
Up to ‘old’ tricks: Hackers compromise Stanford University ‘Biology of Aging’ website for months

A Stanford University website was reportedly compromised for four months without detection, allowing hackers to abuse it to host malicious web shells, phishing kits and defacement images.

According to a blog post published on Wednesday by UK-based Internet security company Netcraft, the website for the Paul F. Glenn Center for the Biology of Aging at Stanford University – part of the School of Medicine – was hacked on January 31, 2017. In the following months, multiple bad actors – many likely working individually – began uploading various malicious scripts onto the site, glennlaboratories.stanford.edu.

Stanford administrators promptly removed all of the malicious scripts found on the WordPress-based website after Netcraft disclosed the intrusion, the blog post reported. It is unclear how the site was compromised in the first place.

During the initial compromise, an adversary hid a simple PHP-based web shell in the top-level directory of the website. Then on May 14, someone uploaded a second web shell – this one a WSO, or Web Shell by Orb, that "displays directory listings and offers several other hacking tools that can be used to crack passwords and gain access to databases," Netcraft reported.

Netcraft also discovered multiple scripts and files designed to perpetrate spam mailer and phishing campaigns. Among them was an archive file installed in the top-level directory that deploys a Chinese phishing site targeting users of the Taiwanese Chunghwa Telecom Internet service.

Another pair of archives found uploaded on the site were designed to create phishing sites that steal the usernames and passwords of LinkedIn and Office 365 users. And yet another discovered archive contained a generic phishing kit that presents victims with a phony login error message that tricks them into trying various combinations of email addresses and passwords.

As late as May 29, a bad actor introduced still another phishing kit that presents victims with a fake login form for SunTrust Bank.

Netcraft also found two instances of hackers using HTML-based defacement pages to leave their mark on the compromised Stanford site. The first left the message "Hacked By Alarg53", while the second presented an image of a giggling face (with a resemblance to Anonymous' Guy Fawkes mask) and the message "Hacked By # T.F.S #".
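The three kinds of artifact described above (PHP web shells in the webroot, archived phishing kits, and "Hacked By" defacement pages) sat on the site for months, so the practical lesson is detection. The script below is an added example, not code from Netcraft, Stanford or SC Media: it walks a webroot and flags files matching simple heuristics for each artifact type. The regexes, the file-type lists and the sample directory tree are all constructed assumptions for illustration, not signatures from the report.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Heuristics modelled on the artifact types in the report: PHP web shells,
# archived phishing kits and "Hacked By" defacement pages. These patterns are
# hypothetical triage rules written for this example, not Netcraft's signatures.
SHELL_PATTERNS = [
    # a decoded blob handed straight to eval(), the classic one-file shell shape
    re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # raw request input handed straight to eval()
    re.compile(r"\beval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # raw request input handed straight to a command-execution function
    re.compile(r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5"}
HTML_SUFFIXES = {".html", ".htm"}
ARCHIVE_SUFFIXES = {".zip", ".rar", ".tar", ".gz", ".tgz", ".7z"}
DEFACEMENT_RE = re.compile(r"hacked\s+by", re.I)


def classify(path: Path) -> Optional[str]:
    """Return a finding category for one file, or None if nothing looks off."""
    suffix = path.suffix.lower()
    if suffix in ARCHIVE_SUFFIXES:
        # archives rarely belong in a WordPress webroot; phishing kits ship as zips
        return "archive"
    if suffix in PHP_SUFFIXES:
        text = path.read_text(errors="replace")
        if any(p.search(text) for p in SHELL_PATTERNS):
            return "webshell"
    elif suffix in HTML_SUFFIXES:
        if DEFACEMENT_RE.search(path.read_text(errors="replace")):
            return "defacement"
    return None


def scan_webroot(root: Path) -> List[Tuple[str, str]]:
    """Walk a webroot and return (category, path relative to root) for each hit."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            category = classify(path)
            if category:
                findings.append((category, path.relative_to(root).as_posix()))
    return findings


def build_sample_webroot() -> Path:
    """Constructed WordPress-like tree for a dry run; none of this is real site content."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/demo/functions.php": "<?php add_action('init', function () { echo 'ok'; });\n",
        # simple one-file shell dropped in the top-level directory
        "x.php": "<?php @eval(base64_decode($_POST['c']));\n",
        # a second shell buried under uploads
        "wp-content/uploads/2017/05/cache.php": "<?php system($_GET['cmd']);\n",
        # archived kit at top level; only the zip magic bytes, not a real archive
        "kit.zip": "PK\x03\x04",
        # defacement page
        "hacked.html": "<html><body><h1>Hacked By EXAMPLE</h1></body></html>\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for category, rel in scan_webroot(build_sample_webroot()):
        print(f"{category:<11} {rel}")
```

Treat the output as a triage list rather than a verdict: some legitimate plugins and themes call `eval`, so each hit should be checked against the vendor's published package or a known-good hash before it is removed. Running a scan like this on a schedule, and alerting on any new file in the top-level directory or under `wp-content/uploads` that is not an image, would have surfaced every artifact in the report long before four months had passed.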

"We were notified of the issue by Netcraft in late May and immediately contacted the School of Medicine's IT Department. They spent a day fixing the problem, which is now fully resolved. As far as we can determine, none of our data has been compromised," said a Stanford University spokesperson in response to an SC Media query.

Bradley Barth
