Hackers Exploit 14-Year-Old CMS Editor on Government and Education Websites for SEO Poisoning

Cyber Attack

Hackers are exploiting a 14-year-old CMS editor, FCKeditor, which has been discontinued since 2010, to compromise government and education websites globally. They're leveraging open redirects, allowing arbitrary redirections to external URLs without validation, to execute phishing attacks, distribute malware, and scam users under the guise of legitimate domains.

The attackers target outdated FCKeditor plugins, particularly on educational institutions like MIT, and Columbia University, and government entities such as Virginia and Austin, Texas government sites. Spain's government site and Yellow Pages Canada are also among the victims.

These compromised FCKeditor instances blend static HTML pages with malicious redirects. For instance, a link on Google might lead to a legitimate university domain presenting a fake news article about tinnitus remedies, promoting other content pages within the compromised instance. Eventually, the threat actors swap these pages for redirects to malicious sites, exploiting the trustworthiness of the domain to rank higher in search engines.

While FCKeditor's maker deprecated the software in 2010, the persistence of its usage in institutions, even 13 years later, exposes vulnerabilities. This exploitation echoes previous campaigns where government sites were manipulated to redirect users to fake OnlyFans and adult sites.

The situation underscores the need for institutions to update and secure their software infrastructure regularly. Given that companies like Google and Microsoft do not always classify open redirects as flaws, the responsibility lies with organizations to address such vulnerabilities proactively. Failure to do so not only compromises their own security but also facilitates broader cyber threats.