Microsoft is the creator of Windows, having helped to lay the bedrock for what we know today as the World Wide Web. One would expect a founding father of cyberspace to provide ultimate security. But apparently that wasn’t the case when unknown attackers hacked the company’s Digital Constitution and embedded it with online gambling promotional material.
Digital Constitution was developed by Microsoft to help promote its long-running campaign against government surveillance of online activities. The site is devoted to protecting the privacy of internet users in today’s digital world. It has absolutely nothing to do with online gambling; or at least, it didn’t before casino spammers got ahold of it.
According to a recent publication on Network World, the Microsoft-owned website was hacked and “injected” with SEO and embeds to promote online gambling. It seems the hacker(s) were able to exploit the website due to its use of an outdated, and obviously vulnerable, version of WordPress.
ZDNet Reveals Digital Constitution Hacked w/Online Gambling Content
The incident was first reported by ZDNet, who posted a screenshot of embedded online gambling text and keywords. The report indicated that the “site appears to have modified around 9:15pm on Wednesday”. The online-gambling-related source code was still visible on the website’s backend at that time on June 18, but has since been removed.
At the base of the source code, where webmasters generally place strong keywords to support prime indexing in search engines like Google, was a list of online gambling related keywords and phrases. These included “online casino”, “craps”, “bonus”, “roulette”, “blackjack” and other similar expressions.
“Some new pages have been injected to show content that embeds content from other casino-related websites,” read the initial report. “The rest of the site’s content appears to be intact.”
ZDNet found that the Digital Constitution website was running WordPress version 4.0.5 at the time the attack was discovered, and had not been updated by Microsoft since April 2015. However, in early May, a newer version of WordPress, 4.2.2, was issued as a ‘critical security release’.
Older Versions of WordPress Vulnerable to Cross-Site Scripting
According to WordPress, versions 4.2 and earlier “are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.” That certainly seems to be the case with Digital Constitution.
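The two signals the article describes, an outdated WordPress version advertised by the site and a cluster of casino keywords injected at the bottom of the page source, can both be checked from a page's HTML. The following is an added example written for this article, not code from ZDNet, Microsoft or WordPress; it assumes the site still emits WordPress's default `<meta name="generator">` tag, uses the keyword list quoted above, and runs on a constructed sample page rather than the real site.

```python
import re
from html.parser import HTMLParser

MIN_SAFE_WP = (4, 2, 2)  # the "critical security release" named in the article
SPAM_TERMS = {"online casino", "craps", "bonus", "roulette", "blackjack"}

class _PageScan(HTMLParser):
    """Collects the generator meta tag and all visible text."""
    def __init__(self):
        super().__init__()
        self.generator = None
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")

    def handle_data(self, data):
        self.text.append(data)

def wordpress_version(html):
    """Return (major, minor, patch) from the generator tag, or None if absent."""
    p = _PageScan()
    p.feed(html)
    m = re.search(r"WordPress\s+(\d+)\.(\d+)(?:\.(\d+))?", p.generator or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None

def is_outdated(version, minimum=MIN_SAFE_WP):
    # Tuple comparison gives (4, 0, 5) < (4, 2, 2), matching the article's case.
    return version is not None and version < minimum

def spam_terms_found(html):
    """Sorted list of known casino keywords present in the page text."""
    p = _PageScan()
    p.feed(html)
    text = " ".join(p.text).lower()
    return sorted(t for t in SPAM_TERMS if t in text)

def scan_page(html, min_terms=3):
    """Flag a page that is both on an old WordPress and carries a keyword cluster."""
    ver = wordpress_version(html)
    terms = spam_terms_found(html)
    return {"version": ver, "outdated": is_outdated(ver), "spam_terms": terms,
            "flagged": is_outdated(ver) and len(terms) >= min_terms}

# Constructed sample page, modelled on the injection the article describes.
SAMPLE = """<html><head><meta name="generator" content="WordPress 4.0.5"></head>
<body><p>Protecting privacy online.</p>
<div style="display:none">online casino craps bonus roulette blackjack</div>
</body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE))
```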
“Based on the kind of content injected into the site, it does not appear to be a cyberattack claimed by any particular group or hacker — more likely a scammer who’s able to exploit a weakness in an older version of the site’s software,” said ZDNet.
Dan Goodin of Ars Technica chimed in on the situation by pointing out that, “It’s not unusual for hack-by-numbers exploit kits to automatically inject malicious links into vulnerable pages that when viewed by vulnerable computers, perform drive-by download attacks.”
When contacted for comment on the criminal injection of online gambling related SEO on Digital Constitution, Microsoft responded to Ars Technica with nothing more than the simple statement: “It’s fixed.”
There’s an obvious moral to the story here; two of them, in fact. Firstly, running a continuous anti-virus program is crucial for all web surfers, no matter how safe you think the websites you are visiting are (this is Microsoft, after all). And secondly, webmasters should be vigilant in keeping their WordPress files up to date.