Typhoid Mary

Typhoid Mary (aka Mary Mallon) was the first identified healthy carrier of typhoid in the US. While she did not die from typhoid, she passed the disease to others, some of whom became infected and died. Throughout most of her life she denied her role in those deaths. Today the term ‘Typhoid Mary’ has come to mean a carrier of a dangerous disease who is a danger to the public because they refuse to take appropriate precautions.

Kanga.nu is a Typhoid Mary. This Plone site has a major security vulnerability which allows malicious users to create URLs on the site that then forward visitors to another site of the attacker’s choosing. Here is how it works:

  1. Create some kind of site that makes you money somehow (selling pharmaceuticals, stock tips, porn, whatever)
  2. Hack Kanga.nu using one of the Plone vulnerabilities and create a new URL that forwards any visitor:
    • directly to your website, or
    • to a Google search URL whose first result happens to be your web page
  3. Spam as many websites as you can with links to the hacked Plone site (which then forwards to your actual product)
  4. Profit!

As an example, if I were the hacker, I would create a new page/URL (by whatever method the site is hacked) at kanga.nu/members/MySpammyProduct. This URL would then forward to my money-making website that sells Pet Insurance Stock Tips (or whatever). Some of the hacked URLs appear to forward directly to the product page, while others forward to a Google search page instead.

Forwarding to the Google search page gives the spammer that one-step-removed feeling. After all, Google penalises domains that receive too many links from ‘bad neighbourhoods’, of which Kanga.nu is now obviously one. To avoid this penalty the spammers forward to a Google search page whose results prominently feature the spammer’s domain, hoping that users will click through from the search page and then buy the product.
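As an added illustration (not code from the original post, and not a tool the site or Plone provides), the following Python script triages captured responses from suspect URLs of this kind and separates the two forwarding patterns described above: a direct off-site redirect and a bounce through a search-engine results page, from which it extracts the search phrase. It assumes the page forwards via an HTTP 3xx Location header or an HTML meta refresh; the post does not describe the exact Plone mechanism. The sample responses, the spammer hostname and the list of search-engine hosts are constructed for the example.

```python
"""Triage captured HTTP responses for pages that forward visitors off-site.

Added example, not code from the original post. The sample responses below are
constructed to mirror the two forwarding patterns the post describes: a hacked
member page that bounces to a Google search URL, and one that bounces straight
to the spammer's own site. Hostnames and paths are illustrative only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Search engines used as an intermediary ("one step removed"); an assumption
# for this example, extend as needed.
SEARCH_HOSTS = {"www.google.com", "google.com", "search.yahoo.com"}


class _MetaRefreshParser(HTMLParser):
    """Pull the target out of <meta http-equiv="refresh" content="0;url=...">."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
        if m:
            self.target = m.group(1)


def redirect_target(raw_response, page_url):
    """Return the absolute URL a browser would be sent to, or None.

    Handles both an HTTP 3xx Location header and an HTML meta refresh, the two
    ways a page can forward a visitor without any script running.
    """
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if 300 <= status < 400 and "location" in headers:
        return urljoin(page_url, headers["location"])
    parser = _MetaRefreshParser()
    parser.feed(body)
    return urljoin(page_url, parser.target) if parser.target else None


def classify(page_url, target_url):
    """Label a redirect: none, same-site, search-proxy (with the query) or off-site."""
    if target_url is None:
        return "none", None
    page_host = (urlsplit(page_url).hostname or "").lower()
    target = urlsplit(target_url)
    target_host = (target.hostname or "").lower()
    if target_host == page_host:
        return "same-site", target_url
    if target_host in SEARCH_HOSTS:
        query = parse_qs(target.query)
        # Google uses q=, Yahoo uses p=; take whichever is present.
        phrase = (query.get("q") or query.get("p") or [""])[0]
        return "search-proxy", phrase
    return "off-site", target_host


# Constructed sample captures (not real traffic). Paths are modelled on the
# spam URL quoted in the post; the off-site hostname is made up.
SAMPLES = [
    ("http://kanga.nu/Members/dipex/freecreditreport-free-credit-report",
     "HTTP/1.1 302 Found\r\n"
     "Location: http://www.google.com/search?q=freecreditreport\r\n"
     "Content-Length: 0\r\n\r\n"),
    ("http://kanga.nu/Members/spamuser/pet-insurance-stock-tips",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<html><head><meta http-equiv='refresh' "
     "content='0;url=http://stock-tips.example/buy'></head></html>"),
    ("http://kanga.nu/Members/legituser/index_html",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<html><body>Hello</body></html>"),
]


def triage(samples=SAMPLES):
    """Return one verdict per (page_url, raw_response) pair."""
    out = []
    for page_url, raw in samples:
        verdict, detail = classify(page_url, redirect_target(raw, page_url))
        out.append({"url": page_url, "verdict": verdict, "detail": detail})
    return out


if __name__ == "__main__":
    for row in triage():
        print(f"{row['verdict']:13} {row['url']}  ->  {row['detail']}")
```

Feeding this the URLs harvested from spam comments (after fetching each one without following redirects) gives a quick split between pages that merely look odd and pages that actually forward visitors elsewhere; the extracted search phrase is what to look up when trying to work out who benefits.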

Once this network is in place, the hackers then spam blogs and forums like crazy trying to get links to the hacked Plone setup. If you go to kanga.nu/Members you can search by member name. Simply putting the letter ‘e’ in the search box returns over 80 different members; who knows how many there really are. Here is the Alexa data for Kanga.nu. Can you guess when the site was hacked?

Kanga.nu Alexa Information

Here is a URL from a piece of spam posted at MaxPower:

kanga.nu/Members/dipex/freecreditreport-free-credit-report-free-credit-report-online#documentContent

If you visit that URL you will be redirected to the Google search page for the phrase freecreditreport. The image below shows the first result for that search phrase.
First result for search phrase freecreditreport.

In all likelihood, one of the first few search results or the first AdSense ad near the top is the beneficiary of the spam and hacking. Looking through the top ten search results, an interesting coincidence emerges. Four of the top ten results for the phrase freecreditreport deal with consumers being ripped off (SERP results 4, 5, 8 and 9 at the time of this writing). Two sites are implicated, Consumerinfo com and freecreditreport com (both run by the same company): “The FTC charged the companies with “deceptive and misleading” claims” [source].

Could the same people who run rip off scams also be behind spamming and hacking websites?

From August of 2005:

Consumerinfo com, Inc., doing business as Experian Consumer Direct, has settled Federal Trade Commission charges that it deceptively marketed “free credit reports” by not adequately disclosing that consumers automatically would be signed up for a credit report monitoring service and charged $79.95 if they didn’t cancel within 30 days, in violation of federal law. [source]

It is important to note that by reaching a settlement with the FTC, Consumerinfo and FreeCreditReport have not officially been found guilty of violating the law. Still, according to the FTC, the two sites had to give up “$950,000 in ill-gotten gains.”

At this time there is nothing linking the websites at the top of the search engine results page for the word ‘freecreditreport’ to the spamming and hacking related to kanga.nu. One can only speculate. But at least there is a complete picture of how one hacked Plone website, kanga.nu, could be helping to rip people off on the Internet. I just hope Google and Yahoo can penalise everyone who is attempting to game search engine results using hacked sites like this one.

Anyway, I attempted to contact the owner of the site, a ‘JC Lawrence.’ It looks like JC was a fairly active member of a few forums and of the open source / programming scene. However, the last web page carrying his kanga.nu signature is dated January 2006. Maybe he passed away, went to jail, or something. Regardless, the site is no longer under his control or care.

Epilogue:
I did manage to contact the host of the site. They admitted that the site was known to be a problem in the past, but thought that the problem had cleared itself up. After our emails were exchanged, Kanga.nu went down. If it does come back, I hope that the site has been patched.

Anecdotal info: I went to Plone’s home page and joined their IRC help channel. I asked about hacked sites in general and about this Plone site in particular. One person on the channel took a look at the site and declared it a fairly normal situation. I’m not sure what that says about Plone as a CMS.

This post has 1 comment.

  1. Happy Plone User
    05 Jun 07
    2:56 pm

    The fix is well documented here:

    http://plone.org/about/security/advisories/non-image-member-portraits

    which shows up as result #4 when searching plone.org on “spam”.

    Relying on one person’s opinion among 1000s of Plone site administrators probably isn’t the best approach you could have taken for this article :)