@bridgers' finds

Just found my old Neopets account page. The password is long forgotten and is tied to a hotmail account deleted by MSN ages ago. (Thanks for nothing, MSN!!!!)

The description for one of my pets, Angle_99 (an unfortunate misspelling of “Angel”), contains a Zoolander reference. My shop, “Hogsmeade,” used to automatically play a .wav file of “Survivor” by Destiny’s Child on repeat. You could not turn it off.

(Caution: moderate l33t-speak ahead. Proceed at your own risk).

Earlier this afternoon, I noticed a javascript error message on our site: 

“WARNING: malicious javascript detected on this domain.”

This was alarming, to say the least. We hadn’t made any major updates to any of our asset files in the last few days. Had we been hacked?

I Googled the full warning message to look for answers on forums. Nothing. When I did a similar search in Baidu, however, I noticed something interesting: hundreds of forums had been updated in the last hour with developers seeing the same warning message across the Chinese interwebs.

The one thing our site had in common with all the other sites getting “malicious javascript” warnings? Baidu Analytics code. And like our site, it only happened while the pages were being accessed from outside China (or, in my case, with a VPN on). So I deactivated the code. The warning message immediately disappeared.

The whole thing gave rise to an entirely new set of questions. It was quite suspicious that a tracking code generated by a web company of that size and scale could be compromised. Were they being attacked?

I dug deeper and found a possible answer. And it was much crazier than I had guessed: Baidu’s CDN was being hijacked... to DDoS Github. And not only was I watching it happen in real time -- each time I hit the "OK" button in the warning dialogue, I was also (unknowingly) participating in it!

The console logs and screenshots show that Baidu’s scripts were sending traffic to Github. (A good technical analysis on how exactly it happened is available here).

Why is this so interesting? To quote Larry Salibra:

1. It leverages unsuspecting website visitors with uncompromised machines to create a DDOS attack 2. It makes a China based attack appear to come from outside of China by only inserting the compromising javascript code in Baidu CDN requests made outside of China
3. It attacks one of the most popular developer site that the Great Firewall has tried unsuccessfully to block in the past because of Chinese developer backlash 3. It appears to be an attempt to pressure Github, a non-news organization, to censor content that China objects to. 4. This outbound attack appears to be originating from the government controlled Great Firewall.

Emphasis mine. Note that the javascript code instructed visitors' browsers to request the Github pages of Greatfire.org and the Chinese language edition of the New York Times. 

This also brings to mind another instance of China redirecting traffic to an overseas server, as detailed by Craig Hockenberry here. To quote: “They [China] have weaponized their entire population.”

There haven’t been any official statements regarding origins of the attack, but conclusions have already been made. 

In the meantime, Github has been able to mitigate the attack, for now. (You go, Github! The Internet is better because of you.)

UPDATE (11:47 am, March 28): Official statement from Github here. “The attack... involves a wide combination of attack vectors. These include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content.”