Content Delivery Network (CDN) providers are now being abused by cyber miscreants to deliver malicious payloads to victims' PCs.
Before we go further let us first acquaint ourselves with the term Content Delivery Network (CDN).
When a user requests to view news, visit a shopping site or watch YouTube videos, he may experience latency while the web page loads. The delay is caused by a number of factors, the most important being the physical distance between the user and the website's hosting server.
This is where the CDN comes into the picture. Its mission is to shorten this physical distance to improve site rendering performance and speed. A CDN stores a cached version of the content in multiple geographical locations.
A CDN is a network of distributed servers in charge of content delivery. Web pages and other web content are delivered to users on the basis of their geographic location.
For instance, when a user requests a web page, the server node closest to the user delivers the cached website content quickly and reliably, thereby reducing latency.
Web security firm Sucuri (now part of GoDaddy) recently discovered that images hosted on googleusercontent.com, Google's official CDN, are being injected with malicious code inside their metadata fields.
Photos uploaded to the Google+ social network and to Blogger.com sites are the images usually hosted on this domain.
The culprit behind the act is still not known. It is difficult to identify where the images originate from, as the URLs of the images all have the same format and are anonymized.
The modus operandi focused on stealing PayPal security tokens. PayPal is an online money transaction website used to transfer money quickly and easily.
Cyber miscreants accomplished this by injecting malicious code into the EXIF (Exchangeable Image File Format) "UserComment" metadata field of an image and loading that image onto googleusercontent.com.
EXIF is a standard that specifies the formats for images and sounds used by scanners and other systems handling image and sound files.
To complement the Image Description tag, the User Comment EXIF tag is used to hold keywords or comments about the image.
The code contained in that field was a Base64-encoded string. Once decoded, it turned out to be a malicious script that could upload a web shell (a script uploaded to a web server to enable remote administration of the machine) along with various other files to the compromised server. The script could be used to vandalize the server.
As the googleusercontent.com CDN was used to host the images carrying the pernicious script, researchers found it a major challenge to get the images removed.
According to Google's security policies, content that is found to be malicious can be reported and easily removed, but there is no way to report images containing a malicious script. There is a form set up to report copyright infringement, but none for security issues related to malevolent images.
Furthermore, security scans of images are usually skipped by most web-based security scanners, a major gap that cyber miscreants take advantage of. The tools scan for malware in text-based files such as PHP and HTML, but not in the metadata of images loaded on websites.
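The two points above (a Base64 string hidden in the EXIF "UserComment" field, and scanners that never look at image metadata) can be illustrated with a small self-contained checker. The Python below is an added example, not code from Sucuri's report or from this site: it builds a constructed minimal JPEG whose Exif sub-IFD carries a UserComment, then walks the JPEG segments, parses the TIFF/Exif directories, pulls out the comment, attempts a Base64 decode and checks both the raw and decoded bytes for markers that have no business inside an image comment. The indicator list, the sample bytes and all function names are assumptions of this example; the tag numbers and layout follow the public EXIF/TIFF specification.

```python
import base64
import re
import struct
from typing import Dict, List, Optional, Tuple

# EXIF tag numbers from the TIFF/EXIF specification.
TAG_EXIF_IFD_POINTER = 0x8769   # IFD0 entry pointing at the Exif sub-IFD
TAG_USER_COMMENT = 0x9286       # Exif sub-IFD entry holding free-form comment bytes
TYPE_LONG, TYPE_UNDEFINED = 4, 7

# Strings a defender would not expect inside an image comment (assumed indicator list).
SUSPICIOUS = [b"<?php", b"<script", b"eval(", b"base64_decode(", b"system(", b"shell_exec("]


def build_sample_jpeg(comment: bytes) -> bytes:
    """Constructed sample: a minimal big-endian Exif JPEG whose only Exif entry is UserComment.
    Layout inside the TIFF block: header at 0, IFD0 at 8, Exif IFD at 26, comment bytes at 44."""
    user_comment = b"ASCII\x00\x00\x00" + comment          # 8-byte charset code + payload
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)
    ifd0 = (struct.pack(">H", 1)
            + struct.pack(">HHII", TAG_EXIF_IFD_POINTER, TYPE_LONG, 1, 26)
            + struct.pack(">I", 0))
    exif_ifd = (struct.pack(">H", 1)
                + struct.pack(">HHII", TAG_USER_COMMENT, TYPE_UNDEFINED, len(user_comment), 44)
                + struct.pack(">I", 0))
    payload = b"Exif\x00\x00" + tiff + ifd0 + exif_ifd + user_comment
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def find_exif_segment(jpeg: bytes) -> Optional[bytes]:
    """Walk JPEG marker segments and return the TIFF block from the APP1/Exif segment, if any."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None                                     # not a marker: malformed file
        marker = jpeg[pos + 1]
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            pos += 2                                        # standalone markers carry no length
            continue
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4 : pos + 2 + length]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        if marker == 0xDA:
            return None                                     # start of scan: no more metadata
        pos += 2 + length
    return None


def _parse_ifd(tiff: bytes, offset: int, endian: str) -> Dict[int, Tuple[int, int, int, int]]:
    """Return {tag: (type, count, value-or-offset, position of the inline value field)}."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count, value = struct.unpack_from(endian + "HHII", tiff, at)
        entries[tag] = (typ, count, value, at + 8)
    return entries


def extract_user_comment(jpeg: bytes) -> Optional[bytes]:
    """Return the UserComment payload (charset prefix removed), or None if absent."""
    tiff = find_exif_segment(jpeg)
    if tiff is None or tiff[:2] not in (b"MM", b"II"):
        return None
    endian = ">" if tiff[:2] == b"MM" else "<"
    (ifd0_offset,) = struct.unpack_from(endian + "I", tiff, 4)
    ifd0 = _parse_ifd(tiff, ifd0_offset, endian)
    if TAG_EXIF_IFD_POINTER not in ifd0:
        return None
    exif_ifd = _parse_ifd(tiff, ifd0[TAG_EXIF_IFD_POINTER][2], endian)
    if TAG_USER_COMMENT not in exif_ifd:
        return None
    _typ, count, value, inline_at = exif_ifd[TAG_USER_COMMENT]
    start = inline_at if count <= 4 else value              # values of <= 4 bytes are stored inline
    raw = tiff[start : start + count]
    return raw[8:] if len(raw) >= 8 else raw


def inspect_user_comment(jpeg: bytes) -> dict:
    """Pull UserComment, attempt a Base64 decode, and list indicators found in raw or decoded form."""
    comment = extract_user_comment(jpeg)
    result: dict = {"has_comment": comment is not None, "base64_decoded": False, "indicators": []}
    if comment is None:
        return result
    candidates: List[bytes] = [comment]
    stripped = comment.strip()
    if len(stripped) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", stripped):
        try:
            candidates.append(base64.b64decode(stripped, validate=True))
            result["base64_decoded"] = True
        except ValueError:
            pass                                            # looked like Base64 but was not
    found = {n.decode() for c in candidates for n in SUSPICIOUS if n in c.lower()}
    result["indicators"] = sorted(found)
    return result


# Constructed samples mimicking the layout the article describes: a Base64 string in
# UserComment that decodes to a PHP tag. The inner text is a harmless marker, not a payload.
SAMPLE_SUSPICIOUS = build_sample_jpeg(base64.b64encode(b'<?php echo "constructed marker"; ?>'))
SAMPLE_BENIGN = build_sample_jpeg(b"Holiday photo, 2018")

if __name__ == "__main__":
    print(inspect_user_comment(SAMPLE_SUSPICIOUS))   # indicators: ['<?php']
    print(inspect_user_comment(SAMPLE_BENIGN))       # indicators: []
```

The checker stops at the start-of-scan marker because everything after it is entropy-coded pixel data, which is exactly the part a file-type scanner treats as opaque; the metadata segments that precede it are where the hidden string lives, and a plain grep over the file would miss it because the payload is Base64-wrapped.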
The researchers at Virus Removal Guidelines are dedicated to tracking down the latest vulnerabilities which may infringe on your system security. Our team of experts performs detailed research on every malware infection before educating our users about it.