Monday, February 04, 2013

Check Your Template, And Look For Unfamiliar JavaScript Code, Following Odd Blog Behaviour

Recently, we've been seeing some odd problem reports in Blogger Help Forum: Something Is Broken, suggesting deviously hijacked blogs.

"My blog is requesting me to login, using a user name and password, when I view it."

Given the URL of the window requesting the login, it's a simple matter for us to use the right forensic Internet software, and to locate a relevant snippet of code, frequently installed as part of the blog template.

Sometimes, when we reply to the blog owner with advice to remove a bit of dodgy code, we get a response suggesting disbelief. Our advice

"Use the Template Editor, and remove the highlighted code snippet."

may receive a confused or skeptical response.

"Where did that bit of code come from? I never installed that!"

How did the code in question get installed? Discussion of one possible scenario may require thinking outside the box. Not every unrecognised blog change is being caused by memory loss by the blog owner, after an intentional accessory install or template tweak.

Looking at the subject / theme of some blogs involved in recent problem reports, we're seeing the beginning of a trend, which may indicate a new - and very subtle - blog hijacking technique. We know that Blogger blogs are subjected to brute force password guessing attacks, and we know that Blogger / Google has to consider the possibility that a brute force attack is detected only after the attack was successful.

Current blog security, and defense against blog hijacks, involves detection of hijack attempts, by Google Security. It's possible that some blogs, depending on the owning Blogger account and its password, are more vulnerable to sophisticated password guessing.

When you log in to Blogger or Google, you hopefully know the right account name and password, and are generally able to get logged in - after maybe one or two mistakes. You learn, soon enough, that if you have to guess your account name or current password - and you require more than a couple of tries - you may have to solve yet another CAPTCHA, or request account unlock, to continue.

The ever unpopular CAPTCHA / locked account comes from Google, detecting a possible brute force attack in progress, and protecting your account and your blogs. A Blogger blog, with its content providing enough clues, combined with a simple account password that is easily guessed, may allow an experienced hacker to log in to your account in one or two tries, without being detected by Google attack monitors.

Alternatively, it's possible that some attacks are being conducted by very patient hackers, who are able to use days, and / or thousands of different computers, to conduct a throttled brute force password attack. Again, the attack proceeds without providing a detectable pattern.

This may help to explain the mysterious spam blog setups, of last year.

A hacker, able to log in to a Blogger account without being detected, could install small changes in a blog template without ever being discovered. The blog owner would never discover subtle template changes, made by an easily satisfied hacker.

Finally, the hacker could install latent code that does not activate immediately, as we observed during Winter 2009 / 2010, so no blogs show symptoms until the hack is installed on thousands of blogs. If one or two blog owners discover the odd code in their blogs, who would ever suspect their blog being part of a massive cloud of victims?

If you report odd behaviour by your blog to Blogger Help, and you are advised to remove a bit of dodgy code from the template - and you do not remember having installed the noted dodgy code - you may want to review your Blogger / Google password, and make the password harder to guess. Better still, start using 2-step verification for logging in to your Blogger / Google account.
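One way to carry out the template check described above, as an added example that is not part of the original post: the Python below lists every script element in a saved copy of the template, with its line number, so unfamiliar code stands out. The KNOWN_HOSTS allowlist, the function name and the sample template are assumptions constructed for this illustration.

```python
import re
from urllib.parse import urlparse

# Hosts the blog owner knowingly loads scripts from. Assumed for this example; edit for your blog.
KNOWN_HOSTS = {"www.blogger.com"}

SCRIPT_OPEN = re.compile(r"<script\b([^>]*?)(/?)>", re.I)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.I)
SRC_ATTR = re.compile(r"""(?<![\w-])src\s*=\s*(['"])(.*?)\1""", re.I | re.S)


def inventory_scripts(template, known_hosts=KNOWN_HOSTS):
    """List every <script> in a saved template, marking the ones the owner should review."""
    findings, pos = [], 0
    while (tag := SCRIPT_OPEN.search(template, pos)):
        line = template.count("\n", 0, tag.start()) + 1
        pos, body = tag.end(), ""
        if tag.group(2) != "/":  # not self-closing, so collect the inline body
            close = SCRIPT_CLOSE.search(template, pos)
            body = template[pos:close.start() if close else len(template)].strip()
            pos = close.end() if close else len(template)
        src = SRC_ATTR.search(tag.group(1))
        if src:
            host = urlparse(src.group(2)).netloc.lower()
            findings.append({"line": line, "kind": "external", "detail": src.group(2),
                             "review": host not in known_hosts})
        if body:
            # Inline code cannot be judged by host, so it always goes to the owner for review.
            findings.append({"line": line, "kind": "inline", "detail": body[:60], "review": True})
    return findings


# Constructed sample, standing in for a template saved from the Template Editor.
SAMPLE_TEMPLATE = """<html>
<head>
<script src='https://www.blogger.com/static/v1/widgets/example.js' type='text/javascript'/>
<script type='text/javascript' src='http://widgets.example.net/counter.js'></script>
</head>
<body>
<script type='text/javascript'>
//<![CDATA[
var greeting = 'hello';
//]]>
</script>
</body>
</html>"""

if __name__ == "__main__":
    for f in inventory_scripts(SAMPLE_TEMPLATE):
        print(f"line {f['line']:>3}  {f['kind']:<8}  {'REVIEW' if f['review'] else 'known '}  {f['detail']!r}")
```

Keeping the output from a run made while the blog is behaving normally gives a baseline, so a later run shows exactly which script entries are new.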
