Website “hack” ? - What happened?

What happened?

• A technical vulnerability left the KOTESOL website open to a “link spam injection attack.” This led to inappropriate text and links appearing on some webpages.
   

What is a “link spam injection attack”?

• This is an attack on a website where a bot or paid scammer attempts to inject or push content into a webpage using scripts designed to exploit a technical vulnerability. This type of attack focuses on pushing (or injecting) content into a website, not pulling (personal) data out. At the national level, personal contact information for KOTESOL officials is available ONLY to paid and logged-in current members. Member and user data are available only to four website administrators.
   

Was this a direct, personal attack?

• No, though these attacks may feel personal, especially if a personal bio page was changed. A variety of types of webpages had text injected, though, including the “Bio” pages for KOTESOL officials and presenters. The text was injected by a bot or a paid scammer, not someone specifically targeting individuals. Injected content included some sex-based site links, but more casino and Bitcoin scam site links were injected.
   

Why were personal bio pages targeted?

• They were not targeted specifically. A variety of types of webpages had links injected: Events, Sig, News, and others, including the “Bio” pages. Bio pages are a very large proportion of the KOTESOL website, almost 19% of total KOTESOL website pages. Of the pages found and cleaned by the Technologies Committee, roughly 19% were Bio pages, consistent with ratio of page types on the website.
   

Why does link spam happen?

• Money! This attack is indicative of an unscrupulous search engine optimization (SEO) company. It is done to raise the Google/Bing/Yahoo/other search page placement for the linked-to pages. Links for the paying client's site (porn/gambling/Bitcoin) are injected into random unrelated websites so that Google, etc., will scan them and determine, “This site is popular, here is another link to it,” and give them a higher page rank. The aim is to reach the front page of any search results.
   

Why did this happen to the KOTESOL website?

• A Drupal software vulnerability was not found and patched in time. Just as with any computer system, vulnerabilities are found on a regular basis. If you have a Windows computer, Microsoft wants to update it each second Tuesday (“Patch Tuesday”) of every month; more often than that if it is a critical update.
   

Going forward, what will happen?
What has been done to prevent future attacks?

• The underlying code (PHP Code) for the entire site was removed, regardless of scanned certifications, and replaced with certified good code from the official Drupal download repositories. All module updates have been installed, scanned, and certified so that the code exactly matches the official Drupal repositories. This was also done last year when the website was first attacked. Hackers learn quickly and tend to develop new hacks!
   
• The KOTESOL website will be monitored more closely for any further occurrence of this issue, and manual scanning will continue to search for any affected pages that may have been missed.
   

How often do attacks like this happen?

• Website attacks happen literally thousands of times a day. Every website gets hit, and you've undoubtedly read about something like this before. Probably 90% or more of the daily traffic directed at the KOTESOL website is an attack or vulnerability probe of some kind. This has been the case ever since KOTESOL first got a website, and the attacks increase every year that passes.
   

Is Drupal (KOTESOL’s content management system) really secure?

• Yes. Drupal is one of the most robust and secure content management systems available. It is used by:
  Zoho, IBM, AMD, CVS Health, Tesla, the Grammy Awards, NASA, Nokia, The European Commission, The City of London, UNICEF Innovation Fund, Metro France, General Electric, Wish, Rainforest Alliance, Oxford University, Harvard University, MIT, Stanford University, Duke University, UCLA, University of Arizona, Penn State, just to name a few.
   
• Note that if you search for “link injection” in your favorite search engine, nearly all pages discuss WordPress; Drupal injection appears to be rather rare.
   

What is happening with the KOTESOL website replacement?

• The new website is currently under construction. It will, of course, have the most up-to-date protection available.
   

What should I do if I find a suspicious link or weird text on the KOTESOL website?

• Don’t click it! Please contact our Technologies Committee (admin@koreatesol.org) as soon as possible.
   

KOTESOL's leadership apologizes profusely for the embarrassment and annoyance this has caused.