Search Engine Poisoning - archive

[AplusWebMaster]

FYI...

Swine Flu SEO...
- http://www.f-secure.com/weblog/archives/00001668.html
April 27, 2009 - "Swine Flu is in the news worldwide and search trends are spiking in North America... We're seeing lots of domains being registered. Here's a list of the ones registered over the weekend*... No malware sites - yet. But plenty of them are opportunistic... Click on the "Add to Cart" button at noswineflu .com and you'll be asked to buy a PDF file called "Swine Flu Survival Guide" for $19.95..."
* http://www.f-secure.com/weblog/archi...lu_domains.txt

[AplusWebMaster]

Warning: We strongly suggest that readers NOT visit websites on this list. They all have a history of covert hacks, redirecting the browser to drive-by-malware installations, and should be considered dangerous and capable of infecting and causing damage to your system with exploits, spyware, trojans, viruses, and the like.

Advisories provided by Google:

18dd.net- http://google.com/safebrowsing/diagn...site=18dd.net/
"... this site has hosted malicious software over the past 90 days. It infected 2928 domain(s)..."
3322.org- http://google.com/safebrowsing/diagn...site=3322.org/
"... Of the 1259 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 24233 scripting exploit(s), 2443 exploit(s), 1095 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 25 domain(s)..."
5252.ws- http://google.com/safebrowsing/diagnostic?site=5252.ws/
"...this site has hosted malicious software over the past 90 days. It infected 126 domain(s)..."
8800.org - http://google.com/safebrowsing/diagn...site=8800.org/
"... Of the 1631 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-02, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 296 exploit(s), 140 scripting exploit(s), 100 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 7 domain(s)..."
8866.org - http://google.com/safebrowsing/diagn...site=8866.org/
"...Of the 572 pages we tested on the site over the past 90 days, 97 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 2195 scripting exploit(s), 848 exploit(s), 845 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 28 domain(s)..."
ifastnet.com - http://google.com/safebrowsing/diagn...=ifastnet.com/
"... Of the 2956 pages we tested on the site over the past 90 days, 177 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 163 trojan(s), 108 scripting exploit(s), 15 adware(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 60 domain(s)..."
xprmn4u.info - http://google.com/safebrowsing/diagn...=xprmn4u.info/
"... Malicious software includes 144 scripting exploit(s), 65 trojan(s). This site was hosted on 1 network(s)..."
yl18.net - http://google.com/safebrowsing/diagn...site=yl18.net/
"... this site has hosted malicious software over the past 90 days. It infected 120 domain(s)..."

Note: This is NOT a complete list, but you should get the idea...

[AplusWebMaster]

FYI...

Swine Flu SEO spreads malware
- http://securitylabs.websense.com/con...erts/3393.aspx
05.08.2009 - "... most of the sites are used for advertisement or email/web spam to sell their products, but of course, the topic also offers plenty of opportunity for malware. We discovered that some Web sites are using the swine flu topic to spread malware. Interestingly, the sites we found are the type that only redirect users to a malicious Web site when they access the site through certain search engines. The targeted search engines are the most popular such as Google, Yahoo, and AOL. When a user searches using swine flu-related search terms, the malicious sites are returned as high as the fifth result on Google. The malicious Web site that is redirected is typical: it asks the user to install a missing codec to watch a video, and the download codec is a Trojan Downloader. Until now, these kinds of sites just used hot topics to attract users; we suspect that they will use more advanced SEO techniques to infect more users in the future..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/punx42
2009-05-27 Eweek.com - "... McAfee* researched more than 2,600 popular keywords, as defined by Google Zeitgeist and other sources. The words were ranked by maximum risk, which was determined by the maximum percentage of malicious sites a user would encounter on a single page of search results. According to the company, "screensavers" was found to be especially dangerous, garnering a maximum risk of 59.1 percent. The word "lyrics" came in second with a maximum risk factor of one in two. Surprisingly, searches using the word Viagra—a word that makes its way into more than a few spam e-mails—yielded the fewest risky sites, McAfee reported. Clicking on results that contain the word "free" brings a 21.3 percent chance of infecting your PC, according to McAfee's calculations. Those interested in telecommuting don't fare much better—results with the phrase "work from home" were found to be four times riskier than the average risk of all popular terms. Security vendors have noted the trend of hackers poisoning search engine results a number of times this year, most recently with the Gumblar attacks. In that case, victims were infected with malware that, when the victim performed a subsequent Google search, replaced the results with links leading to malicious pages..."
* http://newsroom.mcafee.com/article_d...rticle_id=3526
May 27, 2009

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/qn3f63
Pandalabs - UPDATE - 6/04/09 - "16,000 new malicious links have appeared in Google over the last 24 hours targeting the phrase "TV Online". The malicious site appears to be a video viewing website. It will prompt to you to downoad and install a codec.exe file, which of course is a malicious file. Knowing that this link wouldn’t be the only one, we started researching the domains and keywords being targeted and here is what we found:
Keywords:
16,000 links targeting "TV Online"
16,000 links targeting “YouTube”
10,500 links targeting "France" (Airline Crash)
8,930 links targeting "Microsoft" (Project Natal)
3,380 links targeting "E3"
2,900 links targeting "Eminem" (MTV Awards/Bruno Incident)
2,850 links targeting “Sony”
The sites are all hosted via Lycos Tripod, which is a free web host. This allows the cyber criminals to create thousands of free sites to take advantage of the Blackhat SEO and then simply redirect the free sites to just a handful of their own servers.
Blackhat SEO is definitely one of the most prevalent threat distribution methods today. We expect to see several more examples of this type of attack throughout the year, so be especially careful when searching for news breaking stories..."

[AplusWebMaster]

FYI...

Google search abused - again
- http://blog.trendmicro.com/another-g...eature-abused/
June 15, 2009 - "A recent set of SPAM emails were seen abusing yet another Google search feature... The URL in the spam email above uses the search feature q=site: in order to direct the user clicking on the link to a Google results page returning the spam site... What works in the spammers advantage is Google displays the first few lines of the web page, and that may be enough to entice some users to continue and click the link... It should be noted that spammers heavily used Google’s “I’m feeling lucky” feature late last year on their spam campaigns..." (Screenshots available at the URL above.)

"I don't feel so lucky anymore..."

[AplusWebMaster]

FYI...

Blackhat SEO quick to abuse death of celebrities
- http://blog.trendmicro.com/blackhat-...fawcett-death/
June 25, 2009 - "Cybercriminals take the low road once again as they pepper the Internet with blackhat SEO links that are likely to attract users searching for news... Not long after news of Farrah Fawcett’s passing hit mainstream news, singer/entertainer Michael Jackson likewise meets an untimely death. Users are advised to exercise extreme caution in searching for related news and information surrounding the deaths of these celebrities... Users who have the misfortune of coming across “System Security Antivirus” are advised to run their legitimate antivirus if this makes an appearance on their system."

- http://isc.sans.org/diary.html?storyid=6646
Last Updated: 2009-06-26 01:19:23 UTC

[AplusWebMaster]

FYI...

Rumors of Emma Watson's death leading to Rogue AV sites
- http://securitylabs.websense.com/con...erts/3450.aspx
07.27.2009 - "Websense... has discovered that a rumor claiming that the actress Emma Watson, made famous by the Harry Potter series of movies, died on the scene of a fatal car collision is spreading rogue AV sites on the Internet. The rumor itself is spreading rapidly through social networks such as Twitter. The attackers have targeted the Google search engine via the Search Engine Optimization (SEO) poisoning technique: when a user searches for terms related to Emma Watson's death, the fake AV sites are returned as high as the fifth result on Google..."

(Screenshot available at the URL above.)

[AplusWebMaster]

FYI...

Free Online Movie Blogs... Trojan for Windows and Mac
- http://www.symantec.com/connect/blog...indows-and-mac
August 20, 2009 - "We have recently observed that attackers are actively exploiting new movie releases to distribute malware. The general practice is to host a blog on a (relatively) reputable site, which in actual fact redirects users to a malicious website hosting malware. The movie “Obsessed” was released in April 2009 and in order to watch it online for free, users might search for a phrase that includes keywords such as movie, free, video, online, watch, etc.—along with the movie’s name... The first search result we received was from digg.com. The digg.com page that was listed is flooded with the keywords related to movie... However, when a user clicks on the link it redirects to a blog hosted on blogspot.com... Then, once the user clicks on an image that appears to be a video player window, it redirects to a codec download. Unfortunately this turns out to be a fake codec. More investigation revealed that blogspot .com has been abused by attackers with multiple, similarly styled posts... These blogs usually contain a link that redirects users to malicious sites using multiple redirections. This enables cybercriminals to continually change the site that finally delivers the malware. Interestingly enough, the malicious site to which users are being redirected is serving malware for Windows as well as for Mac OS. This is based on the user-agent string of the browser. For a Windows browser agent it delivers a Trojan intended for the Windows operating system, and for a Mac OS browser agent it delivers a Trojan for the Mac operating system... Symantec antivirus products detect this threat as Trojan.Fakeavalert for Windows and as OSX.RSPlug.A for Mac OS. Users should be aware of these social engineering techniques and should use caution when visiting any such sites..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Malicious blogs on Blogspot...
- http://www.symantec.com/connect/blog...-koobface-gang
September 1, 2009 - "... We have been monitoring Koobface for a while now, and here we have some findings based on analyzing data collected over three weeks. These findings shed some light onto the modus operandi of the gang behind Koobface and the effectiveness of its techniques. The infrastructure used by the Koobface gang is relatively simple: a central redirection server redirects victims to one of the infected bots where the actual social engineering attack takes place. While the central redirection point has been actively targeted by take-down requests, the Koobface gang has so far been quick to replace suspended domain names and blacklisted IPs with new ones... The use of SEO techniques by Koobface has only recently come under analysis. For example, a recent post* by Finjan’s Daniel Chechik has described how Koobface automatically creates malicious blogs on Blogspot, Google’s blogging platform, to attract and infect victims. During our monitoring we detected 11,337 such malicious blogs..."
* http://www.finjan.com/MCRCblog.aspx?EntryId=2317

(Screenshots available at the URL above.)