What do the following websites have in common?
- www.alwaysnewyou.com – a health and beauty advice site
- levelvet.com – a Russian shopping site
- www.villahadir.lu – a site describing a restaurant in Luxembourg
These sites and thousands more use a script called “PHPThumb” to manage the images on their webpages. The script allows page designers to fix image sizes, add watermarks and perform other nifty image-related actions when pages are generated.
PHPThumb also includes a vulnerability (already documented over 5 years ago) that allows an attacker to run any code they wish on the target website. Over the last week our labs have seen masses of spam and phishing emails sent from sites that have been hacked using the PHPThumb exploit. The vulnerability allows a hacker to install email-sending code on the web server – usually in the PHPThumb directory. The inserted code (sendme.php) presents a neat and easy-to-use spam/phishing sending page that looks like this:
The form allows a spammer to control all aspects of the sent message:
- The “sender” fields such as “from”, “reply-to”, and sender name
- Target addresses (multiple recipients at once)
- Attachments, HTML-formatted content, etc.
This is an example of a message received from one of the compromised websites:
All Lloyds TSB account holders are to register their account to our new database system for additional security and more effective service.
Follow the log on link below then log in to complete the update process.
Lloyds tsb plc,
All rights reserved.
In our Internet Threats trend report published in July we described the increased use of compromised accounts and spammer accounts to send spam, phishing and malware. The big advantage for spammers is that the messages are sent from reputable IP addresses (in the report we described spam from Gmail and Hotmail). Most spam today is blocked using IP reputation systems that use published blocklists of IP addresses. Using a reputable IP address can therefore help evade anti-spam systems that rely on IP-reputation.
The technique described here is far more effective than a compromised webmail account. The spammer can send an almost unlimited number of emails from the compromised web server. All the emails will come from a single reputable IP address (belonging to the hacked website), reducing the chance that the spam/phishing will be blocked by an IP reputation filter.
For those of you wondering how we spotted this: all the emails sent using this exploit include an X-header that looks something like this: