FYI...

- http://www.websense.com/securitylabs/blog/blog.php?BlogID=116
Mar 26 2007 ~ "Search Engine Poisoning is a topic that we have have researched at some length. We discussed the topic briefly in an October blog post: Search Engine Typosquatting*. Our previous research focused on malicious URLs in search engine results from misspelled search terms; it was far less common to discover malicious content for legitimate search terms. In early March, a report from Sunbelt** demonstrated Microsoft Windows Live Search™ Italy returning exploit sites for extremely common search terms. Doing some additional research of our own, we performed searches for the names of financial companies, well-known banks, and lenders. The results were alarming. Many of the URLs in the search results linked to malicious sites capable of silently compromising the visitor..."

(More detail and screenshots at the URL above.)


* http://www.websense.com/securitylabs/blog/blog.php?BlogID=88

** http://sunbeltblog.blogspot.com/2007/03/malware-authors-take-over-live-searches.html

:fear:

FYI...

- http://www.siteadvisor.com/studies/search_safety_may2007
June 4, 2007 ~ "...Key Findings
* Overall, 4.0% of search results link to risky Web sites, which marks an improvement from 5.0% in May 2006. Dangerous sites are found in search results of all 5 of the top US search engines (representing 93% of all search engine use).
* The improvement in search engine safety is primarily due to safer sponsored results. The percentage of risky sites dropped from 8.5% in May 2006 to 6.9% in May 2007. However, sponsored results still contain 2.4 times as many risky sites as organic results.
* AOL returns the safest results: 2.9 % of results rated red1 or yellow2 by McAfee SiteAdvisor. At 5.4%, Yahoo! returns the most results rated red or yellow.
* Google, AOL, and Ask have become safer since May 2006, with Ask exhibiting the greatest improvement. The safety of search results on Yahoo! and MSN has declined..."

(Graphics available at the URL above.)


.

FYI...

- http://preview.tinyurl.com/2db83x
November 27, 2007 (Computerworld) - "A large-scale, coordinated campaign to steer users toward malware-spewing Web sites from Google search results is under way, security researchers said today. Users searching Google with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware. "This is huge," said Alex Eckelberry, Sunbelt Software's CEO. "So far we've found 27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages." Those pages have had their Google ranking boosted by crooked tactics that include "comment spam" and "blog spam," where bots inundate the comment areas of sites with links or mass large numbers of them as bogus blog posts. Attackers may be using bots to plug links into any Web form that requests a URL, added Sunbelt malware researcher Adam Thomas. There's no evidence that the criminals bought Google search keywords, however, nor that they've compromised legitimate sites. Instead, they've gamed Google's ranking system and registered their own sites... One site that Thomas encountered tried to install more than 25 separate pieces of malware, including numerous Trojan horses, a spam bot, a full-blown rootkit, and a pair of password stealers. All the malicious code pitched at users is well-known to security vendors, and can only exploit PCs that aren't up-to-date on their patches... Sunbelt's company blog sports screen shots* of several Google search results lists, with malware-infecting sites identified, as well as images of the bogus codec installation dialogs and the code of one of the malicious IFRAMEs."
* http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html
----------------------

Update:
- http://preview.tinyurl.com/2db83x
"...Users searching Google, Yahoo, Microsoft Live Search and other engines with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware..."

:fear::fear:

FYI...

SEO poisoning targeted at Google
- http://sunbeltblog.blogspot.com/2007/11/more-on-massive-seo-poisoning-it-was.html
November 28, 2007 - "As a follow-up to our recent posts*, here’s some additional information. First, we can ring the all-clear bell. Google took action on these domains and you won’t find them anymore in Google (see Java script at URL above)... So. if you use search terms like “inurl” and “site”, you won’t see these malware pages in your results. Clever, since that’s one way for malware researchers to find stuff... And, it only cares if you’re coming from Google..."
* http://sunbeltblog.blogspot.com/2007/11/malware-redirects-aftermath_27.html

> http://isc.sans.org/diary.html?storyid=3700
Last Updated: 2007-11-28 21:07:34 UTC ...(Version: 3) - "UPDATE: Google for one has cleaned up their database. They are currently no longer returning these .cn pages for the queries affected."

:devil:

Ongoing...

- http://isc.sans.org/diary.html?storyid=3700
Last Updated: 2007-11-28 23:06:30 UTC ...(Version: 4)
"UPDATE: Live Search has submitted the changes necessary to yank these URLs from the database."


:police:

FYI...

More Google poisoning on the way?
- http://sunbeltblog.blogspot.com/2007/11/heads-up-more-google-poisoning-on-way.html
November 29, 2007 - "Google has removed the sites responsible for the recent massive Google poisoning* attack. However, we’re seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here... Large amount of fresh .cn domains, with numbered html pages. However, there are apparently two different groups at work here. One we’ll call Type 1 -- which appears to be the same group involved in the prior poisoning. And the other, we'll call Type 2 (sorry, not very original, but we’re working fast here)... Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change..."

* http://sunbeltblog.blogspot.com/2007/11/more-on-massive-seo-poisoning-it-was.html

:sad:

FYI...

- http://preview.tinyurl.com/3cgt5k
November 30, 2007 (Computerworld) - "Google is asking everyday Web surfers to help with its efforts to stamp out malicious Web sites. The company has created an online form designed to make it easy for people to report sites they suspect of hosting malicious code. It's the latest step by Google to expand its database of the bad Web sites it knows about, as those sites continue to proliferate. "Currently, we know of hundreds of thousands of Web sites that attempt to infect people's computers with malware. Unfortunately, we also know that there are more malware sites out there," Google's Ian Fette wrote in the company's security blog*..."
* http://googleonlinesecurity.blogspot.com/2007/11/help-us-fill-in-gaps.html

- http://msmvps.com/blogs/spywaresucks/archive/2007/11/30/1371503.aspx
November 30, 2007 - "...(Google) blog entry was published after Sunbelt reported the massive seeding of malicious web sites on Google (which were *not* flagged as dangerous), which was then cleaned up, and before it was reported that nonsense domains were reappearing in Google's search, albeit with (apparently) no malicious content (yet)... The innocent days of the Internet as a wonderous, safe place that all can visit, and learn, and teach and share and explore without fear is gone. The criminals have taken that dream away from us. That is the reality..."

:fear:

FYI...

Malware Exploiting Death of Zoey Zane
- http://sunbeltblog.blogspot.com/2007/12/malware-exploiting-death-of-zoey-zane.html
December 03, 2007- "From the sicko department . . . We have received multiple public reports of attackers using the recent murder of 18 year old college student Emily Sander (AKA "Zoey Zane" in the adult film industry world) as a lure to install malware.
From about.com:
'Dental records have confirmed that a body found near a Kansas highway is missing community college student and Internet porn star Emily Sander, authorities said. An autopsy has been completed, but the results have been sealed and are not available to the media . . . After Sander disappeared, it was discovered that the 18-year-old college student led a double life as "Zoey Zane," a character she played on Internet porn sites.'
Attackers have obtained very good search engine position when looking for information about “Zoey Zane”, and users may be lured into installing an “ActiveX upgrade” or “Flash Player” upgrade in order to view a video. In actuality, this “ActiveX video decoder” or “Flash Player Upgrade” is a Trojan that installs a Browser Helper Object (BHO) which produces fake pop-up messages and modifies search engine results in an attempt to install the Rogue Software IE Defender..."

(Screenshots available at the URL above.)

:fear:

FYI...

- http://www.reuters.com/article/technologyNews/idUSL191003420071219
Dec 19, 2007 - "Advertisements placed by Google in Web pages are being hijacked by so-called trojan software that replaces the intended text with ads from a different provider, Romanian antivirus company BitDefender says*. The trojan redirects queries meant to be sent to Google servers to a rogue server, which displays ads from a third party instead of ads from Google, BitDefender said in a statement... Google said on Wednesday: "We have cancelled customer accounts that display ads redirecting users to malicious sites or that advertise a product violating our software principles." "We actively work to detect and remove sites that serve malware in both our ad network and in our search results. We have manual and automated processes in place to detect and enforce these policies." The trojan, named after the mythic Trojan Horse because of its ability to enter computer systems undetected, attacks Google's AdSense service, which targets advertisements to match Web page content..."

* http://preview.tinyurl.com/2jp2k9
December 18, 2007 (Bitdefender) - "...The modified file contains a line redirecting the host "page2.googlesyndication.com" which should point to an IP of the form 6x.xxx.xxx.xxx to a different address, of the form 9x.xxx.xxx.xxx, so that the infected machines' browsers read ads from server at the replacement address rather than from Google..."
- http://www.bitdefender.com/VIRUS-1000239-en--Trojan.Qhost.WU.html

:fear:

FYI...

Fake codecs on Blogger
- http://sunbeltblog.blogspot.com/2007/12/fake-codecs-on-blogger.html
December 26, 2007 - "Fake codec trojans (so-called “required” components to watch a video, but in fact are malicious trojans) are a plague on the Internet. We’ve written about them extensively. Often, they are seen in porn sites. However, by doing a few simple searches today, we can see that they’re available to those simply doing American football pools, checking bank hours or searching for New Year’s eve clipart. All of these are taking advantage of the free Blogger service... these sites are pushing real trojans. Please don’t go there if unless you know what you’re doing... I wouldn't put this in the same league as the massive Google poisoning we saw last month. That was an epic attack, using exploits and all kinds of nasty tricks. However, this is something to be aware of, and hopefully the good folks at Google will take them down lickety-split..."

(Screenshots available at the URL above.)

:fear:

FYI...

Malicious Code: Attackers Exploiting News of Benazir Bhutto Assassination
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=834
December 27, 2007 - "Websense Security Labs has discovered malicious Web sites attempting to capitalize on the breaking news of the assassination of Benazir Bhutto. These sites attempt to infect users seeking more information about the event. This activity is similar to past news events, where attackers used malicious sites containing information about the event to infect visitors. In this case, the first infected site found by Websense Security Labs was the second result in a Google search using a generic and simple keyword. Therefore, the site likely to receive large amounts of traffic. Clicking on the link in the search results did not trigger a warning from Google that the site may be malicious..."

(Screenshot available at the URL above.)

- http://blog.trendmicro.com/bhutto-assassination-javascripted/
December 27, 2007 - "...one of the sites in question indeed has an embedded malicious JavaScript redirect..."

:fear:

FYI...

- http://blog.trendmicro.com/seo-manipulation-begins-for-super-bowl-malware-campaign/
January 24, 2008 - "Cyber criminals who took advantage of Hollywood actor Heath Ledger’s death* are at it again, this time attempting to lure unsuspecting Super Bowl fans. When users search for “Superbowl,” Google search results turn up the following (links to malware)... what’s interesting in this case is that the malicious URLs are once again found in the servers of the Czech hosting provider believed to be hacked. Our analysts have been in contact with CERT CZ and the Czech hosting provider but the malicious codes are still present as of this writing..."
* http://blog.trendmicro.com/compromised-sites-heath-it-up/

(Screenshots available at both URLs above.)

I.E: http://www.cnet.com/8301-13554_1-9856450-33.html?tag=head
"...A client of mine is often in the news, so I watch for articles using Google Alerts. Once a day, I'm sent an email listing the new web pages Google found that contain my client's name. After doing this for well over a year without incident, Google today included a malicious web page in the list of those referencing my client. The page tried to install malicious software on my computer..."

:fear:

FYI...

Search Engine Spam increasing
- http://www.messagelabs.com/intelligence.aspx
MessageLabs Intelligence (PDF report): January 2008 - "...much of this type of spam in recent weeks has also revealed a significant hike in the proportion of spam abusing search engine redirects. Typically Google and Yahoo search engines have been used in these spams. Search engine spam accounts for 17% of spam in January and has been in circulation for only a few weeks. Search engine spam is a technique that allows the spammer to include a link constructed from a search engine query in an email message. When followed, the link will resolve in the spammer’s forged web site. This means that the spammers can send messages without directly mentioning the spam website, which makes it difficult for traditional anti-spam products to detect the malicious link. While they may recognize known spam sites, they cannot reasonably block links to legitimate search engine sites. eBay recently instituted some changes to circumvent this type of attack method... the link in the email passes some special parameters to the Google search engine, using the inURL: keyword (which focuses the search only on the domain listed), and the BtnI= keyword (typically used by the “I’m feeling Lucky” button on Google)..."

:fear:

FYI...

- http://www.networkworld.com/news/2008/013108-attacker-google-blog.html
01/31/08 - "A Google-hosted blog is running phony security content that's linked to malware, as well as using Google's automated notification service to try to entice subscribers to click on an infected link, says one security expert. To trick readers looking for information related to legitimate security products, the blog - which has been spotted working under the name "Brittany" - has copied content related to security vendors Symantec, Trend Micro and Aladdin Knowledge Systems, says Ofer Elzam, director of product management in Aladdin's eSafe division... Google states in its usage policy that "Google does not monitor the contents of Blogger.com and Blogspot.com, and takes no responsibility for such content. Instead, Google merely provides access to such content as a service to you"..."

:fear:

FYI...

All Your iFrame Are Point to Us (from the Google Anti-Malware Team)
- http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html
February 11, 2008 - "...In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing... Some malware distribution sites had as many as 21,000 regular web sites pointing to them. We also found that the majority of malware was hosted on web servers located in China. Interestingly, Chinese malware distribution sites are mostly pointed to by Chinese web servers. We hope that an analysis such as this will help us to better understand the malware problem in the future and allow us to protect users all over the Internet from malicious web sites as best as we can. One thing is clear - we have a lot of work ahead of us."

:fear:

FYI...

- http://www.symantec.com/avcenter/threatcon/learnabout.html
"On March 4, 2008 reports of an IFRAME attack coming from ZDNet Asia began to surface. Attackers appear to have abused the ZDNet search engine's cache by exploiting a script injection issue which is then being cached in Google. Clicking the affected link in Google will cause the browser to be redirected to a malicious site which attempts to install a rogue ActiveX control. On March 6, 2008 the research that discovered the initial attack published an update stating that a number of CNET sites including TV.com, News.com and MySimon.com are also affected by a similar issue.
More CNET Sites Under IFRAME Attack - http://ddanchev.blogspot.com/2008_03_01_archive.html
Fraudsters piggyback on search engines - http://www.securityfocus.com/brief/695 "

:fear::fear:

FYI...

Google Ads abused to serve Spam and Malware
- http://preview.tinyurl.com/2opnkh
March 17, 2008 (McAfee Avert Labs) - "Early this year we observed spammers using Google page ads in HTML-formatted emails to redirect users who click the spammed URL to the spammers’ sites... At first we thought Google page ads were being used to conceal the actual URL and subvert traditional anti-spam detection techniques. However, it seems one can change the linked URL to point to any site of your choice–as no validation appears to be done on Google’s end. One can even point the Google page ad to executable files (malware authors have started doing this), and the link will redirect and download the malware just fine. It’s kind of ironic given than Google is very strict about the kind of file attachments one can upload/download via their Gmail service... Google must be aware of this redirect abuse, and it’s hard to understand why they don’t prevent these -redirects- working for known bad file types or for spam and malware sites."

:fear:

Massive IFRAME SEO Poisoning Attack Continuing...

- http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html
March 28, 2008 - "Last week's massive IFRAME injection attack is slowly turning into a what looks like a large scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site's web application security practices - or the lack of. What has changed since the last time? The number and importance of the sites has increased, Google is to what looks like filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves... The main IPs within the IFRAMES acting as redirection points to the newly introduced rogue software and malware, remain the same, and are still active. The very latest high profile sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants: USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu... For the time being, Google is actively filtering the results, in fact removing the cached pages on number of domains when I last checked, the practice makes it both difficult to assess how many and which sites are actually affected, and of course, undermining the SEO poisoning, as without it the input validation and injecting the IFRAMEs would have never been able to attract traffic at the first place. The attack is now continuing, starting two weeks ago, the main IPs behind the IFRAMES are still active, new pieces of malware and rogue software is introduced hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in a combination with IFRAME injections. Which site is next? Let's hope not yours..."

- http://www.securityfocus.com/blogs/708
2008-03-28 - "...Danchev... published a blog about another batch of servers getting injected with malicious code and we have confirmed the attack here at Symantec. If you're an IT administrator, you will want to temporarily add them to the list of IPs to filter (block):
* 72.232.39.252
* 195.225.178.21
* 89.149.243.201
* 89.149.220.85
In the past we've seen many low-profile sites being targeted with the IFRAME attack, but this time the list of hacked sites include many high-profile sites as well..."

(Please do NOT visit any of the IPs in the commentary - they are to be considered dangerous.)

:fear::mad::fear:

FYI...

- http://www.theregister.co.uk/2008/03/31/compromised_site_survey/
31 March 2008 - "...ScanSafe found the amount of time a website hosting malicious code remains live increased during the second half of 2007. Malware on infected sites remained live for an average of 29 days in 2H07, up 62 per cent from the first half of the year. Forms of malware undetected by scanner packages have an even a longer shelf life once they compromise a site, persisting an average of 61 days in the second half of 2007."

:fear:

FYI...

- http://www.vnunet.com/vnunet/news/2213090/search-engine-attack-lingers
31 Mar 2008 - "A malware attack targeting search engine results is continuing to haunt several high-profile sites. The attack uses the common cross-site scripting practice of embedding pages with small IFrame tags which redirect the user to a malicious page on a third-party site... The hackers have compromised search result pages, using search engine optimisation techniques to hijack search results and send users to sites which host malicious downloads. Among the sites said to be compromised are major news outlets ABC, USAToday and Forbes, and retailers Wal-Mart, Target and Sears... Administrators can protect against the attack by plugging the input validation vulnerabilities used to seed the malicious code within the pages..."

SANS NewsBites Vol. 10 Num. 26
- https://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=26#sID307
4/1/2008 - "...you can make the world a better place by blocking four IP addresses,:
* 72.232.39.252
* 195.225.178.21
* 89.149.243.201
* 89.149.220.85 ..."

(Once again, please do NOT visit those IPs, just BLOCK them.)

:fear::spider:

FYI...

- http://sunbeltblog.blogspot.com/2008/04/google-groups-continues-to-be-inundated.html
April 05, 2008 - "As we’ve seen before, this continues to be a problem on Google Groups: Fake posts pushing porn that pushes malware (fake codecs)... This really needs to get cleaned up. There’s a reason why so many of the threats that we see users getting infected with are invariably fake codec related..."

(...because it works. Screenshots available at the URL above.)

:fear:

FYI...

- http://www.trustedsource.org/TS?do=threats&subdo=blog&id=31
April 7, 2008 - "The infamous “Storm worm” is back and now the spam messages contain links to the domain blogspot .com - Google’s Blogger service. The spammed subjects look like “Crazy in love with you“, “I Love Being In Love With You” or “Fallen for you“. The mail body contains just simple short sentences like “I’ll never stope loving you“, “With All My Love” or “Deeply in love with you“, followed by a link to Blogger... When a curious user will follow the lure, he will be presented a Blogger web site like above. An executable file named ‘withlove.exe‘ is linked and downloaded from another fast-fluxing domain... BTW: Storm is not the first malware which invades Blogger. Last year Zlob was also present on many Blogs, waiting to show the infamous missing codec error messages. So be aware..."

:fear:

FYI...

- http://preview.tinyurl.com/5hq4xc
16 Apr 2008 | SearchSecurity.com - "...The technique of using otherwise legitimate sites to host and deliver malware is an increasingly popular one and has continued to be effective for a number of reasons. Most importantly, users do not expect to find malware on e-commerce, news and entertainment sites that they trust and have been visiting for years. But there's also the problem of finding and removing the malicious pages. It's much easier to isolate and blackhole an entirely malicious site than it is to find and take down one infected page among thousands on a legitimate site. In his analysis of the malware utility, ISC handler Bojan Zdrnja wrote* that after infecting a new site, the program then checks with a remote server in China, possibly to confirm the new infection as part of a pay-per-infection scheme. After that operation, the tool will then connect to Google and use a specific search string to find vulnerable sites..."
* http://isc.sans.org/diary.html?storyid=4294

:fear:

FYI...

- http://securitylabs.websense.com/content/Blogs/3068.aspx
4.17.2008 - "... research has uncovered a case where a museum's compromised Web server is serving malicious code based on the referrer making the request. A referrer could be, for example, a search engine such as images.google.com. As interesting as the fact that they're doing this, however, is which referrers trigger the delivery of malicious content, when others do not. In this case, the malicious content is served -only- when the referrers for the request are certain high-profile image search sites... For example, if a browser attempted to load a page with the desired image through images.google.com, malicious content was delivered. However, if a normal Google search (www .google.com) was used for the same image with the same URL, the result was the proper page, -without- the malicious redirect. So far, the list of image search sites that are used as affected referrers by the attacker are among the most high-profile image searches on the web:
* images.google.com
* images.search.yahoo.com
* www .altavista.com/image/default
* search.live.com/images/
... another screenshot of the same page, but with referrer data disabled. This page contains the normal page content, not the malicious code. The decision on what content to send is made on the server, so this attack is browser-independent. Regardless of which browser is used, if the referrer information on the request is one of the affected image search engines, the malicious content is delivered... it seems as though the museum's page has also been compromised with a search engine poisoning attack. Beyond the normal reasons for such a compromise, we can theorize that this may have been done to increase the site's search ranking, making it more likely for its images to come up in a search. As a result, more systems are likely to be infected by the malicious content."

(Screenshots available at the URL above.)

:fear:

FYI...

Google Pages Porn Malware Invasion Continues Unabated
- http://sunbeltblog.blogspot.com/2008/04/google-pages-porn-malware-invasion.html
April 17, 2008 - "... Hundreds of thousands of pages, if not over a million. Examples (warning: graphic language)... And there’s also splogs pushing malware, not as porn, but just off of keywords. Here’s a search for “Symantec Download”... file being pushed, setup.exe, is a trojan. Or, let's use the search term “McAfee download”... (I’m not picking on these AV companies, if you do similar searches for Sunbelt products, you’ll hit these types of things as well.) These slimeballs are using all kinds of keywords. Here’s some more, like Blackberry Ringtones and Free Messenger Download, returning spam links... Or how about keeping it simple, and just saying “free download”? Malware!... A large part of this is most certainly caused by bots uploading stuff, breaking the CAPTCHA. They may not break it all the time, but they do break it probably 10% of the time. That’s enough to upload a ton of garbage..."

(Screenshots available at the URL above.)

:fear::fear:

FYI... (now, not "malware", just FRAUD)

- http://www.networkworld.com/news/2008/050208-google-adwords-fuel-new-url.html
05/02/2008 - "Google adwords account holders are being targeted by criminals out to trick them into handing over credit card information using a clever URL spoof that has gained popularity in recent weeks. On the face of it, the scam follows a traditional attack route involving the sending of spam emails to random Internet addresses in the hope of finding users who have purchased adwords. The email claims that the user's account payment has failed and asks them to "update payment information", again a transparent ploy by today's standards... As obvious as this might sound, the unwary might easily be tricked by the convincing http ://adwords .google .com/select/login link embedded in the email, a perfect copy of the correct Google login address. This one, however, actually leads to hxxp ://www .adwords .google .com.XXXX.cn/select/Login [address altered], an obfuscated address that directs to a site associated with IPs in Germany, Romania, and the Czech Republic. The site is a good copy of the real Google adword site, and appears to let users login using their real account details - any account details will work in fact. Entering payment details results in that information being posted using an SSL link to a remote server after which the account will ripped off. The attack has been publicized by security software company Trend Micro*, but the disarmingly simple scam is widespread enough to have been received by ordinary users in recent days..."
* http://blog.trendmicro.com/google-adwords-phishing/
May 1, 2008

:fear::fear:

FYI...

- http://sunbeltblog.blogspot.com/2008/05/mcafee-deal-with-yahoo.html
May 06, 2008 - "...McAfee announced a deal with Yahoo* to have search results filtered through SiteAdvisor..."
* http://www.news.com/8301-10784_3-9936682-7.html?tag=nl.e703

Good deal - for users, too.


:bigthumb:

FYI...

- http://preview.tinyurl.com/5cvvdw
June 24, 2008 (Infoworld) - "...Stopbadware.org released data on "badware" Web sites on Tuesday, saying that Google was one of the top five networks responsible for hosting these dangerous Web sites.
The numbers show that China is now a top source of malicious Web sites -- China-based networks hosted more than half of the malicious Web sites tracked by the group -- but Google's appearance on the list is perhaps more remarkable...
A year ago, Google did not appear on Stopbadware.org's list of the top 10 sources of badware, but recently scammers and online criminals have turned to Google's Blogger service to host malicious or spyware-related Web pages... In March, Google was the top badware network tracked by Stopbadware*..."

* http://blogs.stopbadware.org/articles/2008/04/05/infections-stats-for-march-2008
Top Infected IP Addresses

> http://www.stopbadware.org/home/badwebs

:fear::spider:

FYI...

A Million Search Strings to Get Infected
- http://blog.trendmicro.com/a-million-search-strings-to-get-infected/
August 15, 2008 - "...We received several reports from the North American region earlier today about users being victimized by a rogue antispyware, which these users have downloaded after they have somehow been convinced to click on malicious links. These links point to malware that caused overt signs (such as popup balloons and modified wallpapers) to appear in the PC suggesting that the system has indeed been infected. This is not goodwill, though — because downloading the ‘trial version’ only scans the system. To remove the infection the user will have to purchase the entire antispyware for real money. Users may be infected via spammed email messages, spammed instant messages, or even via ads served in social networking sites. Soon enough, we’ve discovered not one but two fake antivirus software. This time the attack is made possible through a mass SEO poisoning involving several compromised Web sites. This development has certainly upped the chances of the rogue antispyware gaining mileage. How does this work? A simple Google/Yahoo! search can lead you to malware-serving site. Search strings such as “changes on the river amazon” or “changes made for mount Pinatubo” will lead you to a malicious Web site. Users who happen to use these strings will find themselves going down the long road of nasty redirections... After all the fake notifications, the user will be asked to download AV2009Install_880488.exe. The other fake antivirus will lead users to hxxp ://scan. free-antispyware-scanner. com ... This will ask the user to download setup_100722_3.exe instead of AV2009Install_880488.exe. (Note that the final agenda for both and most rogue antispyware scams is extortion. Users who fall for this scam pay a certain amount of money to the malware writers to purchase the full version of the fake antispyware.)
According to our investigation, there are about several dozen domains involved that are currently compromised. The hackers were able to upload PHP scripts that contain various text strings designed for SEO poisoning (SEO poisoning is manipulating or influencing the natural page rankings of search results in order to get more hits than a page really deserves). This is not the first time Trend Micro has seen this incident, a previous SEO poisoning of this scale was also discovered December 2007, with SEO poisoning pages hosted on Blogspot. This time around, compromised web sites were used instead. Digging a little bit deeper, we’ve also found out that the hackers have almost 1 million search phrases at their disposal for SEO poisoning. These search phrases covers the range from free downloads, lyrics, travel, politics and anything in between. Malicious sites have “CLICK HERE! ALL INFORMATION!” and “CLICK HERE! WANT TO KNOW MORE ABOUT” as their page titles, so it will be best to avoid clicking through Google/Yahoo! results that have those aforementioned site titles."

(Screenshots available at the TrendMicro URL above.)

:fear::fear:

FYI...

Continuing problem - malware advertised in Google Adwords
- http://sunbeltblog.blogspot.com/2008/08/continuing-problem-of-malware-being.html
August 23, 2008 - "Google continues to have a problem with malware being advertised in Google Adwords, in this case, for the trojan Antivirus XP 2008... An exacerbating part of the problem, of course, is that Google Adwords are massively syndicated to other sites, including heavy-hitters like CNET, all of whom may unknowingly push malware through these ads. A lot of people can get affected by this type of problem."
(Screenshots available at the URL above.)

- http://sunbeltblog.blogspot.com/2008/08/i-can-resist-irony.html
August 23, 2008 (Yet another Screenshot)

:fear::mad:

FYI...

More Google searches resulting in rogue AV
- http://blog.trendmicro.com/more-google-searches-resulting-in-rogue-av/
Nov. 5, 2008 - "... 2 scenarios resulting (in) rogue AV downloads, also done through hijacking Google search results... In the first scenario, queries for the string refa+zeitaufnahmebogen [related to a German association for work design] on the German Google website (www .google.de) yield suspicious results... Using Wireshark, I’ve found that this was achieved through a redirection to yet another URL entirely... While the first scenario is more of a targeted attack, this next one proves to aim at a wider range of victims, and timely as well considering the US elections. Malicious results were also found generated from queries for the string absentee voting... And of course, this is another work of the FakeAV gang. Clicking the result triggers a series of redirections; however the payload, or the fake AV itself, is not there anymore. The downloaded file has the same name..."

(Screenshots available at the URL above.)

:fear:

FYI...

- http://blog.trendmicro.com/bogus-housecall-search-results-lead-to-adware/
Nov. 23, 2008 - "Given the popularity of Trend Micro’s free online scanner HouseCall, it shouldn’t be a surprise that hackers are now trying to exploit it for their benefit... found this unwelcome search result that comes up when a user searches for “free online virus scan by Trend Micro” in Google... Not surprisingly, the system scanning is completely fake. In actuality, the page linked to in the initial resulting Google search - along with other pages from the same domain - all point to a file detected by Trend Micro as ADW_FAKEAV. This is the software that tries to dupe victims into believing that their systems are infected with some sort of bogus malware and the prompts them to pay for a full license of a fake antivirus application in order to remove the fake threat. ADW_FAKEAV also connects to a remote website downloads another adware program detected as ADW_FAKEAV.O, so in this entire process, victims are exposed to more adware threats... This would not be the first time our products’ names were used in malicious operations..."

(Screenshot available at the URL above.)

:fear::mad:

FYI...

Fake antivirus peddlers... using redirects
- http://preview.tinyurl.com/7khzp9
12/24/2008 (Networkworld.com) - "... Over the past four days the scammers have used so-called redirector links on Web sites belonging to magazines, universities and, most remarkably, the Microsoft.com and IRS.gov domains, said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham, who first reported the activity on his blog* Tuesday. Many Web sites use redirector links to take visitors away from the site, although the Web site operators try to stop them from being misused by scammers... If criminals can use a redirector on a major Web site like Microsoft.com or IRS.gov, however, they can make their malicious links pop up very high in Google search results... The FTC estimates that 1 million consumers were taken in by other fake antivirus products which go by names such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus... the scammers behind this latest operation may be connected to the earlier scams..."
* http://garwarner.blogspot.com/2008/12/more-than-1-million-ways-to-infect-your.html
December 23, 2008 - "An unknown hacker has been on a Search Engine Optimization rampage to flood search engines with more than a million ways to infect yourself with his virus... You can review the coverage on "install.exe" on VirusTotal.com**... where only 5 of 37 antivirus products were able to identify the file as malware...
UPDATE!
Microsoft has closed the Open Redirector which was being abused... Clicking one of the Microsoft pages indicated in the Google search... will now take you to a safe page stating that the page was not found, and then forwarding you to a Microsoft search page. Thanks to Microsoft for such a quick response once the problem was pointed out to them."
** http://www.virustotal.com/analisis/5360054b5e2f7c54a81de81583e36fa0

:fear::mad::fear:

FYI...

- http://www.viruslist.com/en/weblog?weblogid=208187615
January 05, 2009 - "Drive-by downloads became increasingly common in 2008. With webmasters becoming more aware of security issues, the criminals out there are always looking for new techniques to ensure that their malware survives longer... The malware writers start by doing Google searches to identify popular websites. The most popular sites thrown up by each search are then ‘pen-tested’ for vulnerabilities. The most vulnerable websites are then compromised and in order to cover their tracks, malware writers aren’t adding code to these compromised pages in the form of new files or even obfuscated code. Instead, they’re simply modifying scripts that are already running on the compromised pages... it’s not just websites which have been optimized to achieve high search rankings that are being used; the criminals are also targeting some security sites... Compromising websites optimized for search engine success and infecting users through a series of malicious re-directs is bound to be a popular attack vector in 2009 and will undoubtedly cause webmasters new headaches. This case just goes to show that nothing on the Internet is as safe as it might seem. And it’s not just Google that’s affected – I tested this attack scenario using Yahoo! and MSN, and the results were the same..."

:fear::fear::fear: