NHS flushes out infectious site redirects after malware slip

NHS visitors in search of health information were met with viruses or adverts instead.
Written by Liam Tung, Contributing Writer

The NHS is still cleaning up a coding error on its website that hackers used to send visitors to malware sites.

The UK's National Health Service is applying some overdue hygiene to some of its online properties after a visitor to its NHS Choices site on Sunday stumbled across 836 pages that redirected browsers to third-party malware hosting sites.

First reported on Reddit by user Muzzers, the source of the redirects was malicious script tags containing a URL that pointed to a bogus version of "googleapis.com", the Google-owned domain used by developers. The URL in the tags was instead for "googleaspis.com".

"So while attempting to access flu shot information I stumbled upon a page which redirected me to an advertisement. Digging a bit deeper I found hundreds more pages which redirect to either an advertisement or malware infested page," Muzzers wrote.

The discovery caused alarm since hackers often enough compromise popular websites in an effort to redirect visitors to malicious URLs with the goal of installing malware on a victim's PC. The technique is used in so-called 'drive-by-downloads', which aim for mass infections, or 'watering hole attacks' in more targeted attacks.

As Symantec notes, attackers typically insert snippets of JavaScript or HTML to redirect visitors to an exploit page. Attacks on developers at Apple and Facebook last year did exactly this via a hacked iOS developer forum.

But, according to the NHS, the attackers in this case didn't even need to hack the site to gain redirects for its 800-odd pages.

"We can confirm that this problem has arisen due to an internal coding error and that NHS Choices has not been maliciously attacked," the NHS told ZDNet in a statement.

"An internal coding error has caused an incorrect re-direct on some pages on NHS Choices since Sunday evening. Routine security checks alerted us to this problem on Monday morning at which point we identified the problem and corrected the code."

The NHS spokesperson added that the coding error — the mistyped URL — had been lying on the site since sometime last year, but didn't cause problems until Sunday. 

"On Sunday evening someone in the Czech Republic took ownership of the incorrectly spelt domain it was referring to; the correctly spelt one is actually owned by Google. Although the typo existed in NHS Choices code, until the point the domain name was purchased, this was not causing any issues."

According to Whois records, someone who lists their address as being in the Czech Republic registered the domain on 2 February, with the registration running through to 2 February 2015.
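A script tag whose host is one character away from "googleapis.com", as described above, can be caught by checking every script host on a page against an allowlist and flagging near misses. The following is an added example, not NHS Choices code; the allowlist, the `audit` function, the distance threshold and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this site intentionally loads scripts from.
ALLOWED = {"googleapis.com", "nhs.uk"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class ScriptHosts(HTMLParser):
    """Collect the host of every <script src=...> that names one."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        host = urlparse(src, scheme="https").hostname if src else None
        if host:  # relative paths have no host and are skipped
            self.hosts.append(host.rstrip("."))

def audit(html, max_distance=2):
    """Return (host, verdict) for each script host outside the allowlist."""
    parser = ScriptHosts()
    parser.feed(html)
    findings = []
    for host in parser.hosts:
        if any(host == d or host.endswith("." + d) for d in ALLOWED):
            continue
        # Compare the host's trailing labels with each allowlisted domain.
        near = [d for d in sorted(ALLOWED) if edit_distance(
            ".".join(host.split(".")[-(d.count(".") + 1):]), d) <= max_distance]
        findings.append((host, "lookalike of " + near[0] if near else "not allowlisted"))
    return findings

# Constructed sample page: only googleapis.com and googleaspis.com come from the article.
SAMPLE = """<head>
<script src="//ajax.googleapis.com/lib.js"></script>
<script src="http://ajax.googleaspis.com/lib.js"></script>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/widget.js"></script>
</head>"""
```

Calling `audit(SAMPLE)` reports the mistyped host as a lookalike of "googleapis.com" and the unrelated host as simply not allowlisted, whether or not the mistyped domain has been registered yet.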

"We plan to undertake a thorough and detailed analysis to ensure that a full code review is undertaken and steps put in place to ensure no re-occurrence," the NHS spokesperson said.
