CSIS websites hacked with pharma malware

Rogue Viagra vendors  have successfully hacked CSIS, the government agency charged with analyzing and investigating threats to Canada’s cyber security .

Google search results show that CSIS sites are infected with so-called pharma malware. since 2011. The search engine warning “this site may be compromised” appears on dozens of pages in in both English and French for www.csiscareers.ca and www. carriereauscrs.ca.

The second item (see screenshot below) returned in a Google search for “CSIS careers” showed up Tuesday as “April 15, 2013 – viagra no prescription cheap. Canadian Security Intelligence Service.”

Screen shot 2013-04-23 at 1.03.45 PM
Copyright Ann Brocklehurst

According to on-line resources, the pharmacy hack is one of the most common spam attacks and a frequent subject of discussion on Google Webmaster tools. The spammy links for Viagra, Cialis, Xanax and other drugs are “cloaked” or hidden from site visitors so the web pages in question appear normal, but the hacked content is visible to Google and other search engine robots.

They content is unlikely to harm visitors’ computers, but will often bounce them over to the hackers’ website.

Screen shot 2013-04-23 at 1.29.51 PM

The Google warning notes, “We show this warning message for search results that we believe may have been hacked or otherwise compromised. If a site has been hacked, it typically means that a third party has taken control of the site without the owner’s permission. Hackers may change the content of a page, add new links on a page, or add new pages to the site.”

CSIS did not respond Tuesday when asked for comment, but there have been multiple visits to my website from government of Canada IP addresses since I first posted on this problem yesterday and it appears, from changing Google search results, that steps are being taken to clean the malware off the CSIS sites.

The domains http://www.csiscareers.ca and www. carriereauscrs.ca are separate from the main CSIS website, www.csis-scrs.gc.ca, which shows no signs of being hacked. However a search of the online directory DomainTools shows they are registered to the Canadian Security Intelligence Service and lists an administrative contact with a Canadian government e-mail address.

The same contact is given for eight other CSIS-related domains including http://www.csiscareers.net and http://www.csiscareers.com, none of which appear to be live websites.

On its website, CSIS notes that it will “analyze and investigate domestic and international threats to the security of Canada, responding to the evolution in cybersecurity technologies and practices.”

More screenshots that illustrate the hacking are shown below.

Screen shot 2013-04-23 at 4.40.19 PM
Copyright Ann Brocklehurst
Screen shot 2013-04-23 at 4.46.04 PM
Copyright Ann Brocklehurst


One thought on “CSIS websites hacked with pharma malware

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s