Hackers Exploit Legacy Software to Spread Malicious Sites

Cybercriminals are exploiting an obsolete content management system (CMS) editor, discontinued 14 years ago, to manipulate search results and direct users to malicious or fraudulent websites.

The attackers' primary technique is the use of so-called open redirects, which send a visitor from a legitimate site to an arbitrary external URL without validating the destination. Because the link starts on a trusted domain, this mechanism lends itself to phishing, malware distribution, and impersonation of trusted domains, and it raises the odds of slipping past security filters.
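One way a site owner can close a redirect of this kind, as an added example that is not code from the article or from FCKeditor: a validator that accepts only same-site paths or allow-listed hosts, and a triage helper that runs it over request lines. The endpoint, parameter names, hostnames and log format below are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Query-string names that typically carry a redirect target (assumption, not
# taken from the article).
REDIRECT_PARAMS = ("url", "redirect", "redirect_url", "next", "return", "goto")


def is_safe_redirect(target: str, allowed_hosts: set[str]) -> bool:
    """True only if `target` is a same-site path or points at an allowed host.
    Each rejected shape is a known way to turn a redirect into an open one."""
    if not target or any(ord(c) < 0x20 or c.isspace() for c in target):
        return False  # control characters / whitespace can hide a scheme
    target = target.replace("\\", "/")  # browsers treat "\" like "/"
    allowed = {h.lower() for h in allowed_hosts}
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host") URL: scheme must be http(s) and
        # the host must be ours. "user@host" tricks resolve to the host after
        # "@", which .hostname returns; "https:///host" parses with no host.
        if parts.scheme and parts.scheme.lower() not in ("http", "https"):
            return False
        return (parts.hostname or "").lower() in allowed
    # No scheme and no authority: accept only a rooted, single-slash path.
    return parts.path.startswith("/") and not parts.path.startswith("//")


def flag_redirect_requests(log_lines, allowed_hosts):
    """Triage request lines of the form "METHOD PATH STATUS" (constructed
    format) and return (line, param, value) for every redirect-style parameter
    whose value would leave the allowed hosts."""
    hits = []
    for line in log_lines:
        parts = urlsplit(line.split()[1])
        for name, values in parse_qs(parts.query).items():
            if name.lower() in REDIRECT_PARAMS:
                for value in values:
                    if not is_safe_redirect(value, allowed_hosts):
                        hits.append((line, name, value))
    return hits


# Constructed sample requests; hostnames and paths are placeholders.
SAMPLE_LOG = [
    "GET /editor/go.php?url=/about 200",
    "GET /editor/go.php?url=https://legit.example/news 302",
    "GET /editor/go.php?url=https://legit.example@bad.example 302",
    "GET /editor/go.php?url=//bad.example/tinnitus 302",
    "GET /editor/go.php?url=/\\bad.example 302",
]

if __name__ == "__main__":
    for line, name, value in flag_redirect_requests(SAMPLE_LOG, {"legit.example"}):
        print(f"off-site redirect via {name}={value!r}: {line}")
```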

The attacks rely on a vulnerability in FCKeditor, a once-popular web editor that let users edit HTML content directly in the browser. The editor was renamed and updated in 2009, and a more modern version named CKEditor replaced it, yet some institutions still run the outdated version and remain exposed to this flaw.

Cybersecurity specialist “@g0njxa” identified the campaign after detecting malicious links in Google search results posted on university websites. The affected institutions include MIT, Columbia University, the University of Barcelona, and the University of Washington, as well as governmental and corporate sites, including the Virginia government’s website and the city of Austin in Texas.

Fraudsters create static HTML pages under legitimate domains to “poison” search engine results with malicious links (SEO Poisoning). For instance, one such page poses as an article about tinnitus medication but, in reality, promotes other pages that can redirect the victim to malicious sites.

Software developers have stated that FCKeditor became obsolete in 2010 and its use has since been discouraged. Nonetheless, it is not uncommon for university and government websites to continue using software that was discontinued many years ago, exposing them to the risk of cyberattacks.