Search Engine Poisoning - archive

AplusWebMaster

New member
Advisor Team
FYI...

- http://www.websense.com/securitylabs/blog/blog.php?BlogID=116
Mar 26 2007 ~ "Search Engine Poisoning is a topic that we have have researched at some length. We discussed the topic briefly in an October blog post: Search Engine Typosquatting*. Our previous research focused on malicious URLs in search engine results from misspelled search terms; it was far less common to discover malicious content for legitimate search terms. In early March, a report from Sunbelt** demonstrated Microsoft Windows Live Search™ Italy returning exploit sites for extremely common search terms. Doing some additional research of our own, we performed searches for the names of financial companies, well-known banks, and lenders. The results were alarming. Many of the URLs in the search results linked to malicious sites capable of silently compromising the visitor..."

(More detail and screenshots at the URL above.)


* http://www.websense.com/securitylabs/blog/blog.php?BlogID=88

** http://sunbeltblog.blogspot.com/2007/03/malware-authors-take-over-live-searches.html

:fear:
 
McAfee report - State of Search Engine Safety

FYI...

- http://www.siteadvisor.com/studies/search_safety_may2007
June 4, 2007 ~ "...Key Findings
* Overall, 4.0% of search results link to risky Web sites, which marks an improvement from 5.0% in May 2006. Dangerous sites are found in search results of all 5 of the top US search engines (representing 93% of all search engine use).
* The improvement in search engine safety is primarily due to safer sponsored results. The percentage of risky sites dropped from 8.5% in May 2006 to 6.9% in May 2007. However, sponsored results still contain 2.4 times as many risky sites as organic results.
* AOL returns the safest results: 2.9 % of results rated red1 or yellow2 by McAfee SiteAdvisor. At 5.4%, Yahoo! returns the most results rated red or yellow.
* Google, AOL, and Ask have become safer since May 2006, with Ask exhibiting the greatest improvement. The safety of search results on Yahoo! and MSN has declined..."

(Graphics available at the URL above.)


.
 
Google search malware attack in progress

FYI...

- http://preview.tinyurl.com/2db83x
November 27, 2007 (Computerworld) - "A large-scale, coordinated campaign to steer users toward malware-spewing Web sites from Google search results is under way, security researchers said today. Users searching Google with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware. "This is huge," said Alex Eckelberry, Sunbelt Software's CEO. "So far we've found 27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages." Those pages have had their Google ranking boosted by crooked tactics that include "comment spam" and "blog spam," where bots inundate the comment areas of sites with links or mass large numbers of them as bogus blog posts. Attackers may be using bots to plug links into any Web form that requests a URL, added Sunbelt malware researcher Adam Thomas. There's no evidence that the criminals bought Google search keywords, however, nor that they've compromised legitimate sites. Instead, they've gamed Google's ranking system and registered their own sites... One site that Thomas encountered tried to install more than 25 separate pieces of malware, including numerous Trojan horses, a spam bot, a full-blown rootkit, and a pair of password stealers. All the malicious code pitched at users is well-known to security vendors, and can only exploit PCs that aren't up-to-date on their patches... Sunbelt's company blog sports screen shots* of several Google search results lists, with malware-infecting sites identified, as well as images of the bogus codec installation dialogs and the code of one of the malicious IFRAMEs."
* http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html
----------------------

Update:
- http://preview.tinyurl.com/2db83x
"...Users searching Google, Yahoo, Microsoft Live Search and other engines with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware..."

:fear::fear:
 
Last edited:
SEO poisoning targeted at Google

FYI...

SEO poisoning targeted at Google
- http://sunbeltblog.blogspot.com/2007/11/more-on-massive-seo-poisoning-it-was.html
November 28, 2007 - "As a follow-up to our recent posts*, here’s some additional information. First, we can ring the all-clear bell. Google took action on these domains and you won’t find them anymore in Google (see Java script at URL above)... So. if you use search terms like “inurl” and “site”, you won’t see these malware pages in your results. Clever, since that’s one way for malware researchers to find stuff... And, it only cares if you’re coming from Google..."
* http://sunbeltblog.blogspot.com/2007/11/malware-redirects-aftermath_27.html

> http://isc.sans.org/diary.html?storyid=3700
Last Updated: 2007-11-28 21:07:34 UTC ...(Version: 3) - "UPDATE: Google for one has cleaned up their database. They are currently no longer returning these .cn pages for the queries affected."

:devil:
 
FYI...

More Google poisoning on the way?
- http://sunbeltblog.blogspot.com/2007/11/heads-up-more-google-poisoning-on-way.html
November 29, 2007 - "Google has removed the sites responsible for the recent massive Google poisoning* attack. However, we’re seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here... Large amount of fresh .cn domains, with numbered html pages. However, there are apparently two different groups at work here. One we’ll call Type 1 -- which appears to be the same group involved in the prior poisoning. And the other, we'll call Type 2 (sorry, not very original, but we’re working fast here)... Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change..."

* http://sunbeltblog.blogspot.com/2007/11/more-on-massive-seo-poisoning-it-was.html

:sad:
 
FYI...

- http://preview.tinyurl.com/3cgt5k
November 30, 2007 (Computerworld) - "Google is asking everyday Web surfers to help with its efforts to stamp out malicious Web sites. The company has created an online form designed to make it easy for people to report sites they suspect of hosting malicious code. It's the latest step by Google to expand its database of the bad Web sites it knows about, as those sites continue to proliferate. "Currently, we know of hundreds of thousands of Web sites that attempt to infect people's computers with malware. Unfortunately, we also know that there are more malware sites out there," Google's Ian Fette wrote in the company's security blog*..."
* http://googleonlinesecurity.blogspot.com/2007/11/help-us-fill-in-gaps.html

- http://msmvps.com/blogs/spywaresucks/archive/2007/11/30/1371503.aspx
November 30, 2007 - "...(Google) blog entry was published after Sunbelt reported the massive seeding of malicious web sites on Google (which were *not* flagged as dangerous), which was then cleaned up, and before it was reported that nonsense domains were reappearing in Google's search, albeit with (apparently) no malicious content (yet)... The innocent days of the Internet as a wonderous, safe place that all can visit, and learn, and teach and share and explore without fear is gone. The criminals have taken that dream away from us. That is the reality..."

:fear:
 
FYI...

Malware Exploiting Death of Zoey Zane
- http://sunbeltblog.blogspot.com/2007/12/malware-exploiting-death-of-zoey-zane.html
December 03, 2007- "From the sicko department . . . We have received multiple public reports of attackers using the recent murder of 18 year old college student Emily Sander (AKA "Zoey Zane" in the adult film industry world) as a lure to install malware.
From about.com:
'Dental records have confirmed that a body found near a Kansas highway is missing community college student and Internet porn star Emily Sander, authorities said. An autopsy has been completed, but the results have been sealed and are not available to the media . . . After Sander disappeared, it was discovered that the 18-year-old college student led a double life as "Zoey Zane," a character she played on Internet porn sites.'
Attackers have obtained very good search engine position when looking for information about “Zoey Zane”, and users may be lured into installing an “ActiveX upgrade” or “Flash Player” upgrade in order to view a video. In actuality, this “ActiveX video decoder” or “Flash Player Upgrade” is a Trojan that installs a Browser Helper Object (BHO) which produces fake pop-up messages and modifies search engine results in an attempt to install the Rogue Software IE Defender..."

(Screenshots available at the URL above.)

:fear:
 
FYI...

- http://www.reuters.com/article/technologyNews/idUSL191003420071219
Dec 19, 2007 - "Advertisements placed by Google in Web pages are being hijacked by so-called trojan software that replaces the intended text with ads from a different provider, Romanian antivirus company BitDefender says*. The trojan redirects queries meant to be sent to Google servers to a rogue server, which displays ads from a third party instead of ads from Google, BitDefender said in a statement... Google said on Wednesday: "We have cancelled customer accounts that display ads redirecting users to malicious sites or that advertise a product violating our software principles." "We actively work to detect and remove sites that serve malware in both our ad network and in our search results. We have manual and automated processes in place to detect and enforce these policies." The trojan, named after the mythic Trojan Horse because of its ability to enter computer systems undetected, attacks Google's AdSense service, which targets advertisements to match Web page content..."

* http://preview.tinyurl.com/2jp2k9
December 18, 2007 (Bitdefender) - "...The modified file contains a line redirecting the host "page2.googlesyndication.com" which should point to an IP of the form 6x.xxx.xxx.xxx to a different address, of the form 9x.xxx.xxx.xxx, so that the infected machines' browsers read ads from server at the replacement address rather than from Google..."
- http://www.bitdefender.com/VIRUS-1000239-en--Trojan.Qhost.WU.html

:fear:
 
Last edited:
FYI...

Fake codecs on Blogger
- http://sunbeltblog.blogspot.com/2007/12/fake-codecs-on-blogger.html
December 26, 2007 - "Fake codec trojans (so-called “required” components to watch a video, but in fact are malicious trojans) are a plague on the Internet. We’ve written about them extensively. Often, they are seen in porn sites. However, by doing a few simple searches today, we can see that they’re available to those simply doing American football pools, checking bank hours or searching for New Year’s eve clipart. All of these are taking advantage of the free Blogger service... these sites are pushing real trojans. Please don’t go there if unless you know what you’re doing... I wouldn't put this in the same league as the massive Google poisoning we saw last month. That was an epic attack, using exploits and all kinds of nasty tricks. However, this is something to be aware of, and hopefully the good folks at Google will take them down lickety-split..."

(Screenshots available at the URL above.)

:fear:
 
FYI...

Malicious Code: Attackers Exploiting News of Benazir Bhutto Assassination
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=834
December 27, 2007 - "Websense Security Labs has discovered malicious Web sites attempting to capitalize on the breaking news of the assassination of Benazir Bhutto. These sites attempt to infect users seeking more information about the event. This activity is similar to past news events, where attackers used malicious sites containing information about the event to infect visitors. In this case, the first infected site found by Websense Security Labs was the second result in a Google search using a generic and simple keyword. Therefore, the site likely to receive large amounts of traffic. Clicking on the link in the search results did not trigger a warning from Google that the site may be malicious..."

(Screenshot available at the URL above.)

- http://blog.trendmicro.com/bhutto-assassination-javascripted/
December 27, 2007 - "...one of the sites in question indeed has an embedded malicious JavaScript redirect..."

:fear:
 
FYI...

- http://blog.trendmicro.com/seo-manipulation-begins-for-super-bowl-malware-campaign/
January 24, 2008 - "Cyber criminals who took advantage of Hollywood actor Heath Ledger’s death* are at it again, this time attempting to lure unsuspecting Super Bowl fans. When users search for “Superbowl,” Google search results turn up the following (links to malware)... what’s interesting in this case is that the malicious URLs are once again found in the servers of the Czech hosting provider believed to be hacked. Our analysts have been in contact with CERT CZ and the Czech hosting provider but the malicious codes are still present as of this writing..."
* http://blog.trendmicro.com/compromised-sites-heath-it-up/

(Screenshots available at both URLs above.)

I.E: http://www.cnet.com/8301-13554_1-9856450-33.html?tag=head
"...A client of mine is often in the news, so I watch for articles using Google Alerts. Once a day, I'm sent an email listing the new web pages Google found that contain my client's name. After doing this for well over a year without incident, Google today included a malicious web page in the list of those referencing my client. The page tried to install malicious software on my computer..."

:fear:
 
Last edited:
FYI...

Search Engine Spam increasing
- http://www.messagelabs.com/intelligence.aspx
MessageLabs Intelligence (PDF report): January 2008 - "...much of this type of spam in recent weeks has also revealed a significant hike in the proportion of spam abusing search engine redirects. Typically Google and Yahoo search engines have been used in these spams. Search engine spam accounts for 17% of spam in January and has been in circulation for only a few weeks. Search engine spam is a technique that allows the spammer to include a link constructed from a search engine query in an email message. When followed, the link will resolve in the spammer’s forged web site. This means that the spammers can send messages without directly mentioning the spam website, which makes it difficult for traditional anti-spam products to detect the malicious link. While they may recognize known spam sites, they cannot reasonably block links to legitimate search engine sites. eBay recently instituted some changes to circumvent this type of attack method... the link in the email passes some special parameters to the Google search engine, using the inURL: keyword (which focuses the search only on the domain listed), and the BtnI= keyword (typically used by the “I’m feeling Lucky” button on Google)..."

:fear:
 
Google blog used to spread malware

FYI...

- http://www.networkworld.com/news/2008/013108-attacker-google-blog.html
01/31/08 - "A Google-hosted blog is running phony security content that's linked to malware, as well as using Google's automated notification service to try to entice subscribers to click on an infected link, says one security expert. To trick readers looking for information related to legitimate security products, the blog - which has been spotted working under the name "Brittany" - has copied content related to security vendors Symantec, Trend Micro and Aladdin Knowledge Systems, says Ofer Elzam, director of product management in Aladdin's eSafe division... Google states in its usage policy that "Google does not monitor the contents of Blogger.com and Blogspot.com, and takes no responsibility for such content. Instead, Google merely provides access to such content as a service to you"..."

:fear:
 
FYI...

All Your iFrame Are Point to Us (from the Google Anti-Malware Team)
- http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html
February 11, 2008 - "...In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing... Some malware distribution sites had as many as 21,000 regular web sites pointing to them. We also found that the majority of malware was hosted on web servers located in China. Interestingly, Chinese malware distribution sites are mostly pointed to by Chinese web servers. We hope that an analysis such as this will help us to better understand the malware problem in the future and allow us to protect users all over the Internet from malicious web sites as best as we can. One thing is clear - we have a lot of work ahead of us."

:fear:
 
FYI...

- http://www.symantec.com/avcenter/threatcon/learnabout.html
"On March 4, 2008 reports of an IFRAME attack coming from ZDNet Asia began to surface. Attackers appear to have abused the ZDNet search engine's cache by exploiting a script injection issue which is then being cached in Google. Clicking the affected link in Google will cause the browser to be redirected to a malicious site which attempts to install a rogue ActiveX control. On March 6, 2008 the research that discovered the initial attack published an update stating that a number of CNET sites including TV.com, News.com and MySimon.com are also affected by a similar issue.
More CNET Sites Under IFRAME Attack - http://ddanchev.blogspot.com/2008_03_01_archive.html
Fraudsters piggyback on search engines - http://www.securityfocus.com/brief/695 "

:fear::fear:
 
Google Ads abused to serve Spam and Malware

FYI...

Google Ads abused to serve Spam and Malware
- http://preview.tinyurl.com/2opnkh
March 17, 2008 (McAfee Avert Labs) - "Early this year we observed spammers using Google page ads in HTML-formatted emails to redirect users who click the spammed URL to the spammers’ sites... At first we thought Google page ads were being used to conceal the actual URL and subvert traditional anti-spam detection techniques. However, it seems one can change the linked URL to point to any site of your choice–as no validation appears to be done on Google’s end. One can even point the Google page ad to executable files (malware authors have started doing this), and the link will redirect and download the malware just fine. It’s kind of ironic given than Google is very strict about the kind of file attachments one can upload/download via their Gmail service... Google must be aware of this redirect abuse, and it’s hard to understand why they don’t prevent these -redirects- working for known bad file types or for spam and malware sites."

:fear:
 
Massive IFRAME SEO Poisoning Attack Continuing...

Massive IFRAME SEO Poisoning Attack Continuing...

- http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html
March 28, 2008 - "Last week's massive IFRAME injection attack is slowly turning into a what looks like a large scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site's web application security practices - or the lack of. What has changed since the last time? The number and importance of the sites has increased, Google is to what looks like filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves... The main IPs within the IFRAMES acting as redirection points to the newly introduced rogue software and malware, remain the same, and are still active. The very latest high profile sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants: USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu... For the time being, Google is actively filtering the results, in fact removing the cached pages on number of domains when I last checked, the practice makes it both difficult to assess how many and which sites are actually affected, and of course, undermining the SEO poisoning, as without it the input validation and injecting the IFRAMEs would have never been able to attract traffic at the first place. The attack is now continuing, starting two weeks ago, the main IPs behind the IFRAMES are still active, new pieces of malware and rogue software is introduced hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in a combination with IFRAME injections. Which site is next? Let's hope not yours..."

- http://www.securityfocus.com/blogs/708
2008-03-28 - "...Danchev... published a blog about another batch of servers getting injected with malicious code and we have confirmed the attack here at Symantec. If you're an IT administrator, you will want to temporarily add them to the list of IPs to filter (block):
* 72.232.39.252
* 195.225.178.21
* 89.149.243.201
* 89.149.220.85
In the past we've seen many low-profile sites being targeted with the IFRAME attack, but this time the list of hacked sites include many high-profile sites as well..."

(Please do NOT visit any of the IPs in the commentary - they are to be considered dangerous.)

:fear::mad::fear:
 
Last edited:
FYI...

- http://www.theregister.co.uk/2008/03/31/compromised_site_survey/
31 March 2008 - "...ScanSafe found the amount of time a website hosting malicious code remains live increased during the second half of 2007. Malware on infected sites remained live for an average of 29 days in 2H07, up 62 per cent from the first half of the year. Forms of malware undetected by scanner packages have an even a longer shelf life once they compromise a site, persisting an average of 61 days in the second half of 2007."

:fear:
 
FYI...

- http://www.vnunet.com/vnunet/news/2213090/search-engine-attack-lingers
31 Mar 2008 - "A malware attack targeting search engine results is continuing to haunt several high-profile sites. The attack uses the common cross-site scripting practice of embedding pages with small IFrame tags which redirect the user to a malicious page on a third-party site... The hackers have compromised search result pages, using search engine optimisation techniques to hijack search results and send users to sites which host malicious downloads. Among the sites said to be compromised are major news outlets ABC, USAToday and Forbes, and retailers Wal-Mart, Target and Sears... Administrators can protect against the attack by plugging the input validation vulnerabilities used to seed the malicious code within the pages..."

SANS NewsBites Vol. 10 Num. 26
- https://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=26#sID307
4/1/2008 - "...you can make the world a better place by blocking four IP addresses,:
* 72.232.39.252
* 195.225.178.21
* 89.149.243.201
* 89.149.220.85 ..."

(Once again, please do NOT visit those IPs, just BLOCK them.)

:fear::spider:
 
Last edited:
Back
Top