiny piece of justice on my wall…

Hey, SpeedyPaper… packets don’t lie. Research that.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 1, 2016