Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Stanford University Site Hosted Phishing Pages for Months

Hackers compromised the website of the Paul F. Glenn Center for the Biology of Aging at Stanford University to deploy phishing sites, hacking tools, and defacement pages since January, Netcraft has discovered.

Hackers compromised the website of the Paul F. Glenn Center for the Biology of Aging at Stanford University to deploy phishing sites, hacking tools, and defacement pages since January, Netcraft has discovered.

The website was compromised on Jan. 31, and multiple hackers exploited security gaps to deploy their malicious pages over the next several months. During the initial compromise, the hacker placed a rudimentary PHP web shell named wp_conffig.php into the top-level directory of the website, and the naming scheme allowed the shell to remain accessible for four months.

The anonymously accessible web shell on the server allowed for further compromise although the Stanford site was updated to the latest release of WordPress (4.7.5) on 20 April 2017. Thus, a second web shell was deployed on the server by May 14, Netcraft reports. However, the server didn’t run the latest version of PHP.

The second shell was based on the WSO (Web Shell by Orb) script, “which displays directory listings and offers several other hacking tools that can be used to crack passwords and gain access to databases,” Netcraft explains. In an attempt to make the shell difficult to spot, the actor named it config.php.

Six minutes later, an HTML file named Alarg53.html that only displayed the message “Hacked by Alarg53” was also uploaded on the server. Similar defacement pages can be found on dozens of other websites, and the security researchers suggest that “the hacker is well versed at using web shells to compromise websites.”

Within hours, a hacker (possibly the same) uploaded two more PHP scripts to the server: w3mailer.php – which allows attackers to send large amounts of spam or phishing emails, and promailer.php – which provides similar functionality but lacks malicious JavaScript code that the former script includes. The obfuscated code downloads an externally-hosted JavaScript file and is executed every time the hacker accesses the page.

On May 15, another hacker took advantage of the compromise to deploy a Chinese HiNet phishing site on the server, to steal webmail credentials from customers of the Chunghwa Telecom internet service. On May 21, a hacker uploaded a defacement page called TFS.html, and another HiNet phishing site was deployed later the same day.

Advertisement. Scroll to continue reading.

On May 23, two archives were uploaded to the server and were extracted to multiple locations to create several phishing sites targeting users of Office365 and LinkedIn. The next day an archive containing a generic phishing kit to steal a victim’s email address and password was uploaded to the server.

Dubbed, a phishing kit uploaded on May 27 was targeting SunTrust Bank users with a fraudulent login form. Each of the kits used a different set of email addresses to collect the stolen credentials, and the security researchers suggest different actors were behind each of them.

Two of the phishing kits were removed from the server on May 29, along with the directories they were unzipped into, and Netcraft believed a rival hacker did this, considering that no other phishing kit or hacking tool was removed. A second SunTrust phishing kit was uploaded the same day.

“A single Stanford University website has ended up hosting several hacking tools that have likely been used by multiple hackers to deploy a similar number of phishing sites onto the server. Failing to notice and remove the hacking tools could well have compounded the problem by facilitating the more recent compromises,” Netcraft concludes.

Related: Russian Black Hat Hacks 60 Universities, Government Agencies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.


Reddit says its systems were hacked following a sophisticated phishing attack aimed at employees.