Microsoft has confirmed that two network devices on its network have indeed been compromised and were being used by criminals to route traffic to more than a thousand websites used to push fake pills.
After an internal investigation, they found that the devices – located in a testing lab – were misconfigured and have been compromised due to human error. “Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected,” they said in a statement.
The fact was discovered two days ago by Ronald Guilmette, a network security researcher, and revealed to The Register. They mounted an analysis of their own which confirmed that two IP addresses – 18.104.22.168 and 22.214.171.124 – were indeed being used by spammers.
Guilmette says that the servers have been hosted on these addresses as far back as September 22 – a claim that seems to be backed by Brian Krebs.
He says that on September 23, this organized cyber crime gang launched a massive DoS attack against his site, and that the attack has been tracked to a variety of Internet addresses, of which at least one seemed to be located on Microsoft’s network. It also seems that Microsoft was notified at the time, but why the failed to mount an inquiry then and there, it is anybody’s guess.
“In just one of the many ironies in this story, the compromised server inside of Microsoft appears to have been running Linux, not one of Microsoft’s server technologies,” adds Krebs. “According to Guilmette, all of the hacked servers used by this pill gang are Unix or Linux servers.”