Happy New Year!
Today, September 18, 2025, is the 261st day of 2025, but for me, it’s December 31.
For anyone who’s been following my journey to accomplish my New Year’s Resolution, that statement might make sense. Today, I contacted my 365th organization, informing them that their web server has been compromised and is serving questionable content. My goal to identify one hacked system and notify its owner for each day in 2025 is complete.
Based on calculations performed by an AI, a reasonably conservative estimate of the financial impact of this adventure lies somewhere between $547,500.00 and $1,104,125.00.
Not too bad for some old, retired dude sitting on his couch.
What sort of exotic tools allowed me to have that impact? Google.
Yep, Google.
You see, the vast majority of the organizations I contacted had their web servers hacked by scammy folks trying to boost their search engine placement - all to sell more supplements, Roblox hacks, TikTok follower generators, ways to see private Instagram accounts, or tools to generate AI porn.
Pretty seedy stuff that no one wants associated with their organization.
Suppose you know what vulnerabilities the SEO hackers are using to add new pages to sites (and therefore, where those pages will land). Suppose you also know the verbiage they’re using to seed their campaigns to search engines.
It becomes remarkably easy to find hacked websites on Google.
Then you face your next problem: finding someone to tell.
Suppose someone places new, inappropriate pages on your website, and you’re not watching your web server logs closely enough to see those pages being served. Do you also monitor your feedback forms or general email address for security incident reports from some crazy old guy on his couch?
I’m going to say, “No.”
I did my best to get their attention. In some cases, I’ve even resorted to narking to financial industry regulators to get something done. I estimate that between 60% and 80% of the sites have been cleaned, and I’ll go back through my list and keep trying on the rest.
It’s exhausting.
I’m going to wrap up this little project by preaching to the choir, telling the absolutely wrong people the right information:
- Monitor your web server logs. If you see a page being served that you don’t recognize, investigate.
- Publish a “security.txt” file on your website (see RFC-9116) and monitor the contact address (out of 365 organizations, 3 had a “security.txt” file; I almost fainted when I saw one).
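As an added example (my own, not code from the original post), here is a small Python check for the first recommendation: it parses Combined Log Format lines, ignores the paths the owner knows they publish, and flags any other path that the server *successfully* served (a 404 for a strange path is noise; a 200 means there is really content there). The log lines and the KNOWN_PATHS set are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Sep/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.6 - - [18/Sep/2025:10:01:09 +0000] "GET /about.html HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Sep/2025:10:02:15 +0000] "GET /news/cheap-supplements.html HTTP/1.1" 200 8810 "https://www.google.com/" "Mozilla/5.0"
198.51.100.8 - - [18/Sep/2025:10:02:40 +0000] "GET /missing-page HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Sep/2025:10:03:01 +0000] "GET /news/cheap-supplements.html?ref=1 HTTP/1.1" 200 8810 "https://www.bing.com/" "Mozilla/5.0"
"""

# Paths the site owner knows they publish (constructed; in practice take them from the sitemap or CMS).
KNOWN_PATHS = {"/", "/about.html", "/contact.html"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.", "yandex.")


def parse_line(line):
    """Return the fields of one Combined Log Format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def unknown_served_paths(log_text, known_paths):
    """Count 2xx responses for paths not in known_paths.

    Returns {path: (hits, hits_referred_by_a_search_engine)}. Search-engine referrals
    to a page you never published are exactly the pattern the post describes.
    """
    hits, search_refs = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if rec["status"].startswith("2") and path not in known_paths:
            hits[path] += 1
            if any(se in rec["referer"] for se in SEARCH_ENGINES):
                search_refs[path] += 1
    return {p: (hits[p], search_refs[p]) for p in hits}


if __name__ == "__main__":
    for path, (n, via_search) in unknown_served_paths(SAMPLE_LOG, KNOWN_PATHS).items():
        print(f"INVESTIGATE {path}: served {n} time(s), {via_search} arriving from search engines")
```

Point it at a real access log and a real list of published paths; anything it prints is a page you should be able to explain.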
But you knew all of that, didn’t you?
And, just because:
We’ll Drink A Cup of Kindness Yet,
for Auld Lang Syne…
-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 3, 2025