Search Engine Poisoning - archive

FYI...

- http://sunbeltblog.blogspot.com/2008/04/google-groups-continues-to-be-inundated.html
April 05, 2008 - "As we’ve seen before, this continues to be a problem on Google Groups: Fake posts pushing porn that pushes malware (fake codecs)... This really needs to get cleaned up. There’s a reason why so many of the threats that we see users getting infected with are invariably fake codec related..."

(...because it works. Screenshots available at the URL above.)

:fear:
 
FYI...

- http://www.trustedsource.org/TS?do=threats&subdo=blog&id=31
April 7, 2008 - "The infamous “Storm worm” is back and now the spam messages contain links to the domain blogspot .com - Google’s Blogger service. The spammed subjects look like “Crazy in love with you“, “I Love Being In Love With You” or “Fallen for you“. The mail body contains just simple short sentences like “I’ll never stope loving you“, “With All My Love” or “Deeply in love with you“, followed by a link to Blogger... When a curious user will follow the lure, he will be presented a Blogger web site like above. An executable file named ‘withlove.exe‘ is linked and downloaded from another fast-fluxing domain... BTW: Storm is not the first malware which invades Blogger. Last year Zlob was also present on many Blogs, waiting to show the infamous missing codec error messages. So be aware..."

:fear:
 
FYI...

- http://preview.tinyurl.com/5hq4xc
16 Apr 2008 | SearchSecurity.com - "...The technique of using otherwise legitimate sites to host and deliver malware is an increasingly popular one and has continued to be effective for a number of reasons. Most importantly, users do not expect to find malware on e-commerce, news and entertainment sites that they trust and have been visiting for years. But there's also the problem of finding and removing the malicious pages. It's much easier to isolate and blackhole an entirely malicious site than it is to find and take down one infected page among thousands on a legitimate site. In his analysis of the malware utility, ISC handler Bojan Zdrnja wrote* that after infecting a new site, the program then checks with a remote server in China, possibly to confirm the new infection as part of a pay-per-infection scheme. After that operation, the tool will then connect to Google and use a specific search string to find vulnerable sites..."
* http://isc.sans.org/diary.html?storyid=4294

:fear:
 
FYI...

- http://securitylabs.websense.com/content/Blogs/3068.aspx
4.17.2008 - "... research has uncovered a case where a museum's compromised Web server is serving malicious code based on the referrer making the request. A referrer could be, for example, a search engine such as images.google.com. As interesting as the fact that they're doing this, however, is which referrers trigger the delivery of malicious content, when others do not. In this case, the malicious content is served -only- when the referrers for the request are certain high-profile image search sites... For example, if a browser attempted to load a page with the desired image through images.google.com, malicious content was delivered. However, if a normal Google search (www .google.com) was used for the same image with the same URL, the result was the proper page, -without- the malicious redirect. So far, the list of image search sites that are used as affected referrers by the attacker are among the most high-profile image searches on the web:
* images.google.com
* images.search.yahoo.com
* www .altavista.com/image/default
* search.live.com/images/
... another screenshot of the same page, but with referrer data disabled. This page contains the normal page content, not the malicious code. The decision on what content to send is made on the server, so this attack is browser-independent. Regardless of which browser is used, if the referrer information on the request is one of the affected image search engines, the malicious content is delivered... it seems as though the museum's page has also been compromised with a search engine poisoning attack. Beyond the normal reasons for such a compromise, we can theorize that this may have been done to increase the site's search ranking, making it more likely for its images to come up in a search. As a result, more systems are likely to be infected by the malicious content."

(Screenshots available at the URL above.)

:fear:
 
FYI...

Google Pages Porn Malware Invasion Continues Unabated
- http://sunbeltblog.blogspot.com/2008/04/google-pages-porn-malware-invasion.html
April 17, 2008 - "... Hundreds of thousands of pages, if not over a million. Examples (warning: graphic language)... And there’s also splogs pushing malware, not as porn, but just off of keywords. Here’s a search for “Symantec Download”... file being pushed, setup.exe, is a trojan. Or, let's use the search term “McAfee download”... (I’m not picking on these AV companies, if you do similar searches for Sunbelt products, you’ll hit these types of things as well.) These slimeballs are using all kinds of keywords. Here’s some more, like Blackberry Ringtones and Free Messenger Download, returning spam links... Or how about keeping it simple, and just saying “free download”? Malware!... A large part of this is most certainly caused by bots uploading stuff, breaking the CAPTCHA. They may not break it all the time, but they do break it probably 10% of the time. That’s enough to upload a ton of garbage..."

(Screenshots available at the URL above.)

:fear::fear:
 
FYI... (now, not "malware", just FRAUD)

- http://www.networkworld.com/news/2008/050208-google-adwords-fuel-new-url.html
05/02/2008 - "Google adwords account holders are being targeted by criminals out to trick them into handing over credit card information using a clever URL spoof that has gained popularity in recent weeks. On the face of it, the scam follows a traditional attack route involving the sending of spam emails to random Internet addresses in the hope of finding users who have purchased adwords. The email claims that the user's account payment has failed and asks them to "update payment information", again a transparent ploy by today's standards... As obvious as this might sound, the unwary might easily be tricked by the convincing http ://adwords .google .com/select/login link embedded in the email, a perfect copy of the correct Google login address. This one, however, actually leads to hxxp ://www .adwords .google .com.XXXX.cn/select/Login [address altered], an obfuscated address that directs to a site associated with IPs in Germany, Romania, and the Czech Republic. The site is a good copy of the real Google adword site, and appears to let users login using their real account details - any account details will work in fact. Entering payment details results in that information being posted using an SSL link to a remote server after which the account will be ripped off. The attack has been publicized by security software company Trend Micro*, but the disarmingly simple scam is widespread enough to have been received by ordinary users in recent days..."
* http://blog.trendmicro.com/google-adwords-phishing/
May 1, 2008

:fear::fear:
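The spoof quoted above works because the trusted name sits at the left of the hostname while the registered domain is at the right. The following check is an added example, not part of the original post or the quoted article; the `TRUSTED_DOMAINS` allowlist and the `phish.example` host in the test values are constructed assumptions.

```python
from urllib.parse import urlsplit

# Domains the mail filter treats as genuine for this brand (assumption).
TRUSTED_DOMAINS = {"google.com"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_under(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(display_text: str, href: str) -> str:
    """Classify an e-mail link as 'trusted', 'lookalike', 'mismatch' or 'other'."""
    target = host_of(href)
    if any(is_under(target, d) for d in TRUSTED_DOMAINS):
        return "trusted"

    # A trusted name used as leading labels of some other domain,
    # e.g. adwords.google.com.<registered-domain>.<tld>
    labels = target.split(".")
    for domain in TRUSTED_DOMAINS:
        d_labels = domain.split(".")
        n = len(d_labels)
        # Stop before the final position: a match there would be a real suffix.
        for i in range(len(labels) - n):
            if labels[i:i + n] == d_labels:
                return "lookalike"

    # The visible text shows a trusted URL but the link goes elsewhere.
    shown = host_of(display_text) if "://" in display_text else ""
    if shown and any(is_under(shown, d) for d in TRUSTED_DOMAINS):
        return "mismatch"
    return "other"
```

A substring test such as `"google.com" in host` would pass the spoofed host; only a suffix match on whole labels separates the two.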
 
Google a top source of badware...

FYI...

- http://preview.tinyurl.com/5cvvdw
June 24, 2008 (Infoworld) - "...Stopbadware.org released data on "badware" Web sites on Tuesday, saying that Google was one of the top five networks responsible for hosting these dangerous Web sites.
The numbers show that China is now a top source of malicious Web sites -- China-based networks hosted more than half of the malicious Web sites tracked by the group -- but Google's appearance on the list is perhaps more remarkable...
A year ago, Google did not appear on Stopbadware.org's list of the top 10 sources of badware, but recently scammers and online criminals have turned to Google's Blogger service to host malicious or spyware-related Web pages... In March, Google was the top badware network tracked by Stopbadware*..."

* http://blogs.stopbadware.org/articles/2008/04/05/infections-stats-for-march-2008
Top Infected IP Addresses

> http://www.stopbadware.org/home/badwebs

:fear::spider:
 
A Million Search Strings to Get Infected

FYI...

- http://blog.trendmicro.com/a-million-search-strings-to-get-infected/
August 15, 2008 - "...We received several reports from the North American region earlier today about users being victimized by a rogue antispyware, which these users have downloaded after they have somehow been convinced to click on malicious links. These links point to malware that caused overt signs (such as popup balloons and modified wallpapers) to appear in the PC suggesting that the system has indeed been infected. This is not goodwill, though — because downloading the ‘trial version’ only scans the system. To remove the infection the user will have to purchase the entire antispyware for real money. Users may be infected via spammed email messages, spammed instant messages, or even via ads served in social networking sites. Soon enough, we’ve discovered not one but two fake antivirus software. This time the attack is made possible through a mass SEO poisoning involving several compromised Web sites. This development has certainly upped the chances of the rogue antispyware gaining mileage. How does this work? A simple Google/Yahoo! search can lead you to malware-serving site. Search strings such as “changes on the river amazon” or “changes made for mount Pinatubo” will lead you to a malicious Web site. Users who happen to use these strings will find themselves going down the long road of nasty redirections... After all the fake notifications, the user will be asked to download AV2009Install_880488.exe. The other fake antivirus will lead users to hxxp ://scan. free-antispyware-scanner. com ... This will ask the user to download setup_100722_3.exe instead of AV2009Install_880488.exe. (Note that the final agenda for both and most rogue antispyware scams is extortion. Users who fall for this scam pay a certain amount of money to the malware writers to purchase the full version of the fake antispyware.)
According to our investigation, there are about several dozen domains involved that are currently compromised. The hackers were able to upload PHP scripts that contain various text strings designed for SEO poisoning (SEO poisoning is manipulating or influencing the natural page rankings of search results in order to get more hits than a page really deserves). This is not the first time Trend Micro has seen this incident, a previous SEO poisoning of this scale was also discovered December 2007, with SEO poisoning pages hosted on Blogspot. This time around, compromised web sites were used instead. Digging a little bit deeper, we’ve also found out that the hackers have almost 1 million search phrases at their disposal for SEO poisoning. These search phrases cover the range from free downloads, lyrics, travel, politics and anything in between. Malicious sites have “CLICK HERE! ALL INFORMATION!” and “CLICK HERE! WANT TO KNOW MORE ABOUT” as their page titles, so it will be best to avoid clicking through Google/Yahoo! results that have those aforementioned site titles."

(Screenshots available at the TrendMicro URL above.)

:fear::fear:
 
Continuing problem - malware advertised in Google Adwords

FYI...

- http://sunbeltblog.blogspot.com/2008/08/continuing-problem-of-malware-being.html
August 23, 2008 - "Google continues to have a problem with malware being advertised in Google Adwords, in this case, for the trojan Antivirus XP 2008... An exacerbating part of the problem, of course, is that Google Adwords are massively syndicated to other sites, including heavy-hitters like CNET, all of whom may unknowingly push malware through these ads. A lot of people can get affected by this type of problem."
(Screenshots available at the URL above.)

- http://sunbeltblog.blogspot.com/2008/08/i-can-resist-irony.html
August 23, 2008 (Yet another Screenshot)

:fear::mad:
 
More Google searches resulting in rogue AV

FYI...

- http://blog.trendmicro.com/more-google-searches-resulting-in-rogue-av/
Nov. 5, 2008 - "... 2 scenarios resulting (in) rogue AV downloads, also done through hijacking Google search results... In the first scenario, queries for the string refa+zeitaufnahmebogen [related to a German association for work design] on the German Google website (www .google.de) yield suspicious results... Using Wireshark, I’ve found that this was achieved through a redirection to yet another URL entirely... While the first scenario is more of a targeted attack, this next one proves to aim at a wider range of victims, and timely as well considering the US elections. Malicious results were also found generated from queries for the string absentee voting... And of course, this is another work of the FakeAV gang. Clicking the result triggers a series of redirections; however the payload, or the fake AV itself, is not there anymore. The downloaded file has the same name..."

(Screenshots available at the URL above.)

:fear:
 
Bogus ‘HouseCall’ Search Results Lead to Adware

FYI...

- http://blog.trendmicro.com/bogus-housecall-search-results-lead-to-adware/
Nov. 23, 2008 - "Given the popularity of Trend Micro’s free online scanner HouseCall, it shouldn’t be a surprise that hackers are now trying to exploit it for their benefit... found this unwelcome search result that comes up when a user searches for “free online virus scan by Trend Micro” in Google... Not surprisingly, the system scanning is completely fake. In actuality, the page linked to in the initial resulting Google search - along with other pages from the same domain - all point to a file detected by Trend Micro as ADW_FAKEAV. This is the software that tries to dupe victims into believing that their systems are infected with some sort of bogus malware and then prompts them to pay for a full license of a fake antivirus application in order to remove the fake threat. ADW_FAKEAV also connects to a remote website and downloads another adware program detected as ADW_FAKEAV.O, so in this entire process, victims are exposed to more adware threats... This would not be the first time our products’ names were used in malicious operations..."

(Screenshot available at the URL above.)

:fear::mad:
 
FYI...

Fake antivirus peddlers... using redirects
- http://preview.tinyurl.com/7khzp9
12/24/2008 (Networkworld.com) - "... Over the past four days the scammers have used so-called redirector links on Web sites belonging to magazines, universities and, most remarkably, the Microsoft.com and IRS.gov domains, said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham, who first reported the activity on his blog* Tuesday. Many Web sites use redirector links to take visitors away from the site, although the Web site operators try to stop them from being misused by scammers... If criminals can use a redirector on a major Web site like Microsoft.com or IRS.gov, however, they can make their malicious links pop up very high in Google search results... The FTC estimates that 1 million consumers were taken in by other fake antivirus products which go by names such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus... the scammers behind this latest operation may be connected to the earlier scams..."
* http://garwarner.blogspot.com/2008/12/more-than-1-million-ways-to-infect-your.html
December 23, 2008 - "An unknown hacker has been on a Search Engine Optimization rampage to flood search engines with more than a million ways to infect yourself with his virus... You can review the coverage on "install.exe" on VirusTotal.com**... where only 5 of 37 antivirus products were able to identify the file as malware...
UPDATE!
Microsoft has closed the Open Redirector which was being abused... Clicking one of the Microsoft pages indicated in the Google search... will now take you to a safe page stating that the page was not found, and then forwarding you to a Microsoft search page. Thanks to Microsoft for such a quick response once the problem was pointed out to them."
** http://www.virustotal.com/analisis/5360054b5e2f7c54a81de81583e36fa0

:fear::mad::fear:
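For site operators, the fix for an abused redirector of the kind described above is to validate the target before issuing the redirect. The following is an added example, not code from the quoted articles or from any of the sites they name; `ALLOWED_HOSTS`, the `example.org` hosts and the `rogue-av.example` test values are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hosts this site is willing to send visitors to (assumption for the example).
ALLOWED_HOSTS = {"www.example.org", "support.example.org"}


def safe_redirect_target(raw: str, fallback: str = "/") -> str:
    """Return raw if it is a safe redirect target, otherwise the fallback.

    Accepted: same-site absolute paths ("/a/b") and http(s) URLs whose host
    is on the allowlist. Everything else is replaced by the fallback.
    """
    # Control characters and backslashes are parsed inconsistently by
    # browsers and libraries, so reject them outright.
    if not raw or "\\" in raw or any(ord(c) < 0x20 for c in raw):
        return fallback
    try:
        parts = urlsplit(raw)
    except ValueError:
        return fallback

    if not parts.scheme and not parts.netloc:
        # Relative target: allow only a path rooted at this site.
        # "//host/path" is scheme-relative and leaves the site.
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return fallback

    if parts.scheme not in ("http", "https"):
        return fallback
    # "https://trusted@other-host/" puts the trusted name in the userinfo.
    if parts.username is not None or parts.password is not None:
        return fallback

    host = (parts.hostname or "").lower()
    return raw if host in ALLOWED_HOSTS else fallback
```

The allowlist is matched against the parsed hostname, never against the raw string, so a trusted name placed in the path, the userinfo or the left-hand labels of another domain does not pass.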
 
FYI...

- http://www.viruslist.com/en/weblog?weblogid=208187615
January 05, 2009 - "Drive-by downloads became increasingly common in 2008. With webmasters becoming more aware of security issues, the criminals out there are always looking for new techniques to ensure that their malware survives longer... The malware writers start by doing Google searches to identify popular websites. The most popular sites thrown up by each search are then ‘pen-tested’ for vulnerabilities. The most vulnerable websites are then compromised and in order to cover their tracks, malware writers aren’t adding code to these compromised pages in the form of new files or even obfuscated code. Instead, they’re simply modifying scripts that are already running on the compromised pages... it’s not just websites which have been optimized to achieve high search rankings that are being used; the criminals are also targeting some security sites... Compromising websites optimized for search engine success and infecting users through a series of malicious re-directs is bound to be a popular attack vector in 2009 and will undoubtedly cause webmasters new headaches. This case just goes to show that nothing on the Internet is as safe as it might seem. And it’s not just Google that’s affected – I tested this attack scenario using Yahoo! and MSN, and the results were the same..."

:fear::fear::fear:
 
Google Adwords phish...

FYI...

- http://sunbeltblog.blogspot.com/2009/01/new-google-adwords-phishing-run.html
January 18, 2009 - "Google Adwords phishes have been quiet for a while, but now they’re back. Unlike most of the other Google Adwords runs, these are not using .cn TLDs, instead ones like Burkina Faso and EU (.be and .eu)... All fast flux... And all appear to have been registered with Tucows..."

(Screenshots available at the URL above.)

:fear::mad:
 
Google Video - SEO poisoning...

FYI...

- http://blog.trendmicro.com/google-video-searches-being-poisoned/
Feb. 1, 2009 - "... new blackhat SEO poisoning makes clear that online search tools are quickly becoming favorite platforms for online criminals in their operations. Search traffic on Google Video were found to be polluted: instead of legitimate videos researchers found some 400,000 queries returning video results that have a single redirection point, and one that eventually leads to malware download and execution.
Trend Micro detects the malicious executable as WORM_AQPLAY.A. This worm - file name FlashPlayer.v3.181.exe and from that alone one can already guess the social engineering strategy - spreads via removable and network drives when autorun is enabled. It masquerades as an Adobe Flash installer, which users who visit certain spoofed versions of video streaming websites are prompted to download and install. What’s more interesting here is how users get to these spoofed websites in the first place. Researchers believe that the gang behind this threat is maintaining a notable number of domains for their malicious operations. These domains have keyword-riddled pages, so they appear on top of search results when users enter certain related strings. A user, thinking that top search results are reliable, is then unknowingly trapped into visiting a malicious website. This is typical of most SEO poisoning attacks, but it does not end there. This new threat also comes with a detection-evasion technique: only users who are redirected from Google Video are prompted to download FlashPlayer.v3.181.exe.
Blackhat SEO threats take advantage of the trust users put on online search tools. Through this method cybercriminals are able to manipulate results such that malicious websites appear first on search lists..."

:fear:
 
Yahoo! sponsored search results lead to rogues

FYI...

* http://preview.tinyurl.com/db25xj
03-10-2009 06:25PM - Symantec Security Response Blog - "Search engines are often used by attackers as platforms from which to deliver malicious code. A while ago it was reported that Google was serving up advertisements that led to misleading applications (also known as rogue antispyware products). This time, the malicious code authors are using “Yahoo! Sponsored Search” listings as a means to promote a misleading product called ”Antivirus & Security.” Antivirus-2009-new .com and Antivirus-pro-download .com are returned in Yahoo!... The sponsored search result leads to antivirus-2009-new .com and antivirus-pro-download .com, where users are asked to make a payment to buy a membership in order to obtain the product.
>>> Instead of using techniques like search engine optimization (SEO) poisoning to get the top listing in the search engine results, attackers are using Yahoo’s advertising services to display their advertisement on all websites that display Yahoo’s sponsored search results...
Fortunately, these sponsored listings have since been cleaned up and all websites that display sponsored search results from Yahoo, and no longer appear to be displaying these misleading advertisements. However, links to this website in forum comments and other website pages still can be found. A Yahoo search returned around 9,000 results and a Google search returned around 5,000 results when searching for “antivirus-2009-new .com.” For “antivirus-pro-download .com,” Yahoo returned around 10,000 results and Google returned around 1,650 results..."

(Screenshots available at the Symantec URL* above.)

:fear::mad::fear:
 
SEO poisoning - March Madness-related search leads to rogue AV...

FYI...

- http://securitylabs.websense.com/content/Alerts/3322.aspx
03.16.2009 - "Websense... has received reports that searching for March Madness-related terms in Google's search engine returns results that lead to rogue antivirus software. March Madness is the term given to an elimination tournament held each spring featuring college basketball teams in the United States.
With only a few days left before the tournament starts, if a user searches for popular March Madness-related terms in Google, malicious URLs as high as the -first- result are returned. Search terms that currently exist within the Top 10 of Google's Hot Trends (the most popular search results) return these malicious URLs. If a user clicks through these links (such as hxxp ://[removed].de/news/nit_bracket_2009 .html) they are redirected, via Javascript code, to a Web site advising the user that their machine is infected. The rogue AV Web site encourages the user to install a file called install.exe. The technique of search engine optimization (SEO) poisoning pushes the infected URLs to the top of the search results, to increase the likelihood of a user clicking through to the malicious link. Ask.com is also confirmed to be affected in this way. Other search engines may be affected in a similar manner..."

(Screenshots available at the Websense URL above.)

:fear::mad:
 
Twitter worm Google searches lead to malware

FYI...

- http://www.f-secure.com/weblog/archives/00001657.html
April 14, 2009 - "No surprise at all that Google searches for information about the Twitter worm would lead to malware sites, it was really just a matter of time. Especially not after all the talk about it over the weekend and the guy behind it even confessing everything. Malicious search results about popular news is something we see very often unfortunately... So, unfortunately we're not surprised that this happened. As usual, get your news and information from sources you trust. Random Google searches can't be trusted.
Updated to add: Searching for "Mikeyy" also leads to malicious results."

(Screenshots available at the URL above.)

:sad::fear:
 
SEO campaign serving scareware...

FYI...

SEO campaign serving scareware
- http://ddanchev.blogspot.com/2009/04/massive-blackhat-seo-campaign-serving.html
April 22, 2009 - "... yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software. Later on Google detected the campaign and removed all the blackhat SEO farms from its index, which during the time of assessment were close to a hundred domains with hundreds of subdomains, and thousands of pages within... It's worth pointing out that this very latest campaign is directly related to last week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains, and serving the same malware. Who's behind these search engine poisoning attacks? A Ukrainian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic... Once the user visits any of the domains within the portfolio, with a referrer check confirming he used a search engine to do so, two javascripts load, one dynamically redirecting to the portfolio of fake security software, and the other logging the visit using a Ukrainian web site counter service..."

(More detail available at the URL above.)

:fear::mad::fear:
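Three of the reports in this thread (the Websense museum case, the Trend Micro Google Video case and the campaign above) describe servers that return the malicious content only when the request carries a search-engine referrer, so a direct visit by the webmaster looks clean. The following is an added example of a check a site owner can run against their own pages, not code from the posts or the quoted articles; the referrer paths, the `museum.example` and `redirector.example` hosts and the `constructed_fetch` stand-in are constructed assumptions.

```python
import re
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Referer values to probe with. The hosts are named in the reports above;
# the paths and query strings are constructed for this example.
PROBE_REFERERS = [
    "http://www.google.com/search?q=test",
    "http://images.google.com/images?q=test",
    "http://images.search.yahoo.com/search/images?p=test",
    "http://search.live.com/images/results.aspx?q=test",
]

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.I)
Fetch = Callable[[str, Optional[str]], str]


def referenced_hosts(html: str) -> set:
    """Hosts of every absolute URL that appears anywhere in the body."""
    return {urlsplit(u).hostname for u in URL_RE.findall(html)} - {None}


def http_fetch(url: str, referer: Optional[str]) -> str:
    """Fetch a page, optionally sending a Referer header."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def find_referer_cloaking(url: str, fetch: Fetch = http_fetch,
                          referers: List[str] = PROBE_REFERERS) -> Dict[str, List[str]]:
    """Map each Referer to the hosts that appear only when it is sent.

    Comparing referenced hosts rather than whole bodies keeps timestamps
    and other per-request noise from producing false positives.
    """
    baseline = referenced_hosts(fetch(url, None))  # request with no Referer
    findings = {}
    for ref in referers:
        extra = referenced_hosts(fetch(url, ref)) - baseline
        if extra:
            findings[ref] = sorted(extra)
    return findings


def constructed_fetch(url: str, referer: Optional[str]) -> str:
    """Offline stand-in for a compromised server (constructed sample data)."""
    page = '<html><body><img src="http://museum.example/img/vase.jpg"></body></html>'
    host = urlsplit(referer).hostname if referer else ""
    if host in ("images.google.com", "images.search.yahoo.com"):
        page = page.replace(
            "</body>",
            '<script src="http://redirector.example/x.js"></script></body>')
    return page
```

Passing `constructed_fetch` runs the check offline; the default `http_fetch` performs real requests and is meant for pages the operator is responsible for.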
 