Microsoft privacy and surveillance site compromised to promote online casinos

Graham Cluley

Well, this is embarrassing…

As ZD Net reports, the website set up by Microsoft to fight the United States government on issues of over-reaching surveillance has been hacked.

Last December, I suggested you visit Microsoft’s Digital Constitution website to find out more about the company’s attempts to prevent US law enforcement from accessing customer emails held at a data centre in Dublin, Ireland.

What Microsoft was doing, in my opinion, was a “very good thing”™, protecting the privacy of users from over-reaching governments.

But what wasn’t so good was what has been going on lately on the digitalconstitution.com website itself.

ZD Net’s Zack Whittaker reports that hackers had managed to inject spammy links to online casinos into the site’s pages.

The fault, it appears, lay in the out-of-date version of WordPress being used – version 4.0.5. Chances are that the spammers weren’t even aware of the trophy site they had compromised, and that it was just one of many sites they would have sullied with their revenue-generating links.

Compromised website. Source: Zack Whittaker / ZD Net

If that’s the case, then hopefully there is no threat of any sensitive data being stolen from the web servers. But clearly Microsoft dodged a bullet, as it would have been just as easy for the attackers to embed malicious links or exploit code designed to infect visiting computers.

Whittaker reports that some of the main pages were fixed within an hour or so of being initially reported, but as recently as yesterday there were still pages containing the seedy casino adverts.


The website has since been updated to WordPress 4.2.2, the latest version. Let’s hope that whoever is responsible for its maintenance now understands the importance of keeping it properly updated.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.