
A large-scale hacking campaign is compromising government and university websites to host articles about hacking social network accounts, which in turn lead to malware and scams.

BleepingComputer first learned about this campaign after security intelligence firm Cyble shared a screenshot of the UNESCO.org site compromised to host an article on how to hack Instagram accounts.

Hacked UNESCO site

Clicking on the embedded link brought you to a website that pretends to be an Instagram hacking tool that can hack into users' accounts.

If you try to use this tool, it goes through a series of fake steps, as illustrated in the video below, and ultimately tells you to download a file to finish the hack. Clicking the download link, though, redirects you to sites pushing malware, scams, and adware bundles.

Part of a larger successful hacking campaign

After learning of this compromise, BleepingComputer investigated further and found many other college, government, and organization sites hacked to promote fake hacking tools for Netflix, WhatsApp, Facebook, Instagram, TikTok, and Snapchat.

Example TikTok hacking searches

Some of the sites targeted in this campaign are government sites for San Diego, Colorado, and Minnesota, as well as sites for UNESCO, the National Institutes of Health (nih.gov), National Cancer Institute (cancer.gov), Rutgers, University of Washington, Arizona State University, Rochester Institute of Technology, University of Iowa, Maryland University, and University of Michigan.

From the samples observed by BleepingComputer, the threat actors exploit vulnerabilities in CMS platforms to insert their own hosted articles. One of the common methods we saw was to exploit Drupal's Webform component to upload PDFs with links to the fake hacking tools.
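For administrators of affected CMS sites, one way to audit an upload directory for PDFs like those described above. This is an added example, not code from BleepingComputer or Cyble. The function names, the `example.edu` host, the "hack" plus platform-name heuristic, and the caller-supplied upload directory are all assumptions, and encrypted PDFs or hex-encoded strings are not handled.

```python
import re
import zlib
from pathlib import Path
from urllib.parse import urlparse

# Platforms the article names as lures for the fake "hacking tools".
BRANDS = ("netflix", "whatsapp", "facebook", "instagram", "tiktok", "snapchat")
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# Constructed sample (PDF fragments): a same-site link, and an external link in a Flate stream.
SAMPLE = (
    b"1 0 obj << /A << /S /URI /URI (https://www.example.edu/about) >> >> endobj\n"
    b"2 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /URI /URI (http://tool.example/instagram-hack) >>")
    + b"\nendstream\nendobj\n")

def pdf_views(data):
    """Yield the raw bytes, then every stream that inflates as zlib data."""
    yield data
    for match in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # other filter, image data, or encrypted content

def inspect_pdf(data, own_hosts):
    """Return (external_uris, lure_terms) found in one PDF's bytes."""
    uris, terms = set(), set()
    for view in pdf_views(data):
        low = view.lower()
        if b"hack" in low:
            terms.update(b for b in BRANDS if b.encode() in low)
        for raw in URI_RE.findall(view):
            uri = raw.decode("latin-1")
            try:
                host = (urlparse(uri).hostname or "").lower()
            except ValueError:
                host = "invalid"  # malformed URI: report it rather than skip it
            if host and host not in own_hosts:  # relative links have no host
                uris.add(uri)
    return sorted(uris), sorted(terms)

def scan_uploads(root, own_hosts):
    """Return {path: (uris, terms)} for PDFs with both external links and lure terms."""
    found = {str(p): inspect_pdf(p.read_bytes(), own_hosts)
             for p in Path(root).rglob("*.pdf")}
    return {p: r for p, r in found.items() if r[0] and r[1]}
```

Call `scan_uploads()` with the site's public upload directory and the set of hostnames the site legitimately links to. Review every hit by hand, since the keyword match is only a heuristic.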

To make matters worse, the threat actors have successfully used blackhat SEO so that these 'hacking tools' are promoted as the first search result for generic keyword searches in Google.

First spot in Google searches

When clicking on these links, users will be brought to fake hacking tools similar to the Instagram site we demonstrated above.

For example, the first search result for the 'hack TikTok account' Google search is for a site hosting a fake TikTok hacking tool, as shown below.

Fake TikTok hacking tool

All of the tested sites behave the same way: they pretend to hack the platform, then state that they failed and that you need to download a program to continue.

Clicking on these links leads to scams asking for personal information or credit card information, or prompts you to download an assortment of malware and adware bundles.

Cyble told BleepingComputer that one of the distributed malware files installed Emotet, but we were not offered this infection in our tests.

This attack is similar to our report last month on how government sites were being abused to redirect users to adult sites.

At that time, we were concerned that attackers would abuse the low security of government and college websites to distribute malware. Unfortunately, that is exactly what is happening in this campaign.

It goes without saying that hacking into another person's account is illegal. This campaign also illustrates that attempting to do so could lead to malware infections that install ransomware, steal your password, or even your files.
