Search Engine Poisoning - archive

[AplusWebMaster]

FYI...

More Google searches resulting in rogue AV
- http://blog.trendmicro.com/more-goog...g-in-rogue-av/
Nov. 5, 2008 - "... 2 scenarios resulting (in) rogue AV downloads, also done through hijacking Google search results... In the first scenario, queries for the string refa+zeitaufnahmebogen [related to a German association for work design] on the German Google website (www .google.de) yield suspicious results... Using Wireshark, I’ve found that this was achieved through a redirection to yet another URL entirely... While the first scenario is more of a targeted attack, this next one proves to aim at a wider range of victims, and timely as well considering the US elections. Malicious results were also found generated from queries for the string absentee voting... And of course, this is another work of the FakeAV gang. Clicking the result triggers a series of redirections; however the payload, or the fake AV itself, is not there anymore. The downloaded file has the same name..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

- http://blog.trendmicro.com/bogus-hou...ead-to-adware/
Nov. 23, 2008 - "Given the popularity of Trend Micro’s free online scanner HouseCall, it shouldn’t be a surprise that hackers are now trying to exploit it for their benefit... found this unwelcome search result that comes up when a user searches for “free online virus scan by Trend Micro” in Google... Not surprisingly, the system scanning is completely fake. In actuality, the page linked to in the initial resulting Google search - along with other pages from the same domain - all point to a file detected by Trend Micro as ADW_FAKEAV. This is the software that tries to dupe victims into believing that their systems are infected with some sort of bogus malware and the prompts them to pay for a full license of a fake antivirus application in order to remove the fake threat. ADW_FAKEAV also connects to a remote website downloads another adware program detected as ADW_FAKEAV.O, so in this entire process, victims are exposed to more adware threats... This would not be the first time our products’ names were used in malicious operations..."

(Screenshot available at the URL above.)

[AplusWebMaster]

FYI...

Fake antivirus peddlers... using redirects
- http://preview.tinyurl.com/7khzp9
12/24/2008 (Networkworld.com) - "... Over the past four days the scammers have used so-called redirector links on Web sites belonging to magazines, universities and, most remarkably, the Microsoft.com and IRS.gov domains, said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham, who first reported the activity on his blog* Tuesday. Many Web sites use redirector links to take visitors away from the site, although the Web site operators try to stop them from being misused by scammers... If criminals can use a redirector on a major Web site like Microsoft.com or IRS.gov, however, they can make their malicious links pop up very high in Google search results... The FTC estimates that 1 million consumers were taken in by other fake antivirus products which go by names such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus... the scammers behind this latest operation may be connected to the earlier scams..."
* http://garwarner.blogspot.com/2008/1...fect-your.html
December 23, 2008 - "An unknown hacker has been on a Search Engine Optimization rampage to flood search engines with more than a million ways to infect yourself with his virus... You can review the coverage on "install.exe" on VirusTotal.com**... where only 5 of 37 antivirus products were able to identify the file as malware...
UPDATE!
Microsoft has closed the Open Redirector which was being abused... Clicking one of the Microsoft pages indicated in the Google search... will now take you to a safe page stating that the page was not found, and then forwarding you to a Microsoft search page. Thanks to Microsoft for such a quick response once the problem was pointed out to them."
** http://www.virustotal.com/analisis/5...1de81583e36fa0

[AplusWebMaster]

FYI...

- http://www.viruslist.com/en/weblog?weblogid=208187615
January 05, 2009 - "Drive-by downloads became increasingly common in 2008. With webmasters becoming more aware of security issues, the criminals out there are always looking for new techniques to ensure that their malware survives longer... The malware writers start by doing Google searches to identify popular websites. The most popular sites thrown up by each search are then ‘pen-tested’ for vulnerabilities. The most vulnerable websites are then compromised and in order to cover their tracks, malware writers aren’t adding code to these compromised pages in the form of new files or even obfuscated code. Instead, they’re simply modifying scripts that are already running on the compromised pages... it’s not just websites which have been optimized to achieve high search rankings that are being used; the criminals are also targeting some security sites... Compromising websites optimized for search engine success and infecting users through a series of malicious re-directs is bound to be a popular attack vector in 2009 and will undoubtedly cause webmasters new headaches. This case just goes to show that nothing on the Internet is as safe as it might seem. And it’s not just Google that’s affected – I tested this attack scenario using Yahoo! and MSN, and the results were the same..."

[AplusWebMaster]

FYI...

- http://sunbeltblog.blogspot.com/2009...shing-run.html
January 18, 2009 - "Google Adwords phishes have been quiet for a while, but now they’re back. Unlike most of the other Google Adwords runs, these are not using .cn TLDs, instead ones like Burkina Faso and EU (.be and .eu)... All fast flux... And all appear to have been registered with Tucows..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

- http://blog.trendmicro.com/google-vi...eing-poisoned/
Feb. 1, 2009 - "... new blackhat SEO poisoning makes clear that online search tools are quickly becoming favorite platforms for online criminals in their operations. Search traffic on Google Video were found to be polluted: instead of legitimate videos researchers found some 400,000 queries returning video results that have a single redirection point, and one that eventually leads to malware download and execution.
Trend Micro detects the malicious executable as WORM_AQPLAY.A. This worm - file name FlashPlayer.v3.181.exe and from that alone one can already guess the social engineering strategy - spreads via removable and network drives when autorun is enabled. It masquerades as an Adobe Flash installer, which users who visit certain spoofed versions of video streaming websites are prompted to download and install. What’s more interesting here is how users get to these spoofed websites in the first place. Researchers believe that the gang behind this threat is maintaining a notable number of domains for their malicious operations. These domains have keyword-riddled pages, so they appear on top of search results when users enter certain related strings. A user, thinking that top search results are reliable, is then unknowingly trapped into visiting a malicious website. This is typical of most SEO poisoning attacks, but it does not end there. This new threat also comes with a detection-evasion technique: only users who are redirected from Google Video are prompted to download FlashPlayer.v3.181.exe.
Blackhat SEO threats take advantage of the trust users put on online search tools. Through this method cybercriminals are able to manipulate results such that malicious websites appear first on search lists..."

[AplusWebMaster]

FYI...

Yahoo! sponsored search results lead to rogues
* http://preview.tinyurl.com/db25xj
03-10-2009 06:25PM - Symantec Security Response Blog - "Search engines are often used by attackers as platforms from which to deliver malicious code. A while ago it was reported that Google was serving up advertisements that led to misleading applications (also known as rogue antispyware products). This time, the malicious code authors are using “Yahoo! Sponsored Search” listings as a means to promote a misleading product called ”Antivirus & Security.” Antivirus-2009-new .com and Antivirus-pro-download .com are returned in Yahoo!... The sponsored search result leads to antivirus-2009-new .com and antivirus-pro-download .com, where users are asked to make a payment to buy a membership in order to obtain the product.
>>> Instead of using techniques like search engine optimization (SEO) poisoning to get the opt listing in the search engine results, attackers are using Yahoo’s advertising services to display their advertisement on all websites that display Yahoo’s sponsored search results...
Fortunately, these sponsored listings have since been cleaned up and all websites that display sponsored search results from Yahoo, and no longer appear to be displaying these misleading advertisements. However, links to this website in forum comments and other website pages still can be found. A Yahoo search returned around 9,000 results and a Google search returned around 5,000 results when searching for “antivirus-2009-new .com.” For “antivirus-pro-download .com,” Yahoo returned around 10,000 results and Google returned around 1,650 results..."

(Screenshots available at the Symantec URL* above.)

[AplusWebMaster]

FYI...

- http://securitylabs.websense.com/con...erts/3322.aspx
03.16.2009 - " Websense... has received reports that searching for March Madness-related terms in Google's search engine returns results that lead to rogue antivirus software. March Madness is the term given to an elimination tournament held each spring featuring college basketball teams in the United States.
With only a few days left before the tournament starts, if a user searches for popular March Madness-related terms in Google, malicious URLs as high as the -first- result are returned. Search terms that currently exist within the Top 10 of Google's Hot Trends (the most popular search results) return these malicious URLs. If a user clicks through these links (such as hxxp ://[removed].de/news/nit_bracket_2009 .html) they are redirected, via Javascript code, to a Web site advising the user that their machine is infected. The rogue AV Web site encourages the user to install a file called install.exe. The technique of search engine optimization (SEO) poisoning pushes the infected URLs to the top of the search results, to increase the likelihood of a user clicking through to the malicious link. Ask.com is also confirmed to be affected in this way. Other search engines may be affected in a similar manner..."

(Screenshots available at the Websense URL above.)

[AplusWebMaster]

FYI...

Twitter worm Google searches lead to malware
- http://www.f-secure.com/weblog/archives/00001657.html
April 14, 2009 - "No surprise at all that Google searches for information about the Twitter worm would lead to malware sites, it was really just a matter of time. Especially not after all the talk about it over the weekend and the guy behind it even confessing everything. Malicious search results about popular news is something we see very often unfortunately... So, unfortunately we're not surprised that this happened. As usual, get your news and information from sources you trust. Random Google searches can't be trusted.
Updated to add: Searching for "Mikeyy" also leads to malicious results."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

SEO campaign serving scareware
- http://ddanchev.blogspot.com/2009/04...n-serving.html
April 22, 2009 - "... yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software. Later on Google detected the campaign and removed all the blackhat SEO farms from its index, which during the time of assessment were close to a hundred domains with hundreds of subdomains, and thousands of pages within... It's worth pointing out that this very latest campaign is directly related to last's week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains, and serving the same malware. Who's behind these search engine poisoning attacks? A Ukranian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic... Once the user visits any of the domains within the portfolio, with a referrer check confirming he used a search engine to do so, two javascripts load, one dynamically redirecting to the portfolio of fake security software, and the other logging the visit using an Ukrainian web site counter service..."

(More detail available at the URL above.)