The Florida Local Government Investment Trust website was hacked by a spammer affiliated with ExoClick & Alibaba Group & they haven't told anyone

The Florida Local Government Investment Trust manages money for counties and clerks throughout the state of Florida. They handle bonds that are AAA rated by S&P; pooling assets for municipalities throughout the state to increase their buying power. The Trust was created in 1991.

The Florida Local Government Investment Trust maintains a website based on Wordpress, floridatrustonline.com (I highly recommend that readers do not visit the website from an unsecured browser/computer - preferably using a platform like TAILS). The website contains a description of the Trust, the legislation under which it carries its mandate (Florida Statute 218.415 (16) (a) and 163.01), a list of employees and trustees as well as a series of financial reports covering the last year. The floridatrustonline.com domain is registered to Earl Donaldson, an employee of the Florida Association of Court Clerks. Donaldson's LinkedIn page lists him as a Network Engineer. The website is hosted on a shared hosting server operated by Dreamhost.

Starting no later than March of this year, floridatrustonline.com was compromised. Each document on the site was embedded with links to sales websites that claimed to sell everything from Ralph Lauren merchandise to golf clubs. The links began immediately following a div element titled "footer_column".

All of the links, which included domains registered through a variety of different countries and companies, were hosted on a server in Istanbul by a company called "Sayfa Net", which in turn leases its infrastructure from a host called Radore Hosting. Many of the domains are known spam domains. The domain registrations show classic spam behavior; a single registration would have a registrar in one country, the registrant in another country and would included an email address to a free email service, like gmail. Companies with even the least stringent fraud protection would prevent an automated domain sale under such circumstances. It is very difficult to track down the source of spam using domain registrations in this manner, as those using them are savvy enough to nearly always rely on either a stolen identity or a completely fraudulent identity. More on that soon.

Landing page for floridatrustonline.com demonstrating spam links

I begin by pointing out this specific change to the website because of how obvious it was. Anyone who visited the front page of the website and scrolled down would be able to see this. It would not take any sort of complex security audit to reveal a compromise. It would be obvious that the site has been hacked even to completely non-technical users with no access to the site other than anonymous browsing. I mention this because the site remained defaced for a significant length of time. floridatrustonline.com continues to host malicious files - the site has continued to host malicious files for at least four months, despite efforts to sanitize the site. Adding insult to injury, Google was announcing the site as hacked as early as March 14th:

Google warning message displayed for floridatrustonline.com

In addition to the embedding, over 100 files were uploaded in the root and throughout several subdirectories of floridatrustonline.com. Many of these files contained web scripts that forced those who opened them to visit online pharmacies.

There was more to the hack then just embedding bad links in the footer of documents. Above the header of several files, including the landing page index.html, a bit of javascript checked to determine the User Agent string sent by a website visitor and executed one of two scripts based on the reply. Websites can determine what kind of browser someone uses based on the User Agent string (some browsers and savvy users modify the User Agent string to prevent them from being identified using this bit of information).

code embedded in floridatrustonline.com that opened connections to malicious scripts

The gist of the code above is that if your browser matches any of those in a list, you are referred to a CGI script on a website owned by the person or group that hacked the Florida Trust site, who then forwards you to an advertising affiliate network named ExoClick who finally hands over the traffic to a sales page on Alibaba. The upshot of this is that these hackers are a paid affiliate of ExoClick, who is selling the traffic that the hackers steal from Florida Trust (and a number of other websites) to Alibaba. In the world of blackhat and greyhat affiliate web marketing, the method used to hijack a users browser window to gain surreptitious click traffic is referred to as "popunder" or "clickunder". Even under the best circumstances - as when someone is putting popunders on their own website - it is widely considered spam and an unethical programming tactic. Posting such garbage on a hacked site escalates the practice to the realm of the obviously illegal.

Readers will most likely be familiar with Alibaba - their 2014 IPO was the biggest IPO of all time. ExoClick is similarly a heavy hitter in the world of online commerce, though US readers may not be as familiar with them. Based in Spain, ExoClick's affiliate network made the top 500 Alexa list in 2011, an accomplishment they share with the likes of Google, Ebay and Wikipedia.

I realize this is a huge claim. Let's break down the technical details that lead me to this determination.

We start on the floridatrustonline.com landing page. From there, the malicious code in the header of the page sends visitors to one of two websites, both of which are hosted on the same server by IP address 37.9.53.124. One of these two websites - googleframe.net - executes a file called "wat.cgi?13" that forces the user's browser to open a window which sends the users to ExoClick. Exoclick then immediately forwards the traffic to Alibaba. This process occurs in a single request using an iframe:

The content of "wat.cgi?13" that sends users to Alibaba by way of ExoClick

The second website also sends users to Alibaba, but uses a different methodology to do so. This second methodology also appears to cut ExoClick out of the connection. Remember that users get sent to "wat.cgi?13" if their browser matches a pre-specified list. Many browsers place restrictions on the execution of off-domain iframes by default, which explains why two different methods are used. It is unclear whether the hackers are using a different affiliate network to collect payment for this traffic.

With the second method, users are forced to load a javascript file - "click7.js" on a website called bwinpoker24.com. Instead of directly opening a new window like "wat.cgi?13" in our last example, this javascript file loads a cookie which in turn forces the launch of yet another website in a new window. This behavior avoids many of the iframes prohibitions mentioned previously. The website loaded in the new window is googleframe.net, but it loads a new file this time - "tijaq.cgi?18".

The content of "tijaq.cgi?18"

Notice how this time we go directly to Alibaba's website rather than using ExoClick's website in a referral URL. This may indicate that the hackers are selling this traffic directly to Alibaba, or using an affiliate network other than ExoClick as an intermediary, or ExoClick allows a server-side application to count traffic for reimbursement.

Just to avoid confusion as to the ownership of the sites profiting from this traffic, ,the domain registrations and IP assignments are not obfuscated or consistent with fraud:

$ host s.click.aliexpress.com
s.click.aliexpress.com has address 198.11.136.52
s.click.aliexpress.com has address 205.204.96.48

NetRange:       198.11.128.0 - 198.11.191.255
CIDR:           198.11.128.0/18
NetName:        ALIBABA-US-CDN
OriginAS:       AS45102
Organization:   Alibaba.com LLC (AL-3)
Ref:            http://whois.arin.net/rest/net/NET-198-11-128-0-1

NetRange:       205.204.96.0 - 205.204.127.255
CIDR:           205.204.96.0/19
NetName:        ALIBABA-US-NET
OriginAS:       AS45102
Organization:   Alibaba.com LLC (AL-3)
Comment:        http://www.alibaba.com
Ref:            http://whois.arin.net/rest/net/NET-205-204-96-0-1

Domain Name: aliexpress.com
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2014-10-28T12:38:28-0700
Creation Date: 2006-04-16T11:16:46-0700
Registrar Registration Expiration Date: 2016-04-16T11:16:46-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Registrant Name: Timothy Alexander Steinert
Registrant Organization: Hangzhou Alibaba Advertising Co., Ltd.(杭州阿里巴巴广告有限公司)
Registrant Street: No. 699 Wangshang Road , Binjiang District
Registrant City: Hangzhou
Registrant State/Province: Zhejiang
Registrant Postal Code: 310052
Registrant Country: CN
Registrant Phone: +852.22155100
Registrant Phone Ext:
Registrant Fax: +852.22155200
Registrant Email: dnsadmin@hk.alibaba-inc.com
Name Server: nsp.alibabaonline.com
Name Server: nshz.alibabaonline.com
Name Server: nsp2.alibabaonline.com
Name Server: ns8.alibabaonline.com

---------------------------------------------------------------------------------------------------------------------

$ host syndication.exoclick.com
syndication.exoclick.com has address 64.111.199.222

Domain Name: EXOCLICK.COM
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Registrar Registration Expiration Date: 2015-09-01T12:21:42Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Registrant Name: Benjamin Fonze
Registrant Organization: EXOCLICK, S.L.
Registrant Street: Marina 16-18
Registrant Street: 18B
Registrant City: Barcelona
Registrant State/Province: Barcelona
Registrant Postal Code: 08005
Registrant Country: Spain
Registrant Phone: +34.671646725
Registrant Email: contact@exoclick.com
Name Server: NS1.P23.DYNECT.NET
Name Server: NS2.P23.DYNECT.NET
Name Server: NS3.P23.DYNECT.NET
Name Server: NS4.P23.DYNECT.NET

Note that the Exoclick IP is registered to a company called ISPrime, a hosting provider in New Jersey. I tried to check for a subdelegation, but their RWHOIS times out:

$ whois 64.111.199.222
[redacted]
Found a referral to rwhois.isprime.net:4321.

Timeout.

None of this behavior will strike sysadmins or security professionals as particularly unique or not-worthy; this is an almost text-book example of monetizing a website defacement. What is newsworthy about this is the organizations involved, and their reaction.

At some point, the Florida Local Government Investment Trust, the Florida Association of Court Clerks, their hosting provider DreamHost, some third-party tech support or some combination thereof became aware that floridatrustonline.com had been compromised. Remember how I mentioned that over 100 files forwarding visitors to online pharmacies had been uploaded? Originally these files were scattered throughout the web root directory of floridatrustonline.com. Someone rounded up all of these files and placed them in a subdirectory called "/burnt/", where they remain right now, and are still indexed by Google:

Malicious files remain hosted on floridatrustonline.com/burnt/

The webserver parses these files as webscripts. It is not unusual to configure a web server to parse HTML files as PHP or vice versa. It is unusual to parse PDF files in this manner. I was able to execute these files in a browser; the files attempted to save cookies on my computer and redirect me to another server (similar to the behavior described above). To continue to host these files represents a serious professional oversight.

The malicious scripts on the landing page index.html were removed. It makes little sense for the individual or group who hacked floridatrustonline.com to make these changes. Their own websites continue to host malicious scripts forwarding to ExoClick & Alibaba. Removing the malicious forwards from index.html is consistent with restoring a backup version of the file, an action usually performed by the hosting provider (in this case DreamHost) at a customer's request.

To the best of my knowledge, the Securities and Exchange Commission does not explicitly require corporations to disclose so-called "cyber attacks" (as an aside I find it amusing how everyone in government and no one outside of government uses the prefix "cyber-"); however, disclosure of hacking could be required by rules that govern risks and incidents that an "investor would consider important to an investment decision":

Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. - Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2

The Florida Trust is an organization that manages millions of dollars of tax payer funds. At the very least, such a substantial security breach of their primary online presence should not be swept under the rug. Preventing a disclosure of these events to Florida tax payers is at best completely unethical. (Florida Statutes §§ 501.171, 282.0041, 282.318(2)(i) also apply to these sorts of disclosures - there is a whole host of regulations that may apply to this sort of thing that I can't explain very well because I am not a lawyer).

Furthermore, this traffic has identified that two very large companies - ExoClick and Alibaba Group - are relying on advertising methodology that is illegal. There is no other reasonable explanation for the malicious files pointing directly at the advertising networks of ExoClick and Alibaba. I realize the gravity of this accusation; and I feel it necessary to clarify it a bit.

I have no evidence that proves Alibaba Group is aware that the traffic they receive from ExoClick is, in essence, stolen from websites like floridatrustonline.com. In fact, I find it most likely that Alibaba Group has no idea that what I have described here is occurring. As of this writing, alibaba.com is ranked 59th globally on Alexa, which is a very rough way of demonstrating that it is one of the most frequently visited websites on the planet. Organizations of that scale spend immense amounts of money on advertising, usually with several advertising firms like ExoClick. Identifying, tracking and making sense of the source of all of the traffic that comes pouring in is an incredibly complex task.  Organizations like Google have hired some of the smartest computer engineers alive to tackle that task - and the solutions required frequently terrify people when they learn how invasive such tracking must be to be effective and have lead to class-action lawsuits. So to some degree I sympathize with Alibaba Group.

With that said, the evidence I have uncovered strongly suggests that Alibaba Group money is financing the hackers behind the floridatrustonline.com defacement. Alibaba Group owes the public - and in particular the voters of Florida - in explanation as to why their due diligence has failed to detect this issue before I did. Im just a guy with a computer. It would have been much easier for Alibaba Group to track this sort of activity than it was for me.

ExoClick is in a much less morally ambiguous position. ExoClick is an affiliate advertising network. You sign up for an account and they provide you with a code to embed within your website (or in this case, a series of hacked websites). Every time someone clicks on the code, ExoClick pays you. ExoClick is proud to help their users set up "pop-unders" like we saw on floridatrustonline.com:

ExoClick is proud to ruin your online experience

Under the best of circumstances, this sort of browser behavior has been considered unethical by developers for decades. Its remarkable to see something so contrary to good internet stewardship presented as a normal business practice, as ExoClick does on their website.

For any members of law enforcement that may be reading, it is certain that ExoClick can lead you directly to the individual or group that hacked floridatrustonline.com; they will have a payment history established for googleframe.net and bwinpoker24.com.

ExoClick's means of transferring funds to "advertisers"

Consider for a moment that any of these payment methods would require bank account information to receive in any significant amount. ExoClick's records could lead to a PayPal account, which would lead to either a real bank account or a stolen bank account.

ExoClick prohibits part of the behavior that the floridatrustonline.com hackers engaged in, specifically this part: "The use of any tools that artificially generate impressions or clicks are not permitted." I think it interesting that the guidelines to do not mention any restrictions on spamvertising or the use of hacking or botnets. The guidelines prohibit publishers from "promoting" hacking, but not actually hacking.

ExoClick's publisher guidelines; note that the use of hacking & botnets are not prohibited

I should point out here that, as with Alibaba Group, nothing here represents a "smoking gun" that shows that ExoClick deliberately conspired with the floridatrustonline.com hackers. ExoClick's responsibility is more readily apparent than Alibaba's for a few reasons. First, it is almost certain that at some point ExoClick was directly paying the floridatrustonline.com hacker(s). It is much easier to know your contractor - as ExoClick should have - than it is to know your contractor's affiliate - as Alibaba should have. Second, according to ExoClick guidelines, ExoClick employees would have been required to communicate directly with the floridatrustonline.com hacker(s): "New Publishers who reach their minimum payment must contact Customer Services (click “Contact” above and select the Publisher Payments department) to request the activation of the first payment." Finally, all ExoClick would have needed to do to see how awful this affiliate is would have been to put one of the domain names they were billing for through a search engine. Floridatrustonline.com is not the only website that was hacked by this group. I have identified several dozen other websites compromised by this same group - many of these sites have been complaining to Wordpress publicly for months that this specific hacker (or group) was using a vulnerability in a Wordpress theme to deface their websites:

Another victim of the floridatrustonline.com / googleframe.net hackers seeks support from Wordpress

I hope that pointing light on this event will compel the Florida Trust to implement greater transparency in their online disaster recovery practices. I hope Alibaba Group will begin to pay closer attention to who they do business with. I hope ExoClick will decide to join the rest of the successful advertising industry in adopting fraud prevention measures. And I hope that law enforcement uses my findings to hold the googleframe.net hackers responsible.

I have additional notes and research available to interested parties upon request. If you feel I have posted something here that is inaccurate or unfair, contact me and let me know how I have made a mistake - if I have printed a factual error the likelihood of me complying with a civil correction request is 100%.