
Search Engine Poisoning - archive



AplusWebMaster
2007-03-27, 02:21
FYI...

- http://www.websense.com/securitylabs/blog/blog.php?BlogID=116
Mar 26 2007 ~ "Search Engine Poisoning is a topic that we have researched at some length. We discussed the topic briefly in an October blog post: Search Engine Typosquatting*. Our previous research focused on malicious URLs in search engine results from misspelled search terms; it was far less common to discover malicious content for legitimate search terms. In early March, a report from Sunbelt** demonstrated Microsoft Windows Live Search™ Italy returning exploit sites for extremely common search terms. Doing some additional research of our own, we performed searches for the names of financial companies, well-known banks, and lenders. The results were alarming. Many of the URLs in the search results linked to malicious sites capable of silently compromising the visitor..."

(More detail and screenshots at the URL above.)


* http://www.websense.com/securitylabs/blog/blog.php?BlogID=88

** http://sunbeltblog.blogspot.com/2007/03/malware-authors-take-over-live-searches.html

:fear:

AplusWebMaster
2007-06-05, 01:05
FYI...

- http://www.siteadvisor.com/studies/search_safety_may2007
June 4, 2007 ~ "...Key Findings
* Overall, 4.0% of search results link to risky Web sites, which marks an improvement from 5.0% in May 2006. Dangerous sites are found in search results of all 5 of the top US search engines (representing 93% of all search engine use).
* The improvement in search engine safety is primarily due to safer sponsored results. The percentage of risky sites dropped from 8.5% in May 2006 to 6.9% in May 2007. However, sponsored results still contain 2.4 times as many risky sites as organic results.
* AOL returns the safest results: 2.9% of results rated red[1] or yellow[2] by McAfee SiteAdvisor. At 5.4%, Yahoo! returns the most results rated red or yellow.
* Google, AOL, and Ask have become safer since May 2006, with Ask exhibiting the greatest improvement. The safety of search results on Yahoo! and MSN has declined..."

(Graphics available at the URL above.)



AplusWebMaster
2007-11-28, 02:21
FYI...

- http://preview.tinyurl.com/2db83x
November 27, 2007 (Computerworld) - "A large-scale, coordinated campaign to steer users toward malware-spewing Web sites from Google search results is under way, security researchers said today. Users searching Google with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware. "This is huge," said Alex Eckelberry, Sunbelt Software's CEO. "So far we've found 27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages." Those pages have had their Google ranking boosted by crooked tactics that include "comment spam" and "blog spam," where bots inundate the comment areas of sites with links or mass large numbers of them as bogus blog posts. Attackers may be using bots to plug links into any Web form that requests a URL, added Sunbelt malware researcher Adam Thomas. There's no evidence that the criminals bought Google search keywords, however, nor that they've compromised legitimate sites. Instead, they've gamed Google's ranking system and registered their own sites... One site that Thomas encountered tried to install more than 25 separate pieces of malware, including numerous Trojan horses, a spam bot, a full-blown rootkit, and a pair of password stealers. All the malicious code pitched at users is well-known to security vendors, and can only exploit PCs that aren't up-to-date on their patches... Sunbelt's company blog sports screen shots* of several Google search results lists, with malware-infecting sites identified, as well as images of the bogus codec installation dialogs and the code of one of the malicious IFRAMEs."
* http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html
----------------------

Update:
- http://preview.tinyurl.com/2db83x
"...Users searching Google, Yahoo, Microsoft Live Search and other engines with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware..."

:fear::fear:

AplusWebMaster
2007-11-29, 00:26
FYI...

SEO poisoning targeted at Google
- http://sunbeltblog.blogspot.com/2007/11/more-on-massive-seo-poisoning-it-was.html
November 28, 2007 - "As a follow-up to our recent posts*, here’s some additional information. First, we can ring the all-clear bell. Google took action on these domains and you won’t find them anymore in Google (see Java script at URL above)... So, if you use search terms like “inurl” and “site”, you won’t see these malware pages in your results. Clever, since that’s one way for malware researchers to find stuff... And, it only cares if you’re coming from Google..."
* http://sunbeltblog.blogspot.com/2007/11/malware-redirects-aftermath_27.html

> http://isc.sans.org/diary.html?storyid=3700
Last Updated: 2007-11-28 21:07:34 UTC ...(Version: 3) - "UPDATE: Google for one has cleaned up their database. They are currently no longer returning these .cn pages for the queries affected."

:devil:

AplusWebMaster
2007-11-29, 15:20
Ongoing...

- http://isc.sans.org/diary.html?storyid=3700
Last Updated: 2007-11-28 23:06:30 UTC ...(Version: 4)
"UPDATE: Live Search has submitted the changes necessary to yank these URLs from the database."


:police:

AplusWebMaster
2007-11-29, 21:43
FYI...

More Google poisoning on the way?
- http://sunbeltblog.blogspot.com/2007/11/heads-up-more-google-poisoning-on-way.html
November 29, 2007 - "Google has removed the sites responsible for the recent massive Google poisoning* attack. However, we’re seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here... Large amount of fresh .cn domains, with numbered html pages. However, there are apparently two different groups at work here. One we’ll call Type 1 -- which appears to be the same group involved in the prior poisoning. And the other, we'll call Type 2 (sorry, not very original, but we’re working fast here)... Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change..."

* http://sunbeltblog.blogspot.com/2007/11/more-on-massive-seo-poisoning-it-was.html

:sad:

AplusWebMaster
2007-11-30, 16:09
FYI...

- http://preview.tinyurl.com/3cgt5k
November 30, 2007 (Computerworld) - "Google is asking everyday Web surfers to help with its efforts to stamp out malicious Web sites. The company has created an online form designed to make it easy for people to report sites they suspect of hosting malicious code. It's the latest step by Google to expand its database of the bad Web sites it knows about, as those sites continue to proliferate. "Currently, we know of hundreds of thousands of Web sites that attempt to infect people's computers with malware. Unfortunately, we also know that there are more malware sites out there," Google's Ian Fette wrote in the company's security blog*..."
* http://googleonlinesecurity.blogspot.com/2007/11/help-us-fill-in-gaps.html

- http://msmvps.com/blogs/spywaresucks/archive/2007/11/30/1371503.aspx
November 30, 2007 - "...(Google) blog entry was published after Sunbelt reported the massive seeding of malicious web sites on Google (which were *not* flagged as dangerous), which was then cleaned up, and before it was reported that nonsense domains were reappearing in Google's search, albeit with (apparently) no malicious content (yet)... The innocent days of the Internet as a wondrous, safe place that all can visit, and learn, and teach and share and explore without fear is gone. The criminals have taken that dream away from us. That is the reality..."

:fear:

AplusWebMaster
2007-12-03, 19:59
FYI...

Malware Exploiting Death of Zoey Zane
- http://sunbeltblog.blogspot.com/2007/12/malware-exploiting-death-of-zoey-zane.html
December 03, 2007 - "From the sicko department . . . We have received multiple public reports of attackers using the recent murder of 18-year-old college student Emily Sander (AKA "Zoey Zane" in the adult film industry world) as a lure to install malware.
From about.com:
'Dental records have confirmed that a body found near a Kansas highway is missing community college student and Internet porn star Emily Sander, authorities said. An autopsy has been completed, but the results have been sealed and are not available to the media . . . After Sander disappeared, it was discovered that the 18-year-old college student led a double life as "Zoey Zane," a character she played on Internet porn sites.'
Attackers have obtained very good search engine position when looking for information about “Zoey Zane”, and users may be lured into installing an “ActiveX upgrade” or “Flash Player” upgrade in order to view a video. In actuality, this “ActiveX video decoder” or “Flash Player Upgrade” is a Trojan that installs a Browser Helper Object (BHO) which produces fake pop-up messages and modifies search engine results in an attempt to install the Rogue Software IE Defender..."

(Screenshots available at the URL above.)

:fear:

AplusWebMaster
2007-12-19, 18:36
FYI...

- http://www.reuters.com/article/technologyNews/idUSL191003420071219
Dec 19, 2007 - "Advertisements placed by Google in Web pages are being hijacked by so-called trojan software that replaces the intended text with ads from a different provider, Romanian antivirus company BitDefender says*. The trojan redirects queries meant to be sent to Google servers to a rogue server, which displays ads from a third party instead of ads from Google, BitDefender said in a statement... Google said on Wednesday: "We have cancelled customer accounts that display ads redirecting users to malicious sites or that advertise a product violating our software principles." "We actively work to detect and remove sites that serve malware in both our ad network and in our search results. We have manual and automated processes in place to detect and enforce these policies." The trojan, named after the mythic Trojan Horse because of its ability to enter computer systems undetected, attacks Google's AdSense service, which targets advertisements to match Web page content..."

* http://preview.tinyurl.com/2jp2k9
December 18, 2007 (Bitdefender) - "...The modified file contains a line redirecting the host "page2.googlesyndication.com" which should point to an IP of the form 6x.xxx.xxx.xxx to a different address, of the form 9x.xxx.xxx.xxx, so that the infected machines' browsers read ads from the server at the replacement address rather than from Google..."
- http://www.bitdefender.com/VIRUS-1000239-en--Trojan.Qhost.WU.html

:fear:
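The hosts-file hijack described in the BitDefender write-up above is easy to audit for on an endpoint. This is an added example, not code from BitDefender or this thread: it flags any hosts entry that maps a watched ad/search hostname to something other than a loopback or sinkhole address; the watch-list and the sample hosts content are constructed.

```python
"""Audit hosts-file content for hijacked search/ad hostnames.

Added example (not from the original thread or BitDefender). The
Trojan.Qhost.WU write-up quoted above describes a hosts entry that
points page2.googlesyndication.com at a foreign address so that the
browser loads ads from the attacker's server. This check flags any
entry that maps a watched hostname (or a subdomain of one) to an
address other than loopback/unspecified. WATCHED_SUFFIXES is an
assumed watch-list, not a list taken from the article.
"""
import ipaddress
from typing import List, NamedTuple

# Assumed watch-list: domains an attacker would want to redirect in order
# to serve their own ads or search results. Extend for your environment.
WATCHED_SUFFIXES = (
    "googlesyndication.com",
    "google.com",
    "doubleclick.net",
    "yahoo.com",
    "live.com",
)


class HostsHit(NamedTuple):
    line_no: int
    hostname: str
    address: str


def _is_sinkhole(addr: str) -> bool:
    """Loopback/unspecified targets block a host; they do not redirect it."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _is_watched(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> List[HostsHit]:
    """Return every hosts entry that redirects a watched hostname."""
    hits: List[HostsHit] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop trailing comments, then split into address + hostnames.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed entry; nothing to evaluate
        address, hostnames = parts[0], parts[1:]
        if _is_sinkhole(address):
            continue  # ad-blocking style entry, legitimate
        for hostname in hostnames:
            if _is_watched(hostname):
                hits.append(HostsHit(line_no, hostname, address))
    return hits


# Constructed sample: default entries, a user's own ad-block entry, and
# one hijack entry in the shape the article describes. The hijack target
# here is a documentation-range address standing in for the real one.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test   # blocks, does not redirect
127.0.0.1       www.google.com             # loopback: also a block
198.51.100.17   page2.googlesyndication.com
"""

if __name__ == "__main__":
    for hit in audit_hosts(SAMPLE_HOSTS):
        print(f"line {hit.line_no}: {hit.hostname} -> {hit.address} (possible hijack)")
```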

AplusWebMaster
2007-12-27, 03:28
FYI...

Fake codecs on Blogger
- http://sunbeltblog.blogspot.com/2007/12/fake-codecs-on-blogger.html
December 26, 2007 - "Fake codec trojans (so-called “required” components to watch a video, but in fact are malicious trojans) are a plague on the Internet. We’ve written about them extensively. Often, they are seen in porn sites. However, by doing a few simple searches today, we can see that they’re available to those simply doing American football pools, checking bank hours or searching for New Year’s eve clipart. All of these are taking advantage of the free Blogger service... these sites are pushing real trojans. Please don’t go there unless you know what you’re doing... I wouldn't put this in the same league as the massive Google poisoning we saw last month. That was an epic attack, using exploits and all kinds of nasty tricks. However, this is something to be aware of, and hopefully the good folks at Google will take them down lickety-split..."

(Screenshots available at the URL above.)

:fear:

AplusWebMaster
2007-12-28, 14:40
FYI...

Malicious Code: Attackers Exploiting News of Benazir Bhutto Assassination
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=834
December 27, 2007 - "Websense Security Labs has discovered malicious Web sites attempting to capitalize on the breaking news of the assassination of Benazir Bhutto. These sites attempt to infect users seeking more information about the event. This activity is similar to past news events, where attackers used malicious sites containing information about the event to infect visitors. In this case, the first infected site found by Websense Security Labs was the second result in a Google search using a generic and simple keyword. Therefore, the site is likely to receive large amounts of traffic. Clicking on the link in the search results did not trigger a warning from Google that the site may be malicious..."

(Screenshot available at the URL above.)

- http://blog.trendmicro.com/bhutto-assassination-javascripted/
December 27, 2007 - "...one of the sites in question indeed has an embedded malicious JavaScript redirect..."

:fear:

AplusWebMaster
2008-01-28, 10:27
FYI...

- http://blog.trendmicro.com/seo-manipulation-begins-for-super-bowl-malware-campaign/
January 24, 2008 - "Cyber criminals who took advantage of Hollywood actor Heath Ledger’s death* are at it again, this time attempting to lure unsuspecting Super Bowl fans. When users search for “Superbowl,” Google search results turn up the following (links to malware)... what’s interesting in this case is that the malicious URLs are once again found in the servers of the Czech hosting provider believed to be hacked. Our analysts have been in contact with CERT CZ and the Czech hosting provider but the malicious codes are still present as of this writing..."
* http://blog.trendmicro.com/compromised-sites-heath-it-up/

(Screenshots available at both URLs above.)

I.e.: http://www.cnet.com/8301-13554_1-9856450-33.html?tag=head
"...A client of mine is often in the news, so I watch for articles using Google Alerts. Once a day, I'm sent an email listing the new web pages Google found that contain my client's name. After doing this for well over a year without incident, Google today included a malicious web page in the list of those referencing my client. The page tried to install malicious software on my computer..."

:fear:

AplusWebMaster
2008-01-30, 13:54
FYI...

Search Engine Spam increasing
- http://www.messagelabs.com/intelligence.aspx
MessageLabs Intelligence (PDF report): January 2008 - "...much of this type of spam in recent weeks has also revealed a significant hike in the proportion of spam abusing search engine redirects. Typically Google and Yahoo search engines have been used in these spams. Search engine spam accounts for 17% of spam in January and has been in circulation for only a few weeks. Search engine spam is a technique that allows the spammer to include a link constructed from a search engine query in an email message. When followed, the link will resolve in the spammer’s forged web site. This means that the spammers can send messages without directly mentioning the spam website, which makes it difficult for traditional anti-spam products to detect the malicious link. While they may recognize known spam sites, they cannot reasonably block links to legitimate search engine sites. eBay recently instituted some changes to circumvent this type of attack method... the link in the email passes some special parameters to the Google search engine, using the inURL: keyword (which focuses the search only on the domain listed), and the BtnI= keyword (typically used by the “I’m feeling Lucky” button on Google)..."

:fear:
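The redirect trick MessageLabs describes (a link to a search engine whose query is scoped with inurl: and fired through btnI=) can be recognised in mail at the URL level. This is an added example, not from the MessageLabs report: it pulls URLs out of an email body and reports search-engine links that carry a feeling-lucky parameter and/or narrow the query to one domain; the search host list and the sample email are assumptions.

```python
"""Flag search-engine redirect links of the kind MessageLabs describes.

Added example, not from the MessageLabs report. The report quoted above
describes spam that links to a Google search URL whose query uses the
inurl: operator together with btnI= (the "I'm Feeling Lucky" parameter)
so that the search engine forwards the reader to the spammer's site.
This scanner extracts URLs from an email body and reports any search
URL that (a) carries the btnI parameter and/or (b) scopes the query to
a single domain with inurl:/site:. SEARCH_HOST_SUFFIXES and the sample
email are constructed assumptions.
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Assumed: search hosts whose result-redirect behaviour the spam abuses.
SEARCH_HOST_SUFFIXES = ("google.com", "google.co.uk", "search.yahoo.com")
# btnI is the parameter named in the report (compared case-insensitively).
LUCKY_PARAMS = {"btni"}
# Operators that restrict a query to one domain; group 2 is that domain.
SCOPE_OPERATORS = re.compile(r"\b(inurl|site):\s*([^\s]+)", re.IGNORECASE)


class RedirectLink(NamedTuple):
    url: str
    feeling_lucky: bool
    scoped_domain: str  # domain named by inurl:/site:, or "" if none


def _is_search_host(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in SEARCH_HOST_SUFFIXES)


def classify_url(url: str) -> Optional[RedirectLink]:
    """Return a finding if the URL is a search link usable as a redirect."""
    parts = urlsplit(url)
    if not _is_search_host(parts.hostname or ""):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    lucky = any(k.lower() in LUCKY_PARAMS for k in params)
    # Google uses q=, Yahoo uses p= for the query text.
    query = " ".join(params.get("q", []) + params.get("p", []))
    m = SCOPE_OPERATORS.search(query)
    scoped = m.group(2).strip("\"'") if m else ""
    if not lucky and not scoped:
        return None  # an ordinary search link, not a redirect
    return RedirectLink(url, lucky, scoped)


def scan_email(body: str) -> List[RedirectLink]:
    """Return every search-engine redirect link found in the body."""
    hits: List[RedirectLink] = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # trailing punctuation is not part of the URL
        hit = classify_url(url)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample message: one redirect link in the reported shape,
# one harmless search link, and one unrelated link.
SAMPLE_EMAIL = """\
Great deals this week! Order here:
http://www.google.com/search?q=inurl%3Acheap-meds.example&btnI=I%27m+Feeling+Lucky
Questions? http://www.google.com/search?q=how+to+unsubscribe
Track your parcel: http://tracking.example.test/status?id=42
"""

if __name__ == "__main__":
    for hit in scan_email(SAMPLE_EMAIL):
        print(f"redirect link: {hit.url}\n  feeling_lucky={hit.feeling_lucky} "
              f"scoped_domain={hit.scoped_domain!r}")
```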

AplusWebMaster
2008-02-04, 18:18
FYI...

- http://www.networkworld.com/news/2008/013108-attacker-google-blog.html
01/31/08 - "A Google-hosted blog is running phony security content that's linked to malware, as well as using Google's automated notification service to try to entice subscribers to click on an infected link, says one security expert. To trick readers looking for information related to legitimate security products, the blog - which has been spotted working under the name "Brittany" - has copied content related to security vendors Symantec, Trend Micro and Aladdin Knowledge Systems, says Ofer Elzam, director of product management in Aladdin's eSafe division... Google states in its usage policy that "Google does not monitor the contents of Blogger.com and Blogspot.com, and takes no responsibility for such content. Instead, Google merely provides access to such content as a service to you"..."

:fear:

AplusWebMaster
2008-02-12, 22:14
FYI...

All Your iFrame Are Point to Us (from the Google Anti-Malware Team)
- http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html
February 11, 2008 - "...In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing... Some malware distribution sites had as many as 21,000 regular web sites pointing to them. We also found that the majority of malware was hosted on web servers located in China. Interestingly, Chinese malware distribution sites are mostly pointed to by Chinese web servers. We hope that an analysis such as this will help us to better understand the malware problem in the future and allow us to protect users all over the Internet from malicious web sites as best as we can. One thing is clear - we have a lot of work ahead of us."

:fear:

AplusWebMaster
2008-03-07, 02:10
FYI...

- http://www.symantec.com/avcenter/threatcon/learnabout.html
"On March 4, 2008 reports of an IFRAME attack coming from ZDNet Asia began to surface. Attackers appear to have abused the ZDNet search engine's cache by exploiting a script injection issue which is then being cached in Google. Clicking the affected link in Google will cause the browser to be redirected to a malicious site which attempts to install a rogue ActiveX control. On March 6, 2008 the research that discovered the initial attack published an update stating that a number of CNET sites including TV.com, News.com and MySimon.com are also affected by a similar issue.
More CNET Sites Under IFRAME Attack - http://ddanchev.blogspot.com/2008_03_01_archive.html
Fraudsters piggyback on search engines - http://www.securityfocus.com/brief/695"

:fear::fear:

AplusWebMaster
2008-03-18, 21:51
FYI...

Google Ads abused to serve Spam and Malware
- http://preview.tinyurl.com/2opnkh
March 17, 2008 (McAfee Avert Labs) - "Early this year we observed spammers using Google page ads in HTML-formatted emails to redirect users who click the spammed URL to the spammers’ sites... At first we thought Google page ads were being used to conceal the actual URL and subvert traditional anti-spam detection techniques. However, it seems one can change the linked URL to point to any site of your choice–as no validation appears to be done on Google’s end. One can even point the Google page ad to executable files (malware authors have started doing this), and the link will redirect and download the malware just fine. It’s kind of ironic given that Google is very strict about the kind of file attachments one can upload/download via their Gmail service... Google must be aware of this redirect abuse, and it’s hard to understand why they don’t prevent these -redirects- working for known bad file types or for spam and malware sites."

:fear:

AplusWebMaster
2008-03-28, 15:10
Massive IFRAME SEO Poisoning Attack Continuing...

- http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html
March 28, 2008 - "Last week's massive IFRAME injection attack is slowly turning into what looks like a large scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site's web application security practices - or the lack of. What has changed since the last time? The number and importance of the sites has increased, Google is to what looks like filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves... The main IPs within the IFRAMES acting as redirection points to the newly introduced rogue software and malware, remain the same, and are still active. The very latest high profile sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants: USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu...
For the time being, Google is actively filtering the results, in fact removing the cached pages on a number of domains when I last checked; the practice makes it both difficult to assess how many and which sites are actually affected, and of course, undermining the SEO poisoning, as without it the input validation and injecting the IFRAMEs would have never been able to attract traffic in the first place. The attack is now continuing, starting two weeks ago, the main IPs behind the IFRAMES are still active, new pieces of malware and rogue software are introduced, hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in a combination with IFRAME injections. Which site is next? Let's hope not yours..."

- http://www.securityfocus.com/blogs/708
2008-03-28 - "...Danchev... published a blog about another batch of servers getting injected with malicious code and we have confirmed the attack here at Symantec. If you're an IT administrator, you will want to temporarily add them to the list of IPs to filter (block):
* 72.232.39.252
* 195.225.178.21
* 89.149.243.201
* 89.149.220.85
In the past we've seen many low-profile sites being targeted with the IFRAME attack, but this time the list of hacked sites include many high-profile sites as well..."

(Please do NOT visit any of the IPs in the commentary - they are to be considered dangerous.)

:fear::mad::fear:

AplusWebMaster
2008-03-31, 13:46
FYI...

- http://www.theregister.co.uk/2008/03/31/compromised_site_survey/
31 March 2008 - "...ScanSafe found the amount of time a website hosting malicious code remains live increased during the second half of 2007. Malware on infected sites remained live for an average of 29 days in 2H07, up 62 per cent from the first half of the year. Forms of malware undetected by scanner packages have an even longer shelf life once they compromise a site, persisting an average of 61 days in the second half of 2007."

:fear:

AplusWebMaster
2008-04-01, 22:36
FYI...

- http://www.vnunet.com/vnunet/news/2213090/search-engine-attack-lingers
31 Mar 2008 - "A malware attack targeting search engine results is continuing to haunt several high-profile sites. The attack uses the common cross-site scripting practice of embedding pages with small IFrame tags which redirect the user to a malicious page on a third-party site... The hackers have compromised search result pages, using search engine optimisation techniques to hijack search results and send users to sites which host malicious downloads. Among the sites said to be compromised are major news outlets ABC, USAToday and Forbes, and retailers Wal-Mart, Target and Sears... Administrators can protect against the attack by plugging the input validation vulnerabilities used to seed the malicious code within the pages..."

SANS NewsBites Vol. 10 Num. 26
- https://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=26#sID307
4/1/2008 - "...you can make the world a better place by blocking four IP addresses:
* 72.232.39.252
* 195.225.178.21
* 89.149.243.201
* 89.149.220.85 ..."

(Once again, please do NOT visit those IPs, just BLOCK them.)

:fear::spider:
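The IFRAME injection posts above (Danchev, Symantec, vnunet) all describe the same artefact: a small or hidden IFRAME on a legitimate page that loads a third-party host. Site owners can scan their own pages for exactly that. This is an added example, not code from any of the quoted sources: a standard-library HTML scan that reports IFRAMEs pointing off-site and marks the hidden ones; the sample page and hostnames are constructed.

```python
"""Find injected IFRAMEs of the kind the March 2008 campaign used.

Added example, not from Danchev, Symantec or the thread. The posts
above describe search-result pages and high-profile sites carrying
small (often zero-size or hidden) IFRAMEs that load a third-party host
which then redirects to fake codecs or rogue AV. This scanner parses
HTML with the standard library and reports every IFRAME whose source
is off-site, marking those that are also hidden. SAMPLE_HTML and the
hosts in it are constructed; the injected host is a documentation
address.
"""
from html.parser import HTMLParser
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import urlsplit


class IframeFinding(NamedTuple):
    src: str
    hidden: bool    # zero/tiny size, display:none or visibility:hidden
    external: bool  # host differs from the page's own host


def _is_tiny(value: Optional[str]) -> bool:
    """True for width/height values like 0, 1, '0px', '1px'."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 2


def _looks_hidden(attrs: Dict[str, Optional[str]]) -> bool:
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height"))


class _IframeParser(HTMLParser):
    def __init__(self, page_host: str) -> None:
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: List[IframeFinding] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): v for k, v in attrs}
        src = (a.get("src") or "").strip()
        if not src:
            return
        # A relative src resolves to the page's own host.
        src_host = (urlsplit(src).hostname or self.page_host).lower()
        external = (src_host != self.page_host
                    and not src_host.endswith("." + self.page_host))
        self.findings.append(IframeFinding(src, _looks_hidden(a), external))


def find_iframes(html: str, page_host: str) -> List[IframeFinding]:
    """Return all IFRAMEs with a src, annotated with hidden/external flags."""
    parser = _IframeParser(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious_iframes(html: str, page_host: str) -> List[IframeFinding]:
    """The subset worth alerting on: off-site and hidden."""
    return [f for f in find_iframes(html, page_host) if f.external and f.hidden]


# Constructed sample page: one legitimate embedded player plus two
# injected frames in the shapes described above (zero-size, display:none).
SAMPLE_HTML = """
<html><body>
<h1>Search results for "river amazon"</h1>
<iframe src="/player/embed?id=7" width="480" height="270"></iframe>
<iframe src="http://198.51.100.23/load.php" width=0 height=0></iframe>
<div><iframe style="display: none" src="http://counter.example.test/x.php"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, "www.news-site.example"):
        print(f"suspicious IFRAME -> {f.src}")
```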

AplusWebMaster
2008-04-06, 19:05
FYI...

- http://sunbeltblog.blogspot.com/2008/04/google-groups-continues-to-be-inundated.html
April 05, 2008 - "As we’ve seen before, this continues to be a problem on Google Groups: Fake posts pushing porn that pushes malware (fake codecs)... This really needs to get cleaned up. There’s a reason why so many of the threats that we see users getting infected with are invariably fake codec related..."

(...because it works. Screenshots available at the URL above.)

:fear:

AplusWebMaster
2008-04-07, 21:50
FYI...

- http://www.trustedsource.org/TS?do=threats&subdo=blog&id=31
April 7, 2008 - "The infamous “Storm worm” is back and now the spam messages contain links to the domain blogspot .com - Google’s Blogger service. The spammed subjects look like “Crazy in love with you“, “I Love Being In Love With You” or “Fallen for you“. The mail body contains just simple short sentences like “I’ll never stope loving you“, “With All My Love” or “Deeply in love with you“, followed by a link to Blogger... When a curious user will follow the lure, he will be presented a Blogger web site like above. An executable file named ‘withlove.exe‘ is linked and downloaded from another fast-fluxing domain... BTW: Storm is not the first malware which invades Blogger. Last year Zlob was also present on many Blogs, waiting to show the infamous missing codec error messages. So be aware..."

:fear:

AplusWebMaster
2008-04-17, 14:51
FYI...

- http://preview.tinyurl.com/5hq4xc
16 Apr 2008 | SearchSecurity.com - "...The technique of using otherwise legitimate sites to host and deliver malware is an increasingly popular one and has continued to be effective for a number of reasons. Most importantly, users do not expect to find malware on e-commerce, news and entertainment sites that they trust and have been visiting for years. But there's also the problem of finding and removing the malicious pages. It's much easier to isolate and blackhole an entirely malicious site than it is to find and take down one infected page among thousands on a legitimate site. In his analysis of the malware utility, ISC handler Bojan Zdrnja wrote* that after infecting a new site, the program then checks with a remote server in China, possibly to confirm the new infection as part of a pay-per-infection scheme. After that operation, the tool will then connect to Google and use a specific search string to find vulnerable sites..."
* http://isc.sans.org/diary.html?storyid=4294

:fear:

AplusWebMaster
2008-04-18, 03:16
FYI...

- http://securitylabs.websense.com/content/Blogs/3068.aspx
4.17.2008 - "... research has uncovered a case where a museum's compromised Web server is serving malicious code based on the referrer making the request. A referrer could be, for example, a search engine such as images.google.com. As interesting as the fact that they're doing this, however, is which referrers trigger the delivery of malicious content, when others do not. In this case, the malicious content is served -only- when the referrers for the request are certain high-profile image search sites... For example, if a browser attempted to load a page with the desired image through images.google.com, malicious content was delivered. However, if a normal Google search (www .google.com) was used for the same image with the same URL, the result was the proper page, -without- the malicious redirect. So far, the list of image search sites that are used as affected referrers by the attacker is among the most high-profile image searches on the web:
* images.google.com
* images.search.yahoo.com
* www .altavista.com/image/default
* search.live.com/images/
... another screenshot of the same page, but with referrer data disabled. This page contains the normal page content, not the malicious code. The decision on what content to send is made on the server, so this attack is browser-independent. Regardless of which browser is used, if the referrer information on the request is one of the affected image search engines, the malicious content is delivered... it seems as though the museum's page has also been compromised with a search engine poisoning attack. Beyond the normal reasons for such a compromise, we can theorize that this may have been done to increase the site's search ranking, making it more likely for its images to come up in a search. As a result, more systems are likely to be infected by the malicious content."

(Screenshots available at the URL above.)

:fear:
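The referrer-dependent behaviour Websense found means a direct visit or an ordinary scanner sees a clean page. A site owner can test for it by fetching the same URL under several Referer values and diffing the bodies. This is an added example, not Websense's code: the fetcher is an injectable callable so it runs offline against a constructed fake that mimics the described behaviour; swap in a real HTTP client to test your own site.

```python
"""Check a page for referrer-dependent (cloaked) content.

Added example, not from Websense or this thread. The compromised museum
site above served its malicious redirect only when the Referer named an
image search engine; a direct visit looked clean. A site owner can test
for this by fetching the same URL with several Referer values and
diffing the bodies. `fetch` is injectable so the example runs offline
against a constructed fake server; pass a real HTTP client in practice.
"""
import difflib
from typing import Callable, List, NamedTuple
from urllib.parse import urlsplit

# Referrers to test: none (baseline), a normal web search, then the
# image-search referrers listed in the Websense post.
REFERRERS = [
    "",
    "http://www.google.com/search?q=museum+vase",
    "http://images.google.com/images?q=museum+vase",
    "http://images.search.yahoo.com/search/images?p=museum+vase",
    "http://search.live.com/images/results.aspx?q=museum+vase",
]

Fetcher = Callable[[str, str], str]  # (url, referer) -> response body


class CloakReport(NamedTuple):
    referer: str
    added_lines: List[str]  # lines present only when this referrer is sent


def check_referrer_cloaking(url: str, fetch: Fetcher,
                            referrers: List[str] = REFERRERS) -> List[CloakReport]:
    """Diff the body served under each referrer against the no-referrer body."""
    baseline = fetch(url, referrers[0]).splitlines()
    reports: List[CloakReport] = []
    for ref in referrers[1:]:
        body = fetch(url, ref).splitlines()
        # ndiff prefixes lines found only in the second sequence with "+ ".
        added = [ln[2:].strip() for ln in difflib.ndiff(baseline, body)
                 if ln.startswith("+ ")]
        if added:
            reports.append(CloakReport(ref, added))
    return reports


# --- Constructed fake server reproducing the described behaviour --------
CLEAN_PAGE = "\n".join([
    "<html><body>",
    "<h1>Collection: Greek vases</h1>",
    "<img src='vase.jpg' alt='vase'>",
    "</body></html>",
])
# Constructed injected tag; the host is a documentation-range address.
INJECTED = "<script src='http://198.51.100.9/js.php'></script>"
IMAGE_SEARCH_HOSTS = {"images.google.com", "images.search.yahoo.com", "search.live.com"}


def fake_fetch(url: str, referer: str) -> str:
    """Serve the injected page only to image-search referrers, as in the case above."""
    host = urlsplit(referer).hostname or ""
    if host in IMAGE_SEARCH_HOSTS:
        return CLEAN_PAGE.replace("</body></html>", INJECTED + "\n</body></html>")
    return CLEAN_PAGE


if __name__ == "__main__":
    for report in check_referrer_cloaking("http://museum.example/vases.html", fake_fetch):
        print(f"Referer {report.referer!r} adds: {report.added_lines}")
```

A real fetcher should disable caching and pin the same User-Agent across requests, so that the only variable between fetches is the Referer header.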

AplusWebMaster
2008-04-18, 04:56
FYI...

Google Pages Porn Malware Invasion Continues Unabated
- http://sunbeltblog.blogspot.com/2008/04/google-pages-porn-malware-invasion.html
April 17, 2008 - "... Hundreds of thousands of pages, if not over a million. Examples (warning: graphic language)... And there’s also splogs pushing malware, not as porn, but just off of keywords. Here’s a search for “Symantec Download”... file being pushed, setup.exe, is a trojan. Or, let's use the search term “McAfee download”... (I’m not picking on these AV companies, if you do similar searches for Sunbelt products, you’ll hit these types of things as well.) These slimeballs are using all kinds of keywords. Here’s some more, like Blackberry Ringtones and Free Messenger Download, returning spam links... Or how about keeping it simple, and just saying “free download”? Malware!... A large part of this is most certainly caused by bots uploading stuff, breaking the CAPTCHA. They may not break it all the time, but they do break it probably 10% of the time. That’s enough to upload a ton of garbage..."

(Screenshots available at the URL above.)

:fear::fear:

AplusWebMaster
2008-05-03, 23:43
FYI... (now, not "malware", just FRAUD)

- http://www.networkworld.com/news/2008/050208-google-adwords-fuel-new-url.html
05/02/2008 - "Google adwords account holders are being targeted by criminals out to trick them into handing over credit card information using a clever URL spoof that has gained popularity in recent weeks. On the face of it, the scam follows a traditional attack route involving the sending of spam emails to random Internet addresses in the hope of finding users who have purchased adwords. The email claims that the user's account payment has failed and asks them to "update payment information", again a transparent ploy by today's standards... As obvious as this might sound, the unwary might easily be tricked by the convincing http ://adwords .google .com/select/login link embedded in the email, a perfect copy of the correct Google login address. This one, however, actually leads to hxxp ://www .adwords .google .com.XXXX.cn/select/Login [address altered], an obfuscated address that directs to a site associated with IPs in Germany, Romania, and the Czech Republic. The site is a good copy of the real Google adword site, and appears to let users login using their real account details - any account details will work in fact. Entering payment details results in that information being posted using an SSL link to a remote server after which the account will be ripped off. The attack has been publicized by security software company Trend Micro*, but the disarmingly simple scam is widespread enough to have been received by ordinary users in recent days..."
* http://blog.trendmicro.com/google-adwords-phishing/
May 1, 2008

:fear::fear:

AplusWebMaster
2008-05-06, 19:52
FYI...

- http://sunbeltblog.blogspot.com/2008/05/mcafee-deal-with-yahoo.html
May 06, 2008 - "...McAfee announced a deal with Yahoo* to have search results filtered through SiteAdvisor..."
* http://www.news.com/8301-10784_3-9936682-7.html?tag=nl.e703

Good deal - for users, too.


:bigthumb:

AplusWebMaster
2008-06-25, 17:06
FYI...

- http://preview.tinyurl.com/5cvvdw
June 24, 2008 (Infoworld) - "...Stopbadware.org released data on "badware" Web sites on Tuesday, saying that Google was one of the top five networks responsible for hosting these dangerous Web sites.
The numbers show that China is now a top source of malicious Web sites -- China-based networks hosted more than half of the malicious Web sites tracked by the group -- but Google's appearance on the list is perhaps more remarkable...
A year ago, Google did not appear on Stopbadware.org's list of the top 10 sources of badware, but recently scammers and online criminals have turned to Google's Blogger service to host malicious or spyware-related Web pages... In March, Google was the top badware network tracked by Stopbadware*..."

* http://blogs.stopbadware.org/articles/2008/04/05/infections-stats-for-march-2008
Top Infected IP Addresses

> http://www.stopbadware.org/home/badwebs

:fear::spider:

AplusWebMaster
2008-08-16, 14:10
FYI...

A Million Search Strings to Get Infected
- http://blog.trendmicro.com/a-million-search-strings-to-get-infected/
August 15, 2008 - "...We received several reports from the North American region earlier today about users being victimized by a rogue antispyware, which these users have downloaded after they have somehow been convinced to click on malicious links. These links point to malware that caused overt signs (such as popup balloons and modified wallpapers) to appear in the PC suggesting that the system has indeed been infected. This is not goodwill, though — because downloading the ‘trial version’ only scans the system. To remove the infection the user will have to purchase the entire antispyware for real money. Users may be infected via spammed email messages, spammed instant messages, or even via ads served in social networking sites. Soon enough, we’ve discovered not one but two fake antivirus software. This time the attack is made possible through a mass SEO poisoning involving several compromised Web sites. This development has certainly upped the chances of the rogue antispyware gaining mileage. How does this work? A simple Google/Yahoo! search can lead you to a malware-serving site. Search strings such as “changes on the river amazon” or “changes made for mount Pinatubo” will lead you to a malicious Web site. Users who happen to use these strings will find themselves going down the long road of nasty redirections... After all the fake notifications, the user will be asked to download AV2009Install_880488.exe. The other fake antivirus will lead users to hxxp ://scan. free-antispyware-scanner. com ... This will ask the user to download setup_100722_3.exe instead of AV2009Install_880488.exe. (Note that the final agenda for both and most rogue antispyware scams is extortion. Users who fall for this scam pay a certain amount of money to the malware writers to purchase the full version of the fake antispyware.)
According to our investigation, there are several dozen domains involved that are currently compromised. The hackers were able to upload PHP scripts that contain various text strings designed for SEO poisoning (SEO poisoning is manipulating or influencing the natural page rankings of search results in order to get more hits than a page really deserves). This is not the first time Trend Micro has seen this incident; a previous SEO poisoning of this scale was also discovered in December 2007, with SEO poisoning pages hosted on Blogspot. This time around, compromised web sites were used instead. Digging a little bit deeper, we’ve also found out that the hackers have almost 1 million search phrases at their disposal for SEO poisoning. These search phrases cover the range from free downloads, lyrics, travel, politics and anything in between. Malicious sites have “CLICK HERE! ALL INFORMATION!” and “CLICK HERE! WANT TO KNOW MORE ABOUT” as their page titles, so it will be best to avoid clicking through Google/Yahoo! results that have those aforementioned site titles."

(Screenshots available at the TrendMicro URL above.)

:fear::fear:

AplusWebMaster
2008-08-24, 03:31
FYI...

Continuing problem - malware advertised in Google Adwords
- http://sunbeltblog.blogspot.com/2008/08/continuing-problem-of-malware-being.html
August 23, 2008 - "Google continues to have a problem with malware being advertised in Google Adwords, in this case, for the trojan Antivirus XP 2008... An exacerbating part of the problem, of course, is that Google Adwords are massively syndicated to other sites, including heavy-hitters like CNET, all of whom may unknowingly push malware through these ads. A lot of people can get affected by this type of problem."
(Screenshots available at the URL above.)

- http://sunbeltblog.blogspot.com/2008/08/i-can-resist-irony.html
August 23, 2008 (Yet another Screenshot)

:fear::mad:

AplusWebMaster
2008-11-06, 20:38
FYI...

More Google searches resulting in rogue AV
- http://blog.trendmicro.com/more-google-searches-resulting-in-rogue-av/
Nov. 5, 2008 - "... 2 scenarios resulting (in) rogue AV downloads, also done through hijacking Google search results... In the first scenario, queries for the string refa+zeitaufnahmebogen [related to a German association for work design] on the German Google website (www .google.de) yield suspicious results... Using Wireshark, I’ve found that this was achieved through a redirection to yet another URL entirely... While the first scenario is more of a targeted attack, this next one proves to aim at a wider range of victims, and timely as well considering the US elections. Malicious results were also found generated from queries for the string absentee voting... And of course, this is another work of the FakeAV gang. Clicking the result triggers a series of redirections; however the payload, or the fake AV itself, is not there anymore. The downloaded file has the same name..."

(Screenshots available at the URL above.)

:fear:

AplusWebMaster
2008-11-24, 17:32
FYI...

- http://blog.trendmicro.com/bogus-housecall-search-results-lead-to-adware/
Nov. 23, 2008 - "Given the popularity of Trend Micro’s free online scanner HouseCall, it shouldn’t be a surprise that hackers are now trying to exploit it for their benefit... found this unwelcome search result that comes up when a user searches for “free online virus scan by Trend Micro” in Google... Not surprisingly, the system scanning is completely fake. In actuality, the page linked to in the initial resulting Google search - along with other pages from the same domain - all point to a file detected by Trend Micro as ADW_FAKEAV. This is the software that tries to dupe victims into believing that their systems are infected with some sort of bogus malware and then prompts them to pay for a full license of a fake antivirus application in order to remove the fake threat. ADW_FAKEAV also connects to a remote website and downloads another adware program detected as ADW_FAKEAV.O, so in this entire process, victims are exposed to more adware threats... This would not be the first time our products’ names were used in malicious operations..."

(Screenshot available at the URL above.)

:fear::mad:

AplusWebMaster
2008-12-24, 13:55
FYI...

Fake antivirus peddlers... using redirects
- http://preview.tinyurl.com/7khzp9
12/24/2008 (Networkworld.com) - "... Over the past four days the scammers have used so-called redirector links on Web sites belonging to magazines, universities and, most remarkably, the Microsoft.com and IRS.gov domains, said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham, who first reported the activity on his blog* Tuesday. Many Web sites use redirector links to take visitors away from the site, although the Web site operators try to stop them from being misused by scammers... If criminals can use a redirector on a major Web site like Microsoft.com or IRS.gov, however, they can make their malicious links pop up very high in Google search results... The FTC estimates that 1 million consumers were taken in by other fake antivirus products which go by names such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus... the scammers behind this latest operation may be connected to the earlier scams..."
* http://garwarner.blogspot.com/2008/12/more-than-1-million-ways-to-infect-your.html
December 23, 2008 - "An unknown hacker has been on a Search Engine Optimization rampage to flood search engines with more than a million ways to infect yourself with his virus... You can review the coverage on "install.exe" on VirusTotal.com**... where only 5 of 37 antivirus products were able to identify the file as malware...
UPDATE!
Microsoft has closed the Open Redirector which was being abused... Clicking one of the Microsoft pages indicated in the Google search... will now take you to a safe page stating that the page was not found, and then forwarding you to a Microsoft search page. Thanks to Microsoft for such a quick response once the problem was pointed out to them."
** http://www.virustotal.com/analisis/5360054b5e2f7c54a81de81583e36fa0

:fear::mad::fear:
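
The Gary Warner post above describes Microsoft closing the open redirector that was lending its domain's reputation to poisoned search results, and the earlier AdWords post shows the related host-name trick (`adwords.google.com.XXXX.cn`). The following is an added example, not code from any of the quoted sources, of how a site's own `/redirect?url=...` endpoint can validate its target so it cannot be turned into such a launching pad. The host names `www.example.org` and `docs.example.org` and the `.invalid` hosts are constructed placeholders.

```python
"""Allow-listed redirect target validation (added example; not from the
quoted articles). A redirector that forwards only to same-site paths or to
absolute http(s) URLs whose host is on an operator-controlled allow-list,
so the site's search reputation cannot be borrowed by a poisoned landing page."""

from urllib.parse import urlsplit

# Constructed allow-list for the hypothetical site; a real deployment would
# load this from configuration rather than hard-code it.
ALLOWED_HOSTS = {"www.example.org", "docs.example.org"}
FALLBACK = "/"


def safe_redirect_target(requested: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a value that is safe to emit in a Location header.

    Anything that is not a plain same-site path or an allow-listed http(s)
    URL collapses to FALLBACK instead of being forwarded.
    """
    if not requested or len(requested) > 2048:
        return FALLBACK
    # Whitespace and control characters are a classic way to smuggle a second
    # header or a second URL into a redirect parameter; refuse them outright.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in requested):
        return FALLBACK
    # Browsers treat a backslash like a slash when parsing the authority, so
    # "/\evil.example" is really "//evil.example". Normalise before parsing.
    candidate = requested.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: demand exactly one leading slash so that a
        # protocol-relative "//evil.example/..." cannot slip through.
        if not candidate.startswith("/") or candidate.startswith("//"):
            return FALLBACK
        return candidate
    if parts.scheme.lower() not in ("http", "https"):
        return FALLBACK  # javascript:, data:, and similar schemes
    # urlsplit strips userinfo and port, so "https://www.example.org@evil.example/"
    # yields hostname "evil.example"; a lookalike such as
    # "www.example.org.evil.example" likewise fails the exact-match test.
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return FALLBACK
    return candidate


if __name__ == "__main__":
    # Constructed inputs showing which requests are forwarded and which are not.
    for url in ("/downloads/index.html",
                "https://docs.example.org/kb/1",
                "//evil.example/fakeav",
                "/\\evil.example/fakeav",
                "https://www.example.org@evil.example/",
                "https://www.example.org.evil.example/",
                "javascript:alert(1)"):
        print(f"{url!r:45} -> {safe_redirect_target(url)!r}")
```

The exact-match check on the parsed host is deliberate: prefix or substring tests (`startswith("www.example.org")`, `"example.org" in host`) are exactly what the `adwords.google.com.XXXX.cn` style of lookalike defeats.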

AplusWebMaster
2009-01-07, 20:36
FYI...

- http://www.viruslist.com/en/weblog?weblogid=208187615
January 05, 2009 - "Drive-by downloads became increasingly common in 2008. With webmasters becoming more aware of security issues, the criminals out there are always looking for new techniques to ensure that their malware survives longer... The malware writers start by doing Google searches to identify popular websites. The most popular sites thrown up by each search are then ‘pen-tested’ for vulnerabilities. The most vulnerable websites are then compromised and in order to cover their tracks, malware writers aren’t adding code to these compromised pages in the form of new files or even obfuscated code. Instead, they’re simply modifying scripts that are already running on the compromised pages... it’s not just websites which have been optimized to achieve high search rankings that are being used; the criminals are also targeting some security sites... Compromising websites optimized for search engine success and infecting users through a series of malicious re-directs is bound to be a popular attack vector in 2009 and will undoubtedly cause webmasters new headaches. This case just goes to show that nothing on the Internet is as safe as it might seem. And it’s not just Google that’s affected – I tested this attack scenario using Yahoo! and MSN, and the results were the same..."

:fear::fear::fear:

AplusWebMaster
2009-01-18, 23:55
FYI...

- http://sunbeltblog.blogspot.com/2009/01/new-google-adwords-phishing-run.html
January 18, 2009 - "Google Adwords phishes have been quiet for a while, but now they’re back. Unlike most of the other Google Adwords runs, these are not using .cn TLDs, instead ones like Burkina Faso and EU (.be and .eu)... All fast flux... And all appear to have been registered with Tucows..."

(Screenshots available at the URL above.)

:fear::mad:

AplusWebMaster
2009-02-02, 15:36
FYI...

- http://blog.trendmicro.com/google-video-searches-being-poisoned/
Feb. 1, 2009 - "... new blackhat SEO poisoning makes clear that online search tools are quickly becoming favorite platforms for online criminals in their operations. Search traffic on Google Video was found to be polluted: instead of legitimate videos researchers found some 400,000 queries returning video results that have a single redirection point, and one that eventually leads to malware download and execution.
Trend Micro detects the malicious executable as WORM_AQPLAY.A. This worm - file name FlashPlayer.v3.181.exe and from that alone one can already guess the social engineering strategy - spreads via removable and network drives when autorun is enabled. It masquerades as an Adobe Flash installer, which users who visit certain spoofed versions of video streaming websites are prompted to download and install. What’s more interesting here is how users get to these spoofed websites in the first place. Researchers believe that the gang behind this threat is maintaining a notable number of domains for their malicious operations. These domains have keyword-riddled pages, so they appear on top of search results when users enter certain related strings. A user, thinking that top search results are reliable, is then unknowingly trapped into visiting a malicious website. This is typical of most SEO poisoning attacks, but it does not end there. This new threat also comes with a detection-evasion technique: only users who are redirected from Google Video are prompted to download FlashPlayer.v3.181.exe.
Blackhat SEO threats take advantage of the trust users put on online search tools. Through this method cybercriminals are able to manipulate results such that malicious websites appear first on search lists..."

:fear:

AplusWebMaster
2009-03-12, 10:47
FYI...

Yahoo! sponsored search results lead to rogues
* http://preview.tinyurl.com/db25xj
03-10-2009 06:25PM - Symantec Security Response Blog - "Search engines are often used by attackers as platforms from which to deliver malicious code. A while ago it was reported that Google was serving up advertisements that led to misleading applications (also known as rogue antispyware products). This time, the malicious code authors are using “Yahoo! Sponsored Search” listings as a means to promote a misleading product called ”Antivirus & Security.” Antivirus-2009-new .com and Antivirus-pro-download .com are returned in Yahoo!... The sponsored search result leads to antivirus-2009-new .com and antivirus-pro-download .com, where users are asked to make a payment to buy a membership in order to obtain the product.
>>> Instead of using techniques like search engine optimization (SEO) poisoning to get the top listing in the search engine results, attackers are using Yahoo’s advertising services to display their advertisement on all websites that display Yahoo’s sponsored search results...
Fortunately, these sponsored listings have since been cleaned up, and all websites that display sponsored search results from Yahoo no longer appear to be displaying these misleading advertisements. However, links to this website in forum comments and other website pages can still be found. A Yahoo search returned around 9,000 results and a Google search returned around 5,000 results when searching for “antivirus-2009-new .com.” For “antivirus-pro-download .com,” Yahoo returned around 10,000 results and Google returned around 1,650 results..."

(Screenshots available at the Symantec URL* above.)

:fear::mad::fear:

AplusWebMaster
2009-03-16, 21:02
FYI...

- http://securitylabs.websense.com/content/Alerts/3322.aspx
03.16.2009 - "Websense... has received reports that searching for March Madness-related terms in Google's search engine returns results that lead to rogue antivirus software. March Madness is the term given to an elimination tournament held each spring featuring college basketball teams in the United States.
With only a few days left before the tournament starts, if a user searches for popular March Madness-related terms in Google, malicious URLs as high as the -first- result are returned. Search terms that currently exist within the Top 10 of Google's Hot Trends (the most popular search results) return these malicious URLs. If a user clicks through these links (such as hxxp ://[removed].de/news/nit_bracket_2009 .html) they are redirected, via Javascript code, to a Web site advising the user that their machine is infected. The rogue AV Web site encourages the user to install a file called install.exe. The technique of search engine optimization (SEO) poisoning pushes the infected URLs to the top of the search results, to increase the likelihood of a user clicking through to the malicious link. Ask.com is also confirmed to be affected in this way. Other search engines may be affected in a similar manner..."

(Screenshots available at the Websense URL above.)

:fear::mad:

AplusWebMaster
2009-04-15, 01:58
FYI...

Twitter worm Google searches lead to malware
- http://www.f-secure.com/weblog/archives/00001657.html
April 14, 2009 - "No surprise at all that Google searches for information about the Twitter worm would lead to malware sites, it was really just a matter of time. Especially not after all the talk about it over the weekend and the guy behind it even confessing everything. Malicious search results about popular news is something we see very often unfortunately... So, unfortunately we're not surprised that this happened. As usual, get your news and information from sources you trust. Random Google searches can't be trusted.
Updated to add: Searching for "Mikeyy" also leads to malicious results."

(Screenshots available at the URL above.)

:sad::fear:

AplusWebMaster
2009-04-23, 02:46
FYI...

SEO campaign serving scareware
- http://ddanchev.blogspot.com/2009/04/massive-blackhat-seo-campaign-serving.html
April 22, 2009 - "... yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software. Later on Google detected the campaign and removed all the blackhat SEO farms from its index, which during the time of assessment were close to a hundred domains with hundreds of subdomains, and thousands of pages within... It's worth pointing out that this very latest campaign is directly related to last week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains, and serving the same malware. Who's behind these search engine poisoning attacks? A Ukrainian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic... Once the user visits any of the domains within the portfolio, with a referrer check confirming he used a search engine to do so, two javascripts load, one dynamically redirecting to the portfolio of fake security software, and the other logging the visit using a Ukrainian web site counter service..."

(More detail available at the URL above.)

:fear::mad::fear:

AplusWebMaster
2009-04-27, 17:14
FYI...

Swine Flu SEO...
- http://www.f-secure.com/weblog/archives/00001668.html
April 27, 2009 - "Swine Flu is in the news worldwide and search trends are spiking in North America... We're seeing lots of domains being registered. Here's a list of the ones registered over the weekend*... No malware sites - yet. But plenty of them are opportunistic... Click on the "Add to Cart" button at noswineflu .com and you'll be asked to buy a PDF file called "Swine Flu Survival Guide" for $19.95..."
* http://www.f-secure.com/weblog/archives/swineflu_domains.txt

:fear::sad:

AplusWebMaster
2009-05-04, 00:27
Warning: We strongly suggest that readers NOT visit websites on this list. They all have a history of covert hacks, redirecting the browser to drive-by-malware installations, and should be considered dangerous and capable of infecting and causing damage to your system with exploits, spyware, trojans, viruses, and the like.

Advisories provided by Google:

18dd.net - http://google.com/safebrowsing/diagnostic?site=18dd.net/
"... this site has hosted malicious software over the past 90 days. It infected 2928 domain(s)..."
3322.org - http://google.com/safebrowsing/diagnostic?site=3322.org/
"... Of the 1259 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 24233 scripting exploit(s), 2443 exploit(s), 1095 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 25 domain(s)..."
5252.ws - http://google.com/safebrowsing/diagnostic?site=5252.ws/
"...this site has hosted malicious software over the past 90 days. It infected 126 domain(s)..."
8800.org - http://google.com/safebrowsing/diagnostic?site=8800.org/
"... Of the 1631 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-02, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 296 exploit(s), 140 scripting exploit(s), 100 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 7 domain(s)..."
8866.org - http://google.com/safebrowsing/diagnostic?site=8866.org/
"...Of the 572 pages we tested on the site over the past 90 days, 97 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 2195 scripting exploit(s), 848 exploit(s), 845 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 28 domain(s)..."
ifastnet.com - http://google.com/safebrowsing/diagnostic?site=ifastnet.com/
"... Of the 2956 pages we tested on the site over the past 90 days, 177 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 163 trojan(s), 108 scripting exploit(s), 15 adware(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 60 domain(s)..."
xprmn4u.info - http://google.com/safebrowsing/diagnostic?site=xprmn4u.info/
"... Malicious software includes 144 scripting exploit(s), 65 trojan(s). This site was hosted on 1 network(s)..."
yl18.net - http://google.com/safebrowsing/diagnostic?site=yl18.net/
"... this site has hosted malicious software over the past 90 days. It infected 120 domain(s)..."

Note: This is NOT a complete list, but you should get the idea...

:fear::spider::fear:

AplusWebMaster
2009-05-08, 14:06
FYI...

Swine Flu SEO spreads malware
- http://securitylabs.websense.com/content/Alerts/3393.aspx
05.08.2009 - "... most of the sites are used for advertisement or email/web spam to sell their products, but of course, the topic also offers plenty of opportunity for malware. We discovered that some Web sites are using the swine flu topic to spread malware. Interestingly, the sites we found are the type that only redirect users to a malicious Web site when they access the site through certain search engines. The targeted search engines are the most popular such as Google, Yahoo, and AOL. When a user searches using swine flu-related search terms, the malicious sites are returned as high as the fifth result on Google. The malicious Web site that is redirected to is typical: it asks the user to install a missing codec to watch a video, and the downloaded codec is a Trojan Downloader. Until now, these kinds of sites just used hot topics to attract users; we suspect that they will use more advanced SEO techniques to infect more users in the future..."

(Screenshots available at the URL above.)

:fear::fear:

AplusWebMaster
2009-05-28, 01:04
FYI...

- http://preview.tinyurl.com/punx42
2009-05-27 Eweek.com - "... McAfee* researched more than 2,600 popular keywords, as defined by Google Zeitgeist and other sources. The words were ranked by maximum risk, which was determined by the maximum percentage of malicious sites a user would encounter on a single page of search results. According to the company, "screensavers" was found to be especially dangerous, garnering a maximum risk of 59.1 percent. The word "lyrics" came in second with a maximum risk factor of one in two. Surprisingly, searches using the word Viagra—a word that makes its way into more than a few spam e-mails—yielded the fewest risky sites, McAfee reported. Clicking on results that contain the word "free" brings a 21.3 percent chance of infecting your PC, according to McAfee's calculations. Those interested in telecommuting don't fare much better—results with the phrase "work from home" were found to be four times riskier than the average risk of all popular terms. Security vendors have noted the trend of hackers poisoning search engine results a number of times this year, most recently with the Gumblar attacks. In that case, victims were infected with malware that, when the victim performed a subsequent Google search, replaced the results with links leading to malicious pages..."
* http://newsroom.mcafee.com/article_display.cfm?article_id=3526
May 27, 2009

:fear::fear:

AplusWebMaster
2009-06-06, 04:10
FYI...

- http://preview.tinyurl.com/qn3f63
Pandalabs - UPDATE - 6/04/09 - "16,000 new malicious links have appeared in Google over the last 24 hours targeting the phrase "TV Online". The malicious site appears to be a video viewing website. It will prompt you to download and install a codec.exe file, which of course is a malicious file. Knowing that this link wouldn’t be the only one, we started researching the domains and keywords being targeted and here is what we found:
Keywords:
16,000 links targeting "TV Online"
16,000 links targeting “YouTube”
10,500 links targeting "France" (Airline Crash)
8,930 links targeting "Microsoft" (Project Natal)
3,380 links targeting "E3"
2,900 links targeting "Eminem" (MTV Awards/Bruno Incident)
2,850 links targeting “Sony”
The sites are all hosted via Lycos Tripod, which is a free web host. This allows the cyber criminals to create thousands of free sites to take advantage of the Blackhat SEO and then simply redirect the free sites to just a handful of their own servers.
Blackhat SEO is definitely one of the most prevalent threat distribution methods today. We expect to see several more examples of this type of attack throughout the year, so be especially careful when searching for news breaking stories..."

:fear::mad:

AplusWebMaster
2009-06-16, 20:04
FYI...

Google search abused - again
- http://blog.trendmicro.com/another-google-search-feature-abused/
June 15, 2009 - "A recent set of SPAM emails were seen abusing yet another Google search feature... The URL in the spam email above uses the search feature q=site: in order to direct the user clicking on the link to a Google results page returning the spam site... What works to the spammers' advantage is that Google displays the first few lines of the web page, and that may be enough to entice some users to continue and click the link... It should be noted that spammers heavily used Google’s “I’m feeling lucky” feature late last year on their spam campaigns..." (Screenshots available at the URL above.)

"I don't feel so lucky anymore..."

:fear::mad:

AplusWebMaster
2009-06-26, 14:46
FYI...

Blackhat SEO quick to abuse death of celebrities
- http://blog.trendmicro.com/blackhat-seo-quick-to-abuse-farrah-fawcett-death/
June 25, 2009 - "Cybercriminals take the low road once again as they pepper the Internet with blackhat SEO links that are likely to attract users searching for news... Not long after news of Farrah Fawcett’s passing hit mainstream news, singer/entertainer Michael Jackson likewise meets an untimely death. Users are advised to exercise extreme caution in searching for related news and information surrounding the deaths of these celebrities... Users who have the misfortune of coming across “System Security Antivirus” are advised to run their legitimate antivirus if this makes an appearance on their system."

- http://isc.sans.org/diary.html?storyid=6646
Last Updated: 2009-06-26 01:19:23 UTC

:fear::fear:

AplusWebMaster
2009-07-27, 23:33
FYI...

Rumors of Emma Watson's death leading to Rogue AV sites
- http://securitylabs.websense.com/content/Alerts/3450.aspx
07.27.2009 - "Websense... has discovered that a rumor claiming that the actress Emma Watson, made famous by the Harry Potter series of movies, died on the scene of a fatal car collision is spreading rogue AV sites on the Internet. The rumor itself is spreading rapidly through social networks such as Twitter. The attackers have targeted the Google search engine via the Search Engine Optimization (SEO) poisoning technique: when a user searches for terms related to Emma Watson's death, the fake AV sites are returned as high as the fifth result on Google..."

(Screenshot available at the URL above.)

:fear::mad:

AplusWebMaster
2009-08-21, 15:17
FYI...

Free Online Movie Blogs... Trojan for Windows and Mac
- http://www.symantec.com/connect/blogs/free-online-movie-blogs-serving-trojan-windows-and-mac
August 20, 2009 - "We have recently observed that attackers are actively exploiting new movie releases to distribute malware. The general practice is to host a blog on a (relatively) reputable site, which in actual fact redirects users to a malicious website hosting malware. The movie “Obsessed” was released in April 2009 and in order to watch it online for free, users might search for a phrase that includes keywords such as movie, free, video, online, watch, etc.—along with the movie’s name... The first search result we received was from digg.com. The digg.com page that was listed is flooded with the keywords related to movie... However, when a user clicks on the link it redirects to a blog hosted on blogspot.com... Then, once the user clicks on an image that appears to be a video player window, it redirects to a codec download. Unfortunately this turns out to be a fake codec. More investigation revealed that blogspot .com has been abused by attackers with multiple, similarly styled posts... These blogs usually contain a link that redirects users to malicious sites using multiple redirections. This enables cybercriminals to continually change the site that finally delivers the malware. Interestingly enough, the malicious site to which users are being redirected is serving malware for Windows as well as for Mac OS. This is based on the user-agent string of the browser. For a Windows browser agent it delivers a Trojan intended for the Windows operating system, and for a Mac OS browser agent it delivers a Trojan for the Mac operating system... Symantec antivirus products detect this threat as Trojan.Fakeavalert for Windows and as OSX.RSPlug.A for Mac OS. Users should be aware of these social engineering techniques and should use caution when visiting any such sites..."

(Screenshots available at the URL above.)

:fear::mad::fear:
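
Three of the posts above describe the same defensive blind spot from different angles: the ddanchev write-up (a referrer check confirming the visitor arrived from a search engine before the redirect scripts load), the Websense swine-flu alert (sites that only redirect when reached through Google, Yahoo or AOL) and the Symantec post (a Windows or Mac payload chosen from the browser's User-Agent). A crawler or a direct visit sees only a harmless keyword page, so a scanner has to fetch the same URL under several header profiles and compare. The following is an added example, not code from Symantec, Websense or the blog authors: a differential-fetch check with the HTTP layer passed in as a callable, so it runs offline against a constructed stand-in for a poisoned page. The `poisoned-blog.invalid`, `reviews.invalid` and `codec.invalid` hosts are constructed placeholders.

```python
"""Differential fetching to detect search-referrer and user-agent cloaking
(added example; not code from the quoted posts)."""
import hashlib
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]          # (status, headers, body)
Fetcher = Callable[[str, Dict[str, str]], Response]

_WIN_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
_MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) AppleWebKit/537.36"
_SEARCH_REF = "https://www.google.com/search?q=obsessed+movie+watch+free+online"

# Header profiles differ in one dimension at a time so that a behavioural
# difference can be attributed to the Referer or to the platform.
PROFILES: Dict[str, Dict[str, str]] = {
    "crawler":        {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "direct/windows": {"User-Agent": _WIN_UA},
    "search/windows": {"User-Agent": _WIN_UA, "Referer": _SEARCH_REF},
    "search/mac":     {"User-Agent": _MAC_UA, "Referer": _SEARCH_REF},
}


@dataclass(frozen=True)
class Observation:
    status: int
    location: str        # redirect target, empty if the response was not a redirect
    body_digest: str     # short hash so bodies can be compared without storing them


def observe(resp: Response) -> Observation:
    status, headers, body = resp
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    return Observation(status, location, hashlib.sha256(body.encode()).hexdigest()[:16])


def detect_cloaking(url: str, fetch: Fetcher) -> dict:
    """Fetch `url` once per profile and compare each view with the crawler's.

    Any profile whose status, redirect target or body differs from what the
    search-engine crawler was shown is reported as evidence of cloaking.
    """
    results = {name: observe(fetch(url, dict(hdrs))) for name, hdrs in PROFILES.items()}
    baseline = results["crawler"]
    differing = [name for name, obs in results.items() if obs != baseline]
    return {"url": url, "cloaked": bool(differing),
            "differing_profiles": differing, "results": results}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it


def http_fetch(url: str, headers: Dict[str, str], timeout: float = 10) -> Response:
    """Live fetcher for real scans (not exercised offline here). Redirects are
    reported, never followed, so the scanner does not retrieve the payload."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


# ---- constructed offline stand-ins (not real sites) -------------------------
def fake_poisoned_site(url: str, headers: Dict[str, str]) -> Response:
    """Models the behaviour the posts describe: a keyword-stuffed page for
    crawlers and direct visitors, a per-platform 'codec' redirect for arrivals
    from a search engine. Hosts use the reserved .invalid TLD."""
    ref = headers.get("Referer", "")
    ua = headers.get("User-Agent", "")
    if any(e in ref for e in ("google.", "yahoo.", "bing.", "aol.")):
        target = "mac/install.dmg" if "Macintosh" in ua else "win/codec.exe"
        return 302, {"Location": "http://codec.invalid/" + target}, ""
    body = "<html><title>watch obsessed free online</title>" + "movie free online " * 40 + "</html>"
    return 200, {"Content-Type": "text/html"}, body


def fake_honest_site(url: str, headers: Dict[str, str]) -> Response:
    return 200, {"Content-Type": "text/html"}, "<html><body>Film reviews</body></html>"


if __name__ == "__main__":
    for site, fetcher in (("http://poisoned-blog.invalid/obsessed", fake_poisoned_site),
                          ("http://reviews.invalid/obsessed", fake_honest_site)):
        report = detect_cloaking(site, fetcher)
        print(site, "cloaked" if report["cloaked"] else "consistent", report["differing_profiles"])
```

To scan a live URL, pass `http_fetch` instead of the stand-in. The redirect handler is the important safety detail: the scanner records the `Location` header and stops, so it never downloads the executable that the redirect chain ends in.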

AplusWebMaster
2009-09-04, 19:45
FYI...

Malicious blogs on Blogspot...
- http://www.symantec.com/connect/blogs/busy-days-koobface-gang
September 1, 2009 - "... We have been monitoring Koobface for a while now, and here we have some findings based on analyzing data collected over three weeks. These findings shed some light onto the modus operandi of the gang behind Koobface and the effectiveness of its techniques. The infrastructure used by the Koobface gang is relatively simple: a central redirection server redirects victims to one of the infected bots where the actual social engineering attack takes place. While the central redirection point has been actively targeted by take-down requests, the Koobface gang has so far been quick to replace suspended domain names and blacklisted IPs with new ones... The use of SEO techniques by Koobface has only recently come under analysis. For example, a recent post* by Finjan’s Daniel Chechik has described how Koobface automatically creates malicious blogs on Blogspot, Google’s blogging platform, to attract and infect victims. During our monitoring we detected 11,337 such malicious blogs..."
* http://www.finjan.com/MCRCblog.aspx?EntryId=2317

(Screenshots available at the URL above.)

:fear::mad:

AplusWebMaster
2009-09-05, 13:19
FYI...

Labor Day - SEO Poisoning leads to Rogue Antivirus
- http://securitylabs.websense.com/content/Alerts/3471.aspx
09.04.2009 - "Websense... has detected that Google searches on terms related to Labor Day sales return results that lead to rogue antivirus software. Labor Day is one of the biggest holidays observed in the US each year. Retail sales events held during this weekend are some of the most anticipated throughout the country. When Google is used to search for terms related to Labor Day sales, malicious URLs as high as the first result are returned. Upon clicking an affected search-result link, JavaScript code redirects the user to a Web site advising them that their machine is infected with viruses. It then proceeds to offer free (rogue/fake) AV software. AOL and ASK.com are also affected in a similar way..."

(Screenshots available at the URL above.)

:fear::mad::fear:

AplusWebMaster
2009-09-25, 15:33
FYI...

SEO poisoning - Ann Minch's YouTube video
- http://securitylabs.websense.com/content/Alerts/3482.aspx
09.24.2009 - "Websense... has discovered rogue antivirus sites returned by Google searches on Ann Minch. Ann Minch launched a one-woman "Debtors Revolt" against her bank for an unjustified APR increase on her credit card. She posted a video on YouTube two weeks ago sharing her thoughts. Her video made a huge splash and was viewed over a quarter of a million times. When searching for Ann Minch and related terms in Google, rogue antivirus sites, ranked as high as top match, can be returned. These sites lead to fake antivirus pages which claim your computer requires an immediate antivirus scan and prompt you to download malicious files. These files have very low AV detection*..."
* http://www.virustotal.com/analisis/665c1637e679965a73ebd988a1ba4b9154c8b408a8fdc37eb7520b04d766489f-1253761961
File 549170E10037D51580D70240C1E1C6001E217750.exe received on 2009.09.24 03:12:41 (UTC)
Result: 1/41 (2.44%)

(Screenshots available at the Websense URL above.)

:mad:

AplusWebMaster
2009-09-29, 00:36
FYI...

iPhone Blackhat SEO Poisoning Leads to Total Security Rogue Antivirus
- http://securitylabs.websense.com/content/Blogs/3483.aspx
09.28.2009 - "Websense... has detected that Google searches on terms related to iPhone SMS information are returning results that lead to rogue antivirus software. The Apple iPhone is one of the most popular smart phones on the market, and it's quite typical for users to google for information relating to SMS and other features of the iPhone. When Google is used to search for terms related to iPhone SMS information, malicious URLs are returned as high as the sixth result. When a user clicks an affected search-result link, they are redirected to a Web site advising that their machine is infected with malicious threats. It then proceeds to offer rogue or fake AV software... If a user clicks on a link controlled by attackers in this scheme, they are redirected through a series of sites via 302 redirects. The final landing page attempts a scareware technique of warning the user that they have been infected with malware and must clean their system. The user is then prompted to download fake antivirus software... The use of Blackhat SEO leading to Rogue AV will only increase in the upcoming year. This scare tactic has proved to be a very successful method of social-engineering users into installing software onto their computers and tricking them into paying for it..."

(Screenshots available at the URL above.)

:fear::fear:

AplusWebMaster
2009-09-30, 18:00
FYI...

SEO Poisoning - MS Security Essentials ...
- http://securitylabs.websense.com/content/Alerts/3485.aspx
09.30.2009 - "Websense... has discovered that search engine results for information on how to download Microsoft's recently released Security Essentials tool are returning links to Web sites that serve rogue AV. Malware authors have used Search Engine Optimization (SEO) techniques to mix rogue search results in with legitimate results. For example, one of the rogue links is directly under a MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on compromised Web sites, including a Canadian publisher's Web site and the British Travel Health Association. When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31. An example of one of the payload files shows that AV detection is low. One such file is named Soft_71.exe (SHA1: 4e58a12a9f722be0712517a0475fda60a8e94fdc). If the user downloads the application, a file with extension .tif is downloaded in the "program files\TS" directory as TSC.exe and system.dat (the .tif file is decrypted/decompressed and split). The payload then executes "tsc.exe -dltest", which apparently connects to a NASA Web site to check internet connectivity. Finally, "tsc.exe" is executed with no parameters, and the rogue AV starts. (In the background the original file is deleted). Since yesterday the Websense ThreatSeeker Network has been monitoring SEO poisoning of search terms related to Microsoft Security Essentials. It appears that the malware authors set up a trial run of SEO poisoning techniques, before converting the redirects to deliver rogue applications today..."

(Screenshots available at the Websense URL above.)

:mad::spider::mad:

AplusWebMaster
2009-09-30, 23:05
FYI...

SEO Poisoning - Google Wave
- http://securitylabs.websense.com/content/Alerts/3486.aspx
09.30.2009 - "Websense... has detected that Google searches on terms related to Google Wave return results that lead to a rogue antivirus. Google Wave is the much talked-about, latest API hitting the collaboration scene today. There's a lot of hype about the launch of Google Wave, not only because of the 'new' things it offers but also because Google invited only 100,000 lucky users to test the service. With that said, it's no surprise that users are enticed to this new application. Unfortunately, it's also no surprise that the bad guys are using this hype to manipulate search results...
Malware sample 1:
http://www.virustotal.com/analisis/4cd2e550f3aa26fc96d9fb4b5183f3665fccc3d97b6111a31de2ffb41e4eb5fe-1254334125
File Soft_88s2.exe received on 2009.09.30 18:08:45 (UTC)
Result: 6/41 (14.63%)
Malware sample 2:
http://www.virustotal.com/analisis/4cd2e550f3aa26fc96d9fb4b5183f3665fccc3d97b6111a31de2ffb41e4eb5fe-1254330166
File Soft_207.exe received on 2009.09.30 17:02:46 (UTC)
Result: 7/41 (17.07%)
Malware sample 3:
http://www.virustotal.com/analisis/a626299cc285d3c9e5c3226d71bf3f09a0069aca3fa3680a06aed5ae14efa76d-1254330677
File setup_build7_201.exe received on 2009.09.30 17:11:17 (UTC)
Result: 4/41 (9.76%)
Malware sample 4:
http://www.virustotal.com/analisis/88cbe1cfab119112ef26864a7ac11dcd39fc2d7265ac30572b5c811c7527ab34-1254331243
File setup.exe received on 2009.09.30 17:20:43 (UTC)
Result: 9/41 (21.95%) ..."

(Screenshots showing Google Wave-related Google search results and Rogue AV at the Websense URL above.)

:fear::fear:

AplusWebMaster
2009-10-01, 14:48
FYI...

SEO poisoning - Samoa Earthquake News leads to Rogue AV
- http://www.f-secure.com/weblog/archives/00001779.html
September 30, 2009 - "It seems SEO poisoning is the current "trend" for directing users to rogue antivirus software. These SEO poisoning attacks usually exploit major news topics, the latest of which is the September 29th earthquake off Samoa, which triggered a tsunami warning for numerous South Pacific islands, as well as Hawaii. Readers looking for news articles on the earthquake may come across this page in the Google search results... On clicking the link, the user is redirected to a series of sites via 302 redirects... The final landing page warns the user that their "system is infected"... The Windows Security Center warning looks authentic enough, but it is fake. Users are prompted to download rogue antivirus software. As usual, be careful when browsing..."

(Screenshots available at the URL above.)

:fear::fear:

AplusWebMaster
2009-10-29, 21:58
FYI...

Halloween rogue AV
- http://www.eset.com/threat-center/blog/2009/10/29/halloween-theres-something-scary-in-your-search-engine
October 29, 2009 - "... the fake/rogue AV gang have started on their Halloween special, and this time... it's the same old SEO (Search Engine Optimization) poisoning ploy... I'm looking through a list of keywords currently being used by a particularly prolific Black Hat SEO campaign which has been updated to reflect the sort of stuff that people – and certainly American people - are likely to be searching for at this time of year. I'm looking through a list of thousands of words and phrases, so I'm not going to list them all here... However, if you use common search engines like Google to look for terms like those above and a great many others, you're likely to find a lot of links at the top of the results lists that lead you to fake security software. This claims to find imaginary malware on your system, with the ultimate intention of defrauding you of money and possibly of harvesting your credit card details, for example..."

- http://blog.trendmicro.com/this-halloween-enjoy-the-treats-but-be-wary-of-online-tricks/
Oct. 30, 2009

:fear::mad:

AplusWebMaster
2009-11-18, 15:08
FYI...

More FAKE AV - SEO poisoning
- http://blog.trendmicro.com/meteor-shower-and-new-moon-lead-to-fakeav/
Nov. 18, 2009 - "TrendLabs threat analysts found another FAKEAV campaign piggybacking on the Leonid meteor shower and the much-anticipated sequel to the Twilight saga, New Moon. Users searching for news and updates using the keywords “meteor shower tonight november 16 time” and “New Moon premiere live stream” end up with poisoned search results. These results redirect users to fake online scanners, which ultimately lead to the download of a FAKEAV variant detected by Trend Micro as TROJ_FAKEAV.MET... FAKEAV is notorious for capitalizing on hot news and popular searches via SEO poisoning. Hence, users are advised to be wary of suspicious-looking URLs when conducting online searches..."

(Screenshots available at the URL above.)

:mad:

AplusWebMaster
2009-11-19, 14:27
FYI...

Redirects to scareware - Thousands of web sites compromised
- http://blogs.zdnet.com/security/?p=4947
November 17, 2009 - "Security researchers have detected a massive blackhat SEO (search engine optimization) campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software (Inst_58s6.exe)*, commonly referred to as scareware. More details on the campaign: The compromised sites are using legitimate-looking templates with automatically generated bogus content, with a tiny css.js** (Trojan-Downloader.JS.FraudLoad) uploaded on each of them which triggers the scareware campaign only if the visitor is coming from a search engine listed as a known http referrer by the gang - in this case Google, Yahoo, Live, Altavista, and Baidu... the massive blackhat SEO campaign has been launched by the same people who operate/or manage the campaigns for the Koobface botnet..."
* http://www.virustotal.com/analisis/86c36d1105b1cdce5ea05f46a884b7d1ea14e563bb12970c9540bc0af808687e-1258481993
File nnovv_Inst_312s2.exe received on 2009.11.17 18:19:53 (UTC)
Result: 1/41 (2.44%)
** http://www.virustotal.com/analisis/7892e2b09d887a66a4d70e49a08feef36f4dbda6cc605d2e1191613b87a863be-1258479383
File css.js received on 2009.11.17 17:36:23 (UTC)
Result: 7/41 (17.07%)

- http://blog.trendmicro.com/fake-blogs-lead-to-fakeav/
Nov. 19, 2009

- http://blogs.zdnet.com/security/?p=4297&page=2
"... the claims that “You’re Infected!; Windows has been infected; Warning: Malware Infections founds; Malware threat detected” should be considered as a fear mongering tactic..."

:fear::mad::fear:

AplusWebMaster
2009-12-21, 13:28
FYI...

Brittany Murphy's death - SEO Poisoning
- http://securitylabs.websense.com/content/Alerts/3514.aspx
12.21.2009 - "Websense... has discovered that Google top searches on "Brittany Murphy death" will return rogue AV Web sites. The Hollywood actress died suddenly during the weekend. Users will be redirected to malicious domains if they click the matches with a referrer from search engines like Google. The malicious domains try everything to convince people that they are real AV software Web sites, so that users download and execute the fake software offered. There are now a lot of variants available, typically named install.exe*, and at the moment it seems they haven't attracted much attention from AV companies..."
* http://www.virustotal.com/analisis/3ba13e14e32494a75d79f8c76ec76b185c854d4143b4acd4286444a320f15aee-1261366024
File install.exe received on 2009.12.21 03:27:04 (UTC)
Result: 10/41 (24.39%)

(Screenshots available at the Websense URL above.)

- http://www.f-secure.com/weblog/archives/00001842.html
December 21, 2009

:fear::mad:

AplusWebMaster
2010-01-08, 15:20
FYI...

Office.Microsoft.Com search results can lead to Rogue AV
- http://securitylabs.websense.com/content/Alerts/3519.aspx?
01.08.2010 - "Websense... has detected that search results on office.microsoft.com can lead users to a Rogue AV page. Users looking for information related to help with Office products on Microsoft’s own site are being targeted. Users may be unaware that, when they type in search queries on the site, Microsoft scours its own Web site for results, but also pulls in results from the broader Web. As the URL for the search results begins with http ://office.microsoft .com, this is particularly troubling for users who trust sites simply because of their reputation. The malicious URL is a redirect to a very real-looking virus scan and warning page presented by a Rogue AV program (SHA1: 6489c54e30af18801a9e83a5855fa639f3bae0b8). The executable used in the exploit is currently recognized by 1 of the 41 AV engines on Virus Total*...."
* http://www.virustotal.com/analisis/3322d75a2efbc649c726c7258e9ade91dc13f2d35cc1360ac4248e3c62a1ad3d-1262943359
File Setup55530_2045-10.exe received on 2010.01.08 09:35:59 (UTC)
Result: 1/41 (2.44%)

(Screenshot/video available at the Websense URL above.)

:fear::mad:

AplusWebMaster
2010-01-12, 03:48
FYI...

Black Hat SEO Ice Skating Car Video
- http://securitylabs.websense.com/content/Alerts/3522.aspx?
01.11.2010 - "Websense... has discovered that a popular video called "Paignton Ice Skating for Cars" has been targeted by both SEO poisoning attacks as well as Web spam. As a wave of icy weather is currently hitting large parts of Europe, the video has proved to be very popular, with currently more than 850,000 hits on Yahoo Video. A different uploaded version on YouTube has had more than 1 million views so far. Criminals have used the video's popularity as an opportunity to spread rogue anti-virus programs by poisoning the search results of major search engines. When the term "ice skating car" is searched via Google, nearly half of the search results on the first page redirect the user to rogue anti-virus sites. Clicking any of those links takes the user to a Web site with the message: "Your PC is at risk of virus and malware attack." That's an old trick used to lure unsuspecting users to download a fake anti-virus installer... The black hat search results in Google -redirect- the user through several sites, most of which are hosted in Russia, before finally landing in the rogue anti-virus site. The criminals often change the second site in the redirection chain in order to make it harder to detect. The file has a relatively low AV detection rate*..."
(Screenshot available at the Websense URL above.)
* http://www.virustotal.com/analisis/22a57e63ba0fb00cde7aace01c581583dab6c20b48f241e9ff30d0fea541657b-1263209375
File packupdate_build6_294.exe received on 2010.01.11 11:29:35 (UTC)
Result: 10/41 (24.39%)

:fear::mad:

AplusWebMaster
2010-01-14, 01:41
FYI...

Black Hat SEO - Haiti Earthquake
- http://securitylabs.websense.com/content/Alerts/3524.aspx
01.13.2010 - "Websense... has discovered that searches on terms related to the recent earthquake in Haiti return results leading to a rogue antivirus program. The earthquake, which happened on Tuesday near Port-au-Prince, had a magnitude of 7.0 and is said to be the most powerful earthquake to hit Haiti... People around the world are searching the Internet to find the latest updates on this issue, wanting to know how to make charitable donations, trying to discover the extent of the calamity through photos or videos, and looking to see what their favorite artists and musicians are saying about the disaster. Unfortunately, the bad guys use major crises and events like this to spread their malicious code*..."
* http://www.virustotal.com/analisis/a1c0b23dcfa9bc10f2cdb55c1358c5bd7c01c903a2aa9829f205b73137d30e89-1263413836
File Setup_88s1.exe received on 2010.01.13 20:17:16 (UTC)
Result: 4/41 (9.76%)
* http://www.virustotal.com/analisis/b291101a733cb656f39c3b85a887e2f5b9730a8564c09d3d80b49560c23f0458-1263404507
File packupdate_build9_290.exe received on 2010.01.13 17:41:47 (UTC)
Result: 8/41 (19.51%)

(Screenshots available at the Websense URL above.)

- http://www.m86security.com/labs/i/Possible-Earthquake-in-Haiti-Scams,trace.1217~.asp
January 13, 2010

:fear::mad::fear:

AplusWebMaster
2010-01-26, 19:17
FYI...

Searches for free printable items lead to mal-domains
- http://blog.trendmicro.com/searches-for-free-printable-items-lead-to-mal-domains/
Jan 26, 2010 - "... blackhat SEO attack that uses strings with the phrase “free printable” to hijack search traffic by directing it into a rogue search engine. Our researchers have found that search engine queries using the string “free printable” yield results that include compromised websites. The said compromised websites are rigged with malicious JavaScripts detected as JS_REDIRECT.SMF and JS_REDIRCT.MAC. JS_REDIRECT.SMF and JS_REDIRCT.MAC trigger a set of redirections whenever the compromised sites are visited. The redirections ultimately lead to a rogue search engine, which by default puts the originally used search string into its own search text box. As of now, the cybercriminals’ goal in all this seems to be hijacking search traffic from search engines, and -redirect- it into their own search engine to earn them money. Whether it stays that way is not yet known, but users need to be wary, since it would be very easy for cybercriminals to change the final landing site of the redirections to a malware-hosting site... It is very possible that this blackhat search engine optimization (SEO) attack takes advantage of the fact that the interest for free printable items is relatively high, especially in South Africa and the United States. We are strongly advising users -not- to use search strings that include the word “free printable,” as the results may lead to malicious websites. We are currently monitoring this attack and will update this entry for developments..."

(Screenshots available at the URL above.)

:fear::mad:

AplusWebMaster
2010-01-28, 16:20
FYI...

More SEO poisoning attacks...
- http://isc.sans.org/diary.html?storyid=8098
Last Updated: 2010-01-27 23:24:06 UTC - "... Recently we got details about two active SEO poisoning attacks for two specific hot topics:
* A new Facebook unnamed app. Sample search term: "facebook unnamed app".
- http://countermeasures.trendmicro.eu/facebook-un-named-app-scare-leads-to-malware/
* Today's Apple tablet announcement, called iPad. Sample search term: "apple tablet announcement".
- http://securitylabs.websense.com/content/Alerts/3538.aspx?cmpid=slalert
The related search terms for these two hot topics in Google are returning top results pointing to sites that distribute malware. Apart from the common defense-in-depth practices regarding client and end point protection, one of the best recommendations is to demonstrate this type of attack on your security awareness programs, so that users do not blindly trust any output they get from search engines."

:mad::mad:

AplusWebMaster
2010-02-15, 23:04
FYI...

Various Olympics Related Dangerous Google Searches
- http://isc.sans.org/diary.html?storyid=8239
Last Updated: 2010-02-15 20:26:18 UTC - "We have received reports about the (sadly expected by now) search engine poisoning for various Olympics related terms. For example the name of the killed Georgian luge athlete is used to redirect unsuspecting users to fake anti-virus and other malicious content. The redirect is browser dependent. Firefox is usually redirected to "qooglesearch .com" (note the 'q' as first letter instead of a 'g'). It is probably advisable to watch out for DNS requests for this domain to spot possible infections. Internet Explorer is redirected to a wide range of different domains which apparently are picked at random..."

(Video at the URL above: 2:44)

:fear::mad:
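Several of the write-ups quoted in this thread describe the same mechanics: the redirector on the compromised site only fires when the visitor arrives from a search engine (Websense on Security Essentials, Sept 30; ZDNet's css.js note, Nov 17), the victim is bounced through a chain of 302 redirects (Websense on the iPhone campaign, F-Secure on Samoa), and the lure or payload is chosen by browser or platform (Symantec's "Obsessed" post, the ISC Olympics diary above). The script below is an added example, not code from any of those posts or vendors: it stands up a constructed loopback server that mimics that cloaking behaviour, then probes it the way an analyst would probe a suspect URL, fetching the same path under several Referer / User-Agent profiles, walking each 302 hop by hand, and flagging the page as cloaked when a search-engine visitor ends up somewhere a direct visitor does not. The referrer list, the profile headers and the decoy content are assumptions for the demo.

```python
"""Added example: probing a page for search-referrer / user-agent cloaking.

The server half is a constructed stand-in for a compromised site (it is not
the real css.js or any vendor code).  The client half is the reusable part:
point probe() at a real host/port and it records what each visitor profile
is shown.
"""
import http.client
import http.server
import threading
from urllib.parse import urlparse

# Referrer hosts the redirector treats as "came from a search engine"
# (the set named in the ZDNet write-up; Bing added as an assumption).
SEARCH_ENGINE_HOSTS = ("google.", "yahoo.", "live.", "altavista.", "baidu.", "bing.")

# Visitor profiles an analyst would try.  UA strings are constructed samples.
PROFILES = {
    "direct": {},
    "google-win": {"Referer": "http://www.google.com/search?q=security+essentials+download",
                   "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"},
    "google-mac": {"Referer": "http://www.google.com/search?q=security+essentials+download",
                   "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:1.9.2)"},
    "blog-referrer": {"Referer": "http://example.net/some-blog-post"},
}


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed decoy: redirects only search-engine visitors, picks lure by platform."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body=b"", location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        referrer_host = urlparse(self.headers.get("Referer", "")).netloc.lower()
        user_agent = self.headers.get("User-Agent", "")
        if self.path == "/hop":
            # Second hop: choose the lure by platform, as in the "Obsessed" post.
            target = "/landing-mac" if "Macintosh" in user_agent else "/landing-win"
            self._reply(302, location=target)
        elif self.path.startswith("/landing-"):
            self._reply(200, b"<h1>Your PC is at risk of virus and malware attack!</h1>")
        elif any(tag in referrer_host for tag in SEARCH_ENGINE_HOSTS):
            # Search-engine visitor: first hop of the redirect chain.
            self._reply(302, location="/hop")
        else:
            # Everyone else (site owner, scanners, direct visitors) sees the decoy page.
            self._reply(200, b"<h1>British castles of the 12th century</h1>")


def start_server():
    """Bind the decoy server to an ephemeral loopback port; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def follow_chain(port, path, headers, max_hops=10):
    """Follow 3xx hops by hand so every Location is recorded.  Returns (chain, body)."""
    chain = [path]
    for _ in range(max_hops):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308):
            return chain, body
        path = resp.getheader("Location")
        chain.append(path)
    raise RuntimeError("redirect chain longer than %d hops" % max_hops)


def probe(port, path="/index.php"):
    """Fetch `path` under every profile; cloaked if any profile lands somewhere the direct visitor does not."""
    results = {name: follow_chain(port, path, hdrs) for name, hdrs in PROFILES.items()}
    baseline_chain, baseline_body = results["direct"]
    cloaked = any(chain != baseline_chain or body != baseline_body
                  for name, (chain, body) in results.items() if name != "direct")
    return cloaked, results


if __name__ == "__main__":
    srv, port = start_server()
    is_cloaked, report = probe(port)
    for name, (chain, body) in report.items():
        print("%-14s %-38s %s" % (name, " -> ".join(chain), body[:48]))
    print("cloaking detected:", is_cloaked)
    srv.shutdown()
```

The point of walking the chain manually instead of letting the HTTP library follow redirects is that the intermediate hop is the part the criminals rotate most often (the Websense ice-skating post above notes they "often change the second site in the redirection chain"), so each Location is worth logging as an indicator in its own right. Against a real site, run the direct profile first: if it is already hostile you are not looking at cloaking, and if it is clean but a search-referrer profile is not, the site is compromised even though its owner will see nothing wrong.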

AplusWebMaster
2010-02-19, 22:01
FYI...

Kneber = Zeus...
- http://www.symantec.com/connect/blogs/kneber-zeus
February 18th, 2010 - "... Symantec has also observed cybercriminals seeking to exploit computer users’ fears—spurred by all of the coverage that this threat is receiving* — by poisoning search engine results for keywords such as “Kneber Botnet Removal.” In fact, when analyzed by Symantec, the highest ranked result on Google using these search terms led to a site hosting rogue antivirus software..."
* http://forums.spybot.info/showpost.php?p=360384&postcount=209

:mad::mad:

AplusWebMaster
2010-02-22, 20:53
FYI...

Bloombox - Blackhat SEO poisoning
- http://securitylabs.websense.com/content/Alerts/3554.aspx?
02.22.2010 - "Websense... has detected that search terms related to the Bloom Energy and its Bloombox Fuel Cell have become the latest target for Blackhat SEO poisoning attacks. Bloom Box is a breakthrough technology in the energy sector that could revolutionize the way electricity is generated today. As people become interested in finding more information on this technology, related search terms are currently gaining momentum, and as they do so Blackhat SEO attacks are starting to climb up the search result listings. At the moment, according to the VirusTotal report only 10% of antivirus products are detecting the threat*..."
* http://www.virustotal.com/analisis/d49fa46aee47bd5b69e9f0d716e1fa662eff7090a22e8fc0db03d5c12b859f9c-1266851237
File mes_fs9.exe received on 2010.02.22 15:07:17 (UTC)
Result: 4/41 (9.76%)

(Video at the Websense URL above.)

:fear::mad:

AplusWebMaster
2010-02-27, 02:27
FYI...

SEO poisoning galore - leads to rogue AV...
- http://sunbeltblog.blogspot.com/2010/02/seo-poisoning-not-in-well-but-its.html
February 26, 2010 - "... a “green” hot water heater that might be a good addition to his Earth-friendly home... did a Web search for “GE geo spring water heater.” What he found wasn’t Earth or anything else-friendly! SEO poisoning galore... It’s the SecurityTool rogue* that has been making the rounds since October..."
* http://rogueantispyware.blogspot.com/2009/10/securitytool.html

(Screenshots available at the Sunbeltblog URL above.)

:fear::mad:

AplusWebMaster
2010-02-27, 17:08
FYI...

Search Engine Poisoning: Chile Earthquake
- http://isc.sans.org/diary.html?storyid=8317
Last Updated: 2010-02-27 14:23:30 UTC - "You probably heard about the major earthquake in Chile happening last night. So have the malware writers engaged in search engine poisoning. Search Google for "Chile Earthquake" and you will find a number of malware sites like "Qooglesearch .com" on the first page. As regular charities start to use these keywords, the poisoned results may be pushed back a bit and show up under other related keywords. As usual, let us know if you find any odd sites related to this. So far the only thing I am seeing is the fake AV / malware push via search engine poisoning."

- http://www.symantec.com/connect/blogs/massive-earthquake-chile-leads-surge-rogue-antivirus
February 27, 2010 17:31

:fear::mad:
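The ISC diaries for the Olympics and the Chile earthquake both point at the same lookalike domain ("qooglesearch .com", a 'q' for a 'g') and suggest watching DNS requests for it. The script below is an added example, not from ISC or any vendor, that generalises that advice into a hunt over DNS query logs: it pulls the queried name out of each line, and flags any label that sits one edit away from a well-known search-engine brand without actually containing it. The log lines are constructed in BIND query-log style, the brand list and the TLD stripping are assumptions, and the edit-distance threshold of one is a tuning choice.

```python
"""Added example: hunting DNS query logs for search-engine lookalike domains.

Not code from any of the posts above.  Log lines are constructed samples in
BIND-style query-log format; the brand list is an assumption.
"""
import re

# Brands worth imitating.  Keep these five letters or longer: short names
# ("bing", "live") sit within one edit of too many ordinary words.
BRANDS = ("google", "yahoo", "altavista", "baidu")

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

# Constructed sample log (assumption: BIND "querylog" format).
SAMPLE_LOG = """\
27-Feb-2010 14:05:01.123 client 10.1.2.3#53421: query: www.google.com IN A + (10.0.0.2)
27-Feb-2010 14:05:03.456 client 10.1.2.3#53422: query: qooglesearch.com IN A + (10.0.0.2)
27-Feb-2010 14:05:04.001 client 10.1.2.5#40112: query: mail.yahoo.com IN A + (10.0.0.2)
27-Feb-2010 14:05:09.777 client 10.1.2.7#40113: query: yaho0.com IN A + (10.0.0.2)
27-Feb-2010 14:05:10.002 client 10.1.2.7#40114: query: update.microsoft.com IN A + (10.0.0.2)
27-Feb-2010 14:05:12.340 client 10.1.2.9#40115: query: computer-scanner21.com IN A + (10.0.0.2)
"""


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(label):
    """Return the brand a DNS label imitates, or None.

    A label that contains the brand verbatim (google.com, googlesearch) is not
    a typo and is ignored; a label with a window one edit away from the brand
    (qoogle, yaho0, oogle) is flagged.
    """
    for brand in BRANDS:
        if brand in label:
            continue
        n = len(brand)
        for width in (n - 1, n, n + 1):           # deletions, substitutions, insertions
            for start in range(max(1, len(label) - width + 1)):
                piece = label[start:start + width]
                if piece and levenshtein(piece, brand) == 1:
                    return brand
    return None


def hunt(log_text):
    """Scan query-log lines; return [{'client', 'qname', 'brand'}] for lookalike lookups."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        labels = qname.split(".")[:-1]   # drop the TLD (naive; a public-suffix list is better)
        for label in labels:
            brand = lookalike_of(label)
            if brand:
                hits.append({"client": m.group("client"), "qname": qname, "brand": brand})
                break
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("%(client)s looked up %(qname)s (imitates %(brand)s)" % hit)
```

Two limits worth knowing before pointing this at a real resolver log. The threshold of one edit means "g00gle" (two substitutions) is missed; raising it to two catches that but drags in many legitimate names, so pair a looser threshold with an allow-list of the brands' real domains. And the check is deliberately blind to the other pattern in this thread, generic scanner names like computer-scanner21, which need a different rule (newly registered domains, or keyword lists) rather than edit distance.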

AplusWebMaster
2010-03-04, 18:19
FYI...

SEO Poisoning sites use Flash for redirection
- http://www.f-secure.com/weblog/archives/00001899.html
March 4, 2010 - "... another SEO poisoning stint... Since a lot of websites use SWF, most users have already installed Flash support in their browsers, thereby also enabling support for the malware behavior... It seems that the bad guys want the malicious URLs to be hidden inside the SWF..."
(Screenshots available at the URL above.)

- http://techblog.avira.com/2010/03/04/fileurl-extension-statistics-for-malware-urls-in-february-2010/en/
March 4, 2010

:fear::mad:

AplusWebMaster
2010-03-08, 14:22
FYI...

SEO poisoning on TV show
- http://isc.sans.org/diary.html?storyid=8383
Last Updated: 2010-03-08 17:08:18 UTC ...(Version: 2) - "... new SEO (Search Engine Optimization) poisoning attack doing the rounds in the last 6-8 hours. We have talked about this kind of attack in the past*, although they were mainly focused on other hot technological topics, major tragedies, or events. This time, the topic to get on top of the search engines result page is a TV reality show. Specifically, there is a TV show premiere in the US tonight called "Billy the Exterminator"... The affected sites are using a drive by attack, providing victims a fake AV warning message that drives them to download a piece of malware..."
* http://isc.sans.org/diary.html?storyid=8098

Hackers exploit Oscars to spread scareware attack
- http://www.sophos.com/blogs/gc/g/2010/03/08/hackers-exploit-oscar
March 8, 2010 - "... By using SEO (search engine optimisation) techniques, hackers have created webpages that are stuffed with content which appears to be related to the 2010 Oscars, but are really designed to infect your computer..."

:fear::mad:

AplusWebMaster
2010-03-22, 20:32
FYI...

Icelandic Volcano Erupts, Fake Antivirus Spews Forth
- http://www.symantec.com/connect/blogs/icelandic-volcano-erupts-fake-antivirus-spews-forth
March 22, 2010 - "Yesterday there was a volcanic eruption in Iceland, near the Eyjafjallajoekull glacier, that has led the Icelandic authorities to declare a state of emergency in southern Iceland. People living nearby have been evacuated in case of glacial melt water flooding and the airspace near the now active volcano is effectively closed off. As you have probably already guessed, any event which commands a high level of public interest will be pounced on quickly by the makers of fake antivirus software in order to make a quick buck. This incident is no exception. Web searches for subjects relating to this eruption, such as "Iceland Volcanic Eruption" or "Iceland Volcano", will return results that may include dozens of hacked Web sites. It is not that difficult to spot the hacked sites with the fake antivirus redirection in the search results... A reasonable rule of thumb... look for domain names that suggest content unrelated to the news being searched for. For example, if you find a Web site whose domain name suggests it is about a painter or British castles, yet it appears in the search results for a story about the volcanic eruption, it is likely that the link is bogus and should be avoided... On the subject of hacked Web sites, it appears that the crew behind this campaign has a back catalogue of hacked sites they can call up and use at very short notice. On looking closer at the hacked sites, you will find that it looks like each of them has had a few hundred randomly named PHP pages added to them. Each of these pages redirects to a single server that is changed periodically... The sites have a series of fake scan pages, which it can display at random. The fake scan pages are designed to look like application windows in various versions of Microsoft Windows and include Windows XP and Windows Vista..."

(Screenshots available at the URL above.)

:fear::mad: