
Blogger Traffic Source Spam / StumbleUpon Hacked?

{Update: there is a new bit of Linux malware making the rounds that likes to play games with iframes. Comprehensive descriptions of the exploit are listed below - of particular interest is the write-up on CrowdStrike. I don't have enough data to know for sure if the two events are related, as nothing I administer has been compromised, but the iframe mechanism is fairly unique in both cases.

https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections
https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012
http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html
http://linux.slashdot.org/story/12/11/20/1733237/new-linux-rootkit-emerges
Here is my comment on the Slashdot article:
http://linux.slashdot.org/comments.pl?sid=3263519&cid=42074663}

I usually take a quick look at this site's traffic and referral sources following a post. One of the great things about having a circulation close to zero is that any traffic whatsoever represents geometric growth. Traffic is up 100% from 30 days ago and 1000% from 9 days ago! Don't worry about taking notes now - all of this will be included in the prospectus for the soon-to-be-announced-but-inevitable IPO.

It was during one of these regular reviews that I came across something I wasn't used to: traffic referrals from a large and reputable website, StumbleUpon.


Usually the top traffic sources in my Blogger dashboard are reserved for Russian advertising affiliates and my mom. Interested, I clicked on the link and was sent here:


This is more like what I am accustomed to seeing. But why is stumbleupon.com connecting to Blogspot, and in particular to my blog, which is not listed in StumbleUpon? In this case the referral ostensibly comes from an organization called "PaidSocialMediaJobs" by way of Twitter. Why did they connect to each of my blogs exactly 14 times?

I'm thinking this is a cheesy way to get some referral traffic. But is that all that is happening? If referral traffic is the point, why not just host a server in Russia somewhere - why go through an intermediary at all? Without server access I don't have a lot of data to go on.

UPDATE: Another widely viewed site has been compromised. The victim this time is Apartment Ratings, and the method is a JavaScript page that, like before, allows me to control what is loaded in the iframe directly from my browser.


Second Update / Issue Resolved: StumbleUpon appears to have resolved the issue - I can no longer manipulate frames on their domain in the same manner I was able to previously. Kudos to StumbleUpon for a quick fix.
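
For site owners who run a framing page like the ones described above, here is one way to stop the browser from choosing what gets loaded in the iframe. This is an added example, not code from this post's author, StumbleUpon or Apartment Ratings; the function name, the allowlisted hosts, the fallback URL and the `url` parameter mentioned in the comment are all assumptions.

```javascript
// Added example: validate an iframe target that arrives in a request
// parameter before the page ever assigns it to iframe.src.
// Host names and URLs below are constructed placeholders.
const ALLOWED_FRAME_HOSTS = new Set(["content.example.com", "blog.example.org"]);
const FALLBACK_URL = "https://www.example.com/";

function resolveFrameTarget(rawTarget, pageOrigin = "https://www.example.com") {
  const reject = (reason) => ({ url: FALLBACK_URL, reason });

  if (typeof rawTarget !== "string" || rawTarget.length === 0 || rawTarget.length > 2048) {
    return reject("missing-or-oversized");
  }
  let parsed;
  try {
    // Resolve against the page origin so relative and protocol-relative
    // inputs ("//host/path") are judged by the host they actually reach.
    parsed = new URL(rawTarget, pageOrigin);
  } catch (err) {
    return reject("unparseable");
  }
  // Only https content may be framed; this also drops javascript: and data:.
  if (parsed.protocol !== "https:") {
    return reject("scheme-not-https");
  }
  // "https://trusted@other-host/" reads as trusted at a glance but loads other-host.
  if (parsed.username !== "" || parsed.password !== "") {
    return reject("userinfo-present");
  }
  // Exact host match: suffix or substring checks let look-alike hosts through.
  if (!ALLOWED_FRAME_HOSTS.has(parsed.hostname)) {
    return reject("host-not-allowlisted");
  }
  return { url: parsed.href, reason: "ok" };
}

// Hypothetical use in the framing page (parameter name "url" is assumed):
//   const target = new URLSearchParams(location.search).get("url");
//   frame.src = resolveFrameTarget(target, location.origin).url;
```

Logging the `reason` for every rejected request gives the site a record of attempts to point the frame somewhere else, which is the data a referral-log review alone does not show.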