
TOKYO (MacHouse) – It’s been 4 weeks since we first reported the systematic exploitation of websites where a folder titled ‘in’ is installed with spam pages inside. We were never interested in seeking the source of the vulnerability common to the victimized websites. What appears to be the source of the vulnerability, however, is open-source software called TinyMCE.
So what exactly is TinyMCE? According to its website (http://tinymce.moxiecode.com), it’s open-source software that creates a JavaScript-based WYSIWYG editor. (See Screenshot 01.) Screenshot 02 shows an example of a WYSIWYG editor shown on the developer’s website.
Screenshot 01 – Source: tinymce.moxiecode.com

Screenshot 02 – Source: tinymce.moxiecode.com

Screenshot 03 – Source: tinymce.moxiecode.com

This software contains folders in the following order: jscripts > tiny_mce > plugins. (See Screenshot 03.) It appears that the cyber scrum group installs folders inside this ‘plugins’ folder. (See Screenshot 04.)

Screenshot 04 – Source: MacHouse
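
One way to check a web root for the pattern described above, as an added example that is not from the original article: it reports entries under any jscripts/tiny_mce/plugins directory that are absent from a clean copy of the same TinyMCE release, plus any folder named ‘in’. The clean-copy location, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

PLUGINS_TAIL = ("jscripts", "tiny_mce", "plugins")  # folder order given in the article

def find_plugin_dirs(webroot):
    """Yield every .../jscripts/tiny_mce/plugins directory under webroot."""
    for dirpath, dirnames, _ in os.walk(webroot):
        if Path(dirpath).parts[-3:] == PLUGINS_TAIL:
            dirnames[:] = []  # no need to descend into the plugins themselves
            yield Path(dirpath)

def audit(webroot, clean_plugins):
    """Return sorted (reason, path) findings for a web root.

    clean_plugins is the plugins folder of an untouched copy of the TinyMCE
    release the site runs (assumption: the administrator has one to compare with).
    """
    expected = {p.name for p in Path(clean_plugins).iterdir()}
    findings = []
    for plugins in find_plugin_dirs(webroot):
        for entry in plugins.iterdir():
            if entry.name not in expected:
                findings.append(("unexpected-plugin-entry", entry))
    # The article's other indicator: a folder titled 'in', wherever it sits.
    for dirpath, dirnames, _ in os.walk(webroot):
        if "in" in dirnames:
            findings.append(("folder-named-in", Path(dirpath) / "in"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: a clean plugins copy and a site with added 'in' folders."""
    root = Path(root)
    for rel in ("clean/plugins/table", "clean/plugins/paste",
                "site/jscripts/tiny_mce/plugins/table",
                "site/jscripts/tiny_mce/plugins/paste",
                "site/jscripts/tiny_mce/plugins/in",
                "site/in"):
        (root / rel).mkdir(parents=True)
    return root / "site", root / "clean" / "plugins"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_sample(tmp)
        for reason, path in audit(site, clean):
            print(f"{reason}: {path.relative_to(site)}")
```

A folder named ‘in’ inside the plugins directory is reported under both reasons, since it matches both indicators.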


