Beware of hacked forums
Contributed by: Email on 04/25/2012 01:52 PM
Hackers have been targeting online forums, not to publish cool slogans or political messages, but to make money. They steal traffic from the forums and monetize it through ads; their main targets appear to be forums running vBulletin software.
The methods employed are very discreet. They can hide their code deep within a system and ensure that their redirections don't attract much attention. Visitors who access forums using a search engine such as Google are redirected to a url123.info URL. It initially displays a blocking alert ("Access denied") followed by arbitrary text, but then loads a full-page ad by InfinityAds. Even though these ads only generate a few pennies for the hackers, it is still a direct source of income for them. Some forum operators have noticed a decrease of up to 70% in traffic, so the overall income yield could be considerable.
Owners and regular forum users who access the site directly never see the redirection. Since a cookie already exists for those pages, most will not be able to reproduce the issue even when clicking through to the forum by way of Google. One way of reliably reproducing the redirection is to carry out a search with a browser in private or anonymous mode.
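For forum operators, the same check can be scripted instead of done by hand in a private window. The following is an added example, not code from vBulletin, vbSEO or the original report: it requests a page without cookies, once directly and once with a search-engine Referer, and flags an off-site redirect that appears only in the second case. Assumptions: the redirect is sent as an HTTP 3xx `Location` header (a script-based redirect would need a headless browser), and `forum.example`, `SEARCH_REFERER` and all function names are hypothetical.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

SEARCH_REFERER = "https://www.google.com/search?q=forum"  # constructed value

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx then surfaces as HTTPError

def fetch(url, referer=None):
    """Cookie-less GET; returns (status, Location header or None)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def site(url):
    """Lower-cased host with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def offsite_target(url, location):
    """Absolute redirect target if it leaves the forum's host, else None."""
    if not location:
        return None
    target = urljoin(url, location)
    return target if site(target) != site(url) else None

def check_forum(url, fetch=fetch):
    """Compare a direct visit with a visit arriving from a search engine."""
    direct = offsite_target(url, fetch(url)[1])
    via_search = offsite_target(url, fetch(url, SEARCH_REFERER)[1])
    return {"direct": direct, "via_search": via_search,
            "referer_conditional": via_search is not None and direct is None}

def fake_fetch(url, referer=None):
    # Constructed stand-in for a compromised forum, so the demo runs offline.
    if referer and "google." in referer:
        return 302, "http://url123.info/"
    return 200, None

if __name__ == "__main__":
    print(check_forum("http://forum.example/showthread.php?t=1", fake_fetch))
```

Calling `check_forum(url)` without the second argument uses the real `fetch` against your own forum; a result with `referer_conditional` set to `True` matches the behaviour described above.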
The German Typo3 forum is among the forums currently affected, but some other reports date back several months. The cause remains unclear. A connection to vbSEO, a search engine optimization extension, is suspected. It appears that this extension was compromised in a way that allowed attackers to install malicious plug-ins via the forum administrator's account.
In their FAQs, the vbSEO developers have provided a tool for testing vBulletin installations. The vBulletin support team recommends a slightly more generic vBulletin test.