The UK’s NHS web site (http://www.nhs.uk/), or to be precise, links embedded in it, have been infecting visitors with malware. At the end of the day, it was probably a straightforward typo in the coding of the web page. What lessons can we learn here? How could we have stopped that? Sadly, there’s not much to learn, except that it’s very dangerous out there on the Internet. Here’s why.
There are really very few lessons for the NHS, unfortunately. Triple check all links? I suppose. Monitor your egress on your network and alert if people start going to strange domains? Maybe. If anything, this just wakes us up to the dangers of Typo Squatting. Many firms own many variations on their name. We own citigal.com, Google owns gooogle.com (3 Os instead of 2). But it’s impractical to own all variations. And frankly, the NHS was ultimately beholden to how well Google defended its name. And Google cannot be expected to buy every possible spelling mistake near its names. If this was an innocent typo, I struggle to find a lesson for the web developers. Sometimes the result is simply “oops.”
So how did the attack proceed?
The attacker owned the domain googleaspis.com. If you believe the whois information, that domain was registered yesterday at a registrar in the Czech Republic. It’s possible he happened to notice the misspelling on the NHS web site and decided to take advantage of it. I wonder if it’s possible to set up a Google search monitoring for sites that include misspellings, and then have Google alert you when there’s a vulnerable web site.
A few important things to realize about this investigation: I am not a forensic investigator. I did very little to disguise myself, I did not pretend to use a vulnerable machine or browser, and I did my investigating many hours after the attack had been discovered. Malware can be clever. The web sites can figure out that I’m using research tools and not browsers. They can figure out where my IP address came from and determine whether or not (based on my current country) they want to send me any malware at all. They can send me to other sites because I’m probably not their target. Thus, the path that MY browser took while researching for this article might be totally different from the path and consequences that someone else’s browser would take. For example, some of the servers are in the Czech Republic. They could, for example, serve something harmless to other Czech computers and serve the malware to all others. There was a case not long ago of a Russian malware site that did that. If the malware distributor was clever, his web site sent me something totally different from what he’d send a vulnerable PC user. There’s no way for me to know. I don’t have the tools to figure that out.
Typo squatting is a major issue. Unfortunately, there is very little we can do to combat it. End users can use a service like OpenDNS. They try to identify typo squatting URLs and redirect your browser to a safe web page if you go to one. Software authors can do very little. They can only be diligent about what sites they link to and do their utmost to be sure that they link to known sites correctly.
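The "triple check all links" and "be diligent about what sites you link to" advice above can be automated. The following is an added example, not code from the original post or from the NHS: it extracts every hostname referenced by href/src attributes in a page, and flags any that are a near-miss (small edit distance) of a domain on an allowlist the site is expected to load from. The allowlist and the sample page are constructed for the example; the one real domain in it, googleaspis.com, is the misspelling discussed above.

```python
"""Scan a page's outbound links for typo-squat look-alikes of known domains.

Added example (not the original post's code). A link that is almost, but
not exactly, a domain you expect to link to is the kind of typo that
turned the NHS page into a malware vector.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: domains this site legitimately loads content from.
KNOWN_DOMAINS = {"googleapis.com", "nhs.uk", "google.com"}


class LinkCollector(HTMLParser):
    """Collect hostnames from href and src attributes (lower-cased)."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlsplit(value).hostname  # None for relative URLs
                if host:
                    self.hosts.append(host.lower())


def registrable(host):
    """Crude 'registrable domain': the last two labels. Good enough for
    .com-style names; a production tool would use the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance between two strings (standard DP, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_lookalikes(html, known=KNOWN_DOMAINS, max_distance=2):
    """Return (referenced_host, closest_known_domain, distance) for every
    referenced host whose registrable domain is NOT on the allowlist but is
    within max_distance edits of one. Exact allowlist matches are skipped;
    unrelated domains (large distance) are not reported as typos."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for host in sorted(set(parser.hosts)):
        reg = registrable(host)
        if reg in known:
            continue
        best = min(known, key=lambda k: edit_distance(reg, k))
        dist = edit_distance(reg, best)
        if 0 < dist <= max_distance:
            findings.append((host, best, dist))
    return findings


# Constructed sample page: one good NHS link, one relative link, one
# unrelated external link, and the mistyped script source.
SAMPLE_PAGE = """
<html><body>
<a href="http://www.nhs.uk/Pages/home.aspx">Home</a>
<a href="/conditions">Conditions</a>
<a href="http://www.example.org/">Unrelated site</a>
<script src="http://ajax.googleaspis.com/ajax/libs/jquery/1.3/jquery.min.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for host, expected, dist in find_lookalikes(SAMPLE_PAGE):
        print(f"SUSPICIOUS: {host} is {dist} edit(s) from {expected}")
```

Run it against your own pages before publishing, or as a build step. The check deliberately reports only near-misses: an exact allowlist match is expected, and a domain far from anything on the list is simply a third party you chose to link to, not a typo. Sharing the domain with a script source (as above) is the worse case, since a mistyped `<script src>` hands the squatter code execution in every visitor's browser rather than just a click.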