I was just looking up some information on CSIS and was shocked to see that, according to Google, its website may be compromised. After all, CSIS is responsible for assessing cyber security threats to Canada. How could it be possible that (part of) their website (second of three shown below) could be hacked by a bunch of rogue Viagra vendors?
Since the domain name http://www.csiscareers.ca doesn’t match the main one — http://www.csis-scrs.gc.ca — I performed a who is search on the hacked site to verify whether or not it might belong to domain squatters. But according to DomainTools, it is indeed owned by someone with a government of Canada e-mail address.
I called the listed phone number to confirm whether it was CSIS and reached the person listed by DomainTools as the administrative contact. She declined to speak to me, which is standard practice, or to even confirm whether or not I had reached CSIS, which is not standard practice at other government agencies. She also took my name to pass it on to someone in the press office who would be able to speak to me.
I clicked through to the third site shown in the image above — a non-hacked www.csiscareers.ca subdomain — to try and see if it was official and it does indeed appear to be. Here’s a screenshot complete with CSIS logo.
Then in an act of daring that put my computer at risk, I clicked on the hacked site (proceed at your own risk) and it appeared perfectly normal despite Google’s warning which states:
We show this warning message for search results that we believe may have been hacked or otherwise compromised. If a site has been hacked, it typically means that a third party has taken control of the site without the owner’s permission. Hackers may change the content of a page, add new links on a page, or add new pages to the site.
At this point, without hearing from CSIS, it’s still not clear whether this was an actual CSIS site that was hacked or an imposter site, but it sure looks like the former, which is not good. Even if there’s no secure information on the site, it’s certainly bad optics.
Update: I have done some more research and come up with lots of weird results for http://www.csiscareers.ca in both English and French (see the screengrabs below), but in all cases when I clicked through, the web pages themselves appeared normal.
Update II: www.csiscareers.ca appears to have been hit by the “pharmacy hack” or “pharma malware,” which, according to the blog Red Leg, is “the most common spam hack.” In a detailed web post on the issue and how to fix it, the blogger writes:
The pharmacy hack remains one of the most common posts we see on the Google Webmaster Tools Forum. The posts’ start out with one of the following questions … “Why is Google reporting my most common keyword is viagra or cialis, I can not find those terms anywhere on my site?”