Black-hat actors have targeted several pages within Stanford’s web ecosystem, redirecting community websites towards alternatives ones selling weight loss supplements until last month. According to University researchers, hackers exploited vulnerabilities to game search engine rankings in a tactic known as black hat Search Engine Optimization (SEO). After The Daily notified University Information Technology (UIT), the compromised pages have since been taken down.
The hacked pages appeared as high-ranking search results on Google, with a Gemini summary for rapid weight loss techniques listing them as official Stanford’s websites. Redirects led users to the website for Best Product Review, a scam website masquerading as Fox News. The site advertised weight loss pills from brands LuxOvia and PureVantage, which claimed to have appeared on shows like Shark Tank and publications such as The New York Times. The Daily did not find any evidence supporting these claims.
Targeted subdomains included those belonging to MARIA, a machine learning tool; General Game Playing, a course in the computer science department and the Stanford Department of Public Safety.
The attackers could have employed methods including exploiting compromised code libraries or those with backdoors built into them, according to assistant professor in computer science Emma Dauterman.
Another possibility is that the server was misconfigured — a vulnerability that happens when a web server has the wrong settings, according to Kimberly Ruth, a sixth-year Ph.D. student in computer science focusing on computer security. Visiting researcher Nurullah Demir also suggested that the web application — the software running the webpage — may have been hijacked.
The attackers’ likely motivation? Making their page more visible on search engine results, said Dauterman. “The attackers want to use the fact that this is coming from some very trusted domain like stanford.edu… and leverage that in order to boost their scammy content,” she said.
Academic domains like Stanford’s are a particularly popular target because of their reputations for reliability, according to Dauterman.
Dauterman said such websites are also attractive for their decentralized quality. “Stanford, as an open research and academic environment, allows members of the University community to host content accessible by web search engines,” said University spokesperson Luisa Rapport.
Malicious redirects are often used for financial scams, said Ruth, but they also create reputational damage for the University. “If [Stanford is] associated with scammy websites, [and] people are seeing some of these sites, then that doesn’t reflect well on the university,” Ruth said.
But vulnerabilities in subdomains are difficult to prevent. Implementing greater security measures would hinder the ease with which research and student groups can host their own sites, said Ruth. “As a research lab, if I want to go spin up a domain, I don’t necessarily want to have a ton of hoops that I need to jump through,” she said. This is another reason why college subdomains are such a common target.
Rapport wrote about the University’s collaborative efforts to strike such a balance. “UIT regularly works with individuals and research groups to limit the hosting of insecure content that might be exploited by unauthorized parties,” she wrote.
One way is to consistently maintain webpages. “Good practice is to try to keep all systems up to date,” said Ruth. Students and groups should also be thoughtful in the way they write their code, “trying to ensure that people aren’t linking into too many third-party libraries that they don’t necessarily have a lot of visibility into.”
Stanford should also be proactive about tracking where it appears on search engines. “It’s always good to keep track on [and] monitor new units in [the] search index,” Demir said.