This ancient CMS is being exploited by hackers — with governments and schools facing attack

A CMS that died 14 years ago is still being used

Hackers are taking advantage of dozens of educational websites to poison search engine results, deliver phishing sites to victims, and engage in all kinds of fraudulent activity.

The websites being abused in this campaign include MIT, Columbia University, Universitat de Barcelona, Auburn University, University of Washington, Purdue, Tulane, Universidad Central del Ecuador, and the University of Hawaiʻi.

Besides educational sites, the campaign also targeted government and corporate websites, such as the site of the Government of Virginia, Austin, Texas, the website of the Government of Spain, and Yellow Pages Canada.

There are no free V-Bucks

The scheme was revealed by cybersecurity researcher @g0njxa, who posted on X a report outlining how they found websites using FCKeditor, a web text editor that allowed users to edit HTML content inside a web page.

Apparently, it was a popular solution a decade and a half ago, but it rebranded to CKEditor in 2009. Responding to the findings, the CKEditor X profile said FCKeditor died in 2010 and should not be in use at all due to various security issues.

One of the security issues being exploited here is an open redirect: the site accepts arbitrary redirection requests and sends a visitor to an external URL without validating the destination or running appropriate security checks. With open redirects, search engines show the site being redirected to as if it were hosted by the victim site.
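The validation an open redirect lacks, as an added example (not code from FCKeditor, CKEditor or the researcher's report): the redirect handler checks the requested target against an allowlist before answering. The host names and the `safe_redirect_target` helper are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts this site may redirect to (constructed values).
ALLOWED_HOSTS = {"www.university.example", "library.university.example"}
FALLBACK = "/"  # where the visitor lands when the target is rejected


def safe_redirect_target(target: str) -> str:
    """Return target if it is a same-site path or an allowlisted https URL,
    otherwise FALLBACK. Intended for the handler behind ?url= or ?next=."""
    # Reject empty values, surrounding whitespace and control characters,
    # which browsers and URL parsers strip or interpret differently.
    if not target or target != target.strip():
        return FALLBACK
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return FALLBACK
    # Browsers treat "\" like "/", so "/\host" behaves like "//host".
    if "\\" in target:
        return FALLBACK
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return FALLBACK

    if not parts.scheme and not parts.netloc:
        # Same-site path: must be rooted, and must not be scheme-relative.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK

    # Absolute or scheme-relative URL: https only, no userinfo tricks,
    # and an exact host match (a prefix or suffix match is not enough).
    if parts.scheme != "https":
        return FALLBACK
    if parts.username is not None or parts.password is not None:
        return FALLBACK
    host = (parts.hostname or "").lower()
    return target if host in ALLOWED_HOSTS else FALLBACK
```

Rejected targets fall back to the site root instead of raising an error, so the endpoint never emits a `Location` header that points off-site.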

Showing an example, @g0njxa posted a screenshot of search engine results for “Free V Bucks” (Fortnite in-game currency), on which websites such as those of Barcelona University or Tulane were seen “hosting” free V-Bucks generators.

As open redirect URLs don’t host the malicious content, BleepingComputer further explains, they can stay active for much longer and remain visible in search engine results before being flagged and taken down. What’s more, Google and Microsoft don’t even see open redirect as that big of a deal, and usually don’t react unless the attack escalates.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
