Public sector web sites at risk from illicit links

Hundreds of ac.uk and gov.uk web sites have had links posted on them to pornography and illegal drug sites

Web sites across the public sector have been hit

Hundreds of public sector web sites have been hacked into to include links and references to illegal web sites selling pornography and drugs online.

The links can appear in Google searches before web users have even arrived at a web site – potentially putting them off visiting.

Hackers exploit weaknesses in sites' security and use them to post links to their own web sites, according to Ritchie Fiddes, of vendor Backup Technology, which uncovered the problem.

"These are unethical link-building campaigns," he said. "A link from a web site with a gov.uk URL is valuable and will push a site higher up the google rankings," he said.

Academic institutions with ac.uk URLs have also been affected.

Links will often be injected using techniques such as cross-site scripting and may not be immediately obvious to those visiting a web site, though an unintended click in a seemingly blank area of the screen could lead to one of the sites. The links can also be posted using SQL injections.

Institutions that are not keeping patches updated or that are using older versions of Wordpress or Windows web servers are particularly vulnerable, according to Fiddes.

And many more examples could be out there, he added.

"What we've found is just the tip of the iceberg," said Fiddes.