Digital Constitution – a dedicated website Microsoft set up to keep users informed of its efforts to counter the US government’s attempts to access customer emails the company stores in its data center in Dublin, Ireland – has been compromised.
Unexpectedly, the attackers are not disgruntled privacy-minded hacktivists with a bone to pick with the company, but apparently scammers trying to push “amazing” offers from online casinos.
The site’s code was apparently modified to include gambling-themed keywords so that it pops up in online gambling-related searches, and new pages like this one (which is still available as I write this) have been created on the site.
ZDNet’s Zack Whittaker posits that the compromise was executed by leveraging vulnerabilities in the WordPress CMS used to run the site. The site is running on WordPress 4.0.5, while the latest version is 4.2.2.
Microsoft didn’t comment on the incident, but removed the keywords from the site’s code in less than an hour. However, it obviously missed the aforementioned injected pages.