Netgear's WiFiFamily blog

An anonymous vigilante has taken matters into his own hands and removed malware from a Netgear site after the company failed to clean up a two-year-old malware infection.

The vigilante acted after the discovery of a malware infection on WiFiFamily, a Netgear-sponsored website that published articles on the use of various Netgear products.

Derek, the security researcher behind the MyOnlineSecurity portal, tipped Bleeping Computer about the hacked site. He also documented the Netgear site's compromise on his blog.

Netgear site hosting tech support scams

The researcher said he found the site after going through recent spam emails. The emails contained links to the WiFiFamily site. Accessing these links, Derek found fully functional tech support sites that were hosted on Netgear's WiFiFamily portal.

The HTML files containing the tech support pages were hosted in the site's "/wp-content/uploads/" folder (the WiFiFamily site runs on the WordPress CMS).

That alone showed the site was compromised. WordPress serves uploaded media from this folder, so files in it are meant to be publicly reachable, but the CMS itself never writes HTML or PHP pages there; scam pages and a PHP script in uploads mean someone other than WordPress put them there. Derek also found that the folder returned directory listings, exposing everything stored in it. Whether a listing is shown is a web-server setting (Apache's Options Indexes, nginx's autoindex), not a WordPress one, and most hosts leave it off, so the listing made the compromise visible rather than causing it.

"There are spam posts on the site, allegedly posted by Netgear Admin and various other names," Derek says. "There are also open directories under http://www.wififamilyblog.com/wp-content/uploads/ which clearly show multiple compromises, redirects to sex sites, scam sites and god knows what else."

Some of the malicious files stored on the Netgear site before a vigilante deleted them [Source: MyOnlineSecurity]

The timestamps of some of the malicious files in that folder go back to February 2015, a month after the domain was registered, which suggests the site was compromised almost as soon as it went online. File modification times are set by whoever writes the file and can be changed afterwards, so they indicate rather than prove when the intrusion began.

Vigilante finds PHP shell and uses it to remove malware

Derek tweeted at the parties involved in managing the site. The fact that Netgear had not detected and cleaned the site in all that time appears to have angered at least one reader: just after Derek published his findings, an anonymous user with the nickname "Vigilante" replied.

"Found a shell here hxxp://www.wififamilyblog.com/wp-content/uploads/modx.php," the vigilante said. "Password was root. Deleted uploads folder."

The user's action removed the malware from the Netgear site, but it also made the anonymous user a criminal, and it was not a real clean-up. Deleting the whole uploads folder destroyed every legitimate image and attachment the blog's posts referenced along with the malicious files, and it left the rest of the compromise untouched: the spam posts published under the "Netgear Admin" account live in the database, not in uploads, and whatever gave the attackers write access in the first place (a vulnerable plugin or theme, or a stolen WordPress login, for example) was neither identified nor fixed, so the site could be re-infected at any time.

"That is not an action I can approve of," Derek said. "Legally you are in a worse position than the criminals who hacked the website. You deleted or damaged something. They didn’t cause any damage to the site."

Legally speaking, Derek is right. Users should never take such steps against websites they don't own. First, because accessing a system without authorization is a crime in most jurisdictions (under the US Computer Fraud and Abuse Act or the UK Computer Misuse Act, for example), and a good motive is not a defence. Second, because it destroys the evidence an investigation needs: the shell itself, the uploaded files and their timestamps, and the chance to correlate them with the server's access logs to find out how the attackers got in. The best course of action is to inform the website owner or its hosting provider, and law enforcement or a national CERT.

UPDATE: A Netgear spokesperson provided the following statement on the incident:

The web page wififamilyblog.com was a legacy third-party promotional site sponsored by NETGEAR for the marketing of certain mobile WiFi HotSpots. The site was not owned or maintained by NETGEAR.

NETGEAR has since requested that the agency responsible for the blog site pull it down as we continue to look into the matter.
