Search Engine Poisoning - archive

Swine Flu SEO...

FYI...

Swine Flu SEO...
- http://www.f-secure.com/weblog/archives/00001668.html
April 27, 2009 - "Swine Flu is in the news worldwide and search trends are spiking in North America... We're seeing lots of domains being registered. Here's a list of the ones registered over the weekend*... No malware sites - yet. But plenty of them are opportunistic... Click on the "Add to Cart" button at noswineflu .com and you'll be asked to buy a PDF file called "Swine Flu Survival Guide" for $19.95..."
* http://www.f-secure.com/weblog/archives/swineflu_domains.txt

:fear::sad:
 
Google safe browsing advisories...

Warning: We strongly suggest that readers NOT visit websites on this list. They all have a history of covert hacks, redirecting the browser to drive-by-malware installations, and should be considered dangerous and capable of infecting and causing damage to your system with exploits, spyware, trojans, viruses, and the like.

Advisories provided by Google:

18dd.net - http://google.com/safebrowsing/diagnostic?site=18dd.net/
"... this site has hosted malicious software over the past 90 days. It infected 2928 domain(s)..."
3322.org - http://google.com/safebrowsing/diagnostic?site=3322.org/
"... Of the 1259 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 24233 scripting exploit(s), 2443 exploit(s), 1095 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 25 domain(s)..."
5252.ws - http://google.com/safebrowsing/diagnostic?site=5252.ws/
"...this site has hosted malicious software over the past 90 days. It infected 126 domain(s)..."
8800.org - http://google.com/safebrowsing/diagnostic?site=8800.org/
"... Of the 1631 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-02, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 296 exploit(s), 140 scripting exploit(s), 100 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 7 domain(s)..."
8866.org - http://google.com/safebrowsing/diagnostic?site=8866.org/
"...Of the 572 pages we tested on the site over the past 90 days, 97 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 2195 scripting exploit(s), 848 exploit(s), 845 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 28 domain(s)..."
ifastnet.com - http://google.com/safebrowsing/diagnostic?site=ifastnet.com/
"... Of the 2956 pages we tested on the site over the past 90 days, 177 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 163 trojan(s), 108 scripting exploit(s), 15 adware(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 60 domain(s)..."
xprmn4u.info - http://google.com/safebrowsing/diagnostic?site=xprmn4u.info/
"... Malicious software includes 144 scripting exploit(s), 65 trojan(s). This site was hosted on 1 network(s)..."
yl18.net - http://google.com/safebrowsing/diagnostic?site=yl18.net/
"... this site has hosted malicious software over the past 90 days. It infected 120 domain(s)..."

Note: This is NOT a complete list, but you should get the idea...

:fear::spider::fear:
 
Swine Flu SEO spreads malware

FYI...

Swine Flu SEO spreads malware
- http://securitylabs.websense.com/content/Alerts/3393.aspx
05.08.2009 - "... most of the sites are used for advertisement or email/web spam to sell their products, but of course, the topic also offers plenty of opportunity for malware. We discovered that some Web sites are using the swine flu topic to spread malware. Interestingly, the sites we found are the type that only redirect users to a malicious Web site when they access the site through certain search engines. The targeted search engines are the most popular such as Google, Yahoo, and AOL. When a user searches using swine flu-related search terms, the malicious sites are returned as high as the fifth result on Google. The malicious Web site that is redirected is typical: it asks the user to install a missing codec to watch a video, and the download codec is a Trojan Downloader. Until now, these kinds of sites just used hot topics to attract users; we suspect that they will use more advanced SEO techniques to infect more users in the future..."

(Screenshots available at the URL above.)

:fear::fear:
 
Most Dangerous Search...

FYI...

- http://preview.tinyurl.com/punx42
2009-05-27 Eweek.com - "... McAfee* researched more than 2,600 popular keywords, as defined by Google Zeitgeist and other sources. The words were ranked by maximum risk, which was determined by the maximum percentage of malicious sites a user would encounter on a single page of search results. According to the company, "screensavers" was found to be especially dangerous, garnering a maximum risk of 59.1 percent. The word "lyrics" came in second with a maximum risk factor of one in two. Surprisingly, searches using the word Viagra—a word that makes its way into more than a few spam e-mails—yielded the fewest risky sites, McAfee reported. Clicking on results that contain the word "free" brings a 21.3 percent chance of infecting your PC, according to McAfee's calculations. Those interested in telecommuting don't fare much better—results with the phrase "work from home" were found to be four times riskier than the average risk of all popular terms. Security vendors have noted the trend of hackers poisoning search engine results a number of times this year, most recently with the Gumblar attacks. In that case, victims were infected with malware that, when the victim performed a subsequent Google search, replaced the results with links leading to malicious pages..."
* http://newsroom.mcafee.com/article_display.cfm?article_id=3526
May 27, 2009

:fear::fear:
 
Blackhat SEO

FYI...

- http://preview.tinyurl.com/qn3f63
Pandalabs - UPDATE - 6/04/09 - "16,000 new malicious links have appeared in Google over the last 24 hours targeting the phrase "TV Online". The malicious site appears to be a video viewing website. It will prompt you to download and install a codec.exe file, which of course is a malicious file. Knowing that this link wouldn’t be the only one, we started researching the domains and keywords being targeted and here is what we found:
Keywords:
16,000 links targeting "TV Online"
16,000 links targeting “YouTube”
10,500 links targeting "France" (Airline Crash)
8,930 links targeting "Microsoft" (Project Natal)
3,380 links targeting "E3"
2,900 links targeting "Eminem" (MTV Awards/Bruno Incident)
2,850 links targeting “Sony”
The sites are all hosted via Lycos Tripod, which is a free web host. This allows the cyber criminals to create thousands of free sites to take advantage of the Blackhat SEO and then simply redirect the free sites to just a handful of their own servers.
Blackhat SEO is definitely one of the most prevalent threat distribution methods today. We expect to see several more examples of this type of attack throughout the year, so be especially careful when searching for news breaking stories..."

:fear::mad:
 
Google search abused - again

FYI...

Google search abused - again
- http://blog.trendmicro.com/another-google-search-feature-abused/
June 15, 2009 - "A recent set of SPAM emails were seen abusing yet another Google search feature... The URL in the spam email above uses the search feature q=site: in order to direct the user clicking on the link to a Google results page returning the spam site... What works in the spammers' advantage is Google displays the first few lines of the web page, and that may be enough to entice some users to continue and click the link... It should be noted that spammers heavily used Google’s “I’m feeling lucky” feature late last year on their spam campaigns..." (Screenshots available at the URL above.)

"I don't feel so lucky anymore..."


:fear::mad:
 
Blackhat SEO quick to abuse death of celebrities

FYI...

Blackhat SEO quick to abuse death of celebrities
- http://blog.trendmicro.com/blackhat-seo-quick-to-abuse-farrah-fawcett-death/
June 25, 2009 - "Cybercriminals take the low road once again as they pepper the Internet with blackhat SEO links that are likely to attract users searching for news... Not long after news of Farrah Fawcett’s passing hit mainstream news, singer/entertainer Michael Jackson likewise meets an untimely death. Users are advised to exercise extreme caution in searching for related news and information surrounding the deaths of these celebrities... Users who have the misfortune of coming across “System Security Antivirus” are advised to run their legitimate antivirus if this makes an appearance on their system."

- http://isc.sans.org/diary.html?storyid=6646
Last Updated: 2009-06-26 01:19:23 UTC

:fear::fear:
 
Rumor poisons SEO...

FYI...

Rumors of Emma Watson's death leading to Rogue AV sites
- http://securitylabs.websense.com/content/Alerts/3450.aspx
07.27.2009 - "Websense... has discovered that a rumor claiming that the actress Emma Watson, made famous by the Harry Potter series of movies, died on the scene of a fatal car collision is spreading rogue AV sites on the Internet. The rumor itself is spreading rapidly through social networks such as Twitter. The attackers have targeted the Google search engine via the Search Engine Optimization (SEO) poisoning technique: when a user searches for terms related to Emma Watson's death, the fake AV sites are returned as high as the fifth result on Google..."

(Screenshot available at the URL above.)

:fear::mad:
 
Free Online Movie Blogs... Trojan for Windows and Mac

FYI...

Free Online Movie Blogs... Trojan for Windows and Mac
- http://www.symantec.com/connect/blogs/free-online-movie-blogs-serving-trojan-windows-and-mac
August 20, 2009 - "We have recently observed that attackers are actively exploiting new movie releases to distribute malware. The general practice is to host a blog on a (relatively) reputable site, which in actual fact redirects users to a malicious website hosting malware. The movie “Obsessed” was released in April 2009 and in order to watch it online for free, users might search for a phrase that includes keywords such as movie, free, video, online, watch, etc.—along with the movie’s name... The first search result we received was from digg.com. The digg.com page that was listed is flooded with keywords related to the movie... However, when a user clicks on the link it redirects to a blog hosted on blogspot.com... Then, once the user clicks on an image that appears to be a video player window, it redirects to a codec download. Unfortunately this turns out to be a fake codec. More investigation revealed that blogspot .com has been abused by attackers with multiple, similarly styled posts... These blogs usually contain a link that redirects users to malicious sites using multiple redirections. This enables cybercriminals to continually change the site that finally delivers the malware. Interestingly enough, the malicious site to which users are being redirected is serving malware for Windows as well as for Mac OS. This is based on the user-agent string of the browser. For a Windows browser agent it delivers a Trojan intended for the Windows operating system, and for a Mac OS browser agent it delivers a Trojan for the Mac operating system... Symantec antivirus products detect this threat as Trojan.Fakeavalert for Windows and as OSX.RSPlug.A for Mac OS. Users should be aware of these social engineering techniques and should use caution when visiting any such sites..."

(Screenshots available at the URL above.)

:fear::mad::fear:
 
Malicious blogs on Blogspot...

FYI...

Malicious blogs on Blogspot...
- http://www.symantec.com/connect/blogs/busy-days-koobface-gang
September 1, 2009 - "... We have been monitoring Koobface for a while now, and here we have some findings based on analyzing data collected over three weeks. These findings shed some light onto the modus operandi of the gang behind Koobface and the effectiveness of its techniques. The infrastructure used by the Koobface gang is relatively simple: a central redirection server redirects victims to one of the infected bots where the actual social engineering attack takes place. While the central redirection point has been actively targeted by take-down requests, the Koobface gang has so far been quick to replace suspended domain names and blacklisted IPs with new ones... The use of SEO techniques by Koobface has only recently come under analysis. For example, a recent post* by Finjan’s Daniel Chechik has described how Koobface automatically creates malicious blogs on Blogspot, Google’s blogging platform, to attract and infect victims. During our monitoring we detected 11,337 such malicious blogs..."
* http://www.finjan.com/MCRCblog.aspx?EntryId=2317

(Screenshots available at the URL above.)

:fear::mad:
 
Labor Day - SEO Poisoning leads to Rogue Antivirus

FYI...

Labor Day - SEO Poisoning leads to Rogue Antivirus
- http://securitylabs.websense.com/content/Alerts/3471.aspx
09.04.2009 - "Websense... has detected that Google searches on terms related to Labor Day sales return results that lead to rogue antivirus software. Labor Day is one of the biggest holidays observed in the US each year. Retail sales events held during this weekend are some of the most anticipated throughout the country. When Google is used to search for terms related to Labor Day sales, malicious URLs as high as the first result are returned. Upon clicking an affected search-result link, JavaScript code redirects the user to a Web site advising them that their machine is infected with viruses. It then proceeds to offer free (rogue/fake) AV software. AOL and ASK.com are also affected in a similar way..."

(Screenshots available at the URL above.)

:fear::mad::fear:
 
SEO poisoning - Ann Minch's YouTube video

FYI...

SEO poisoning - Ann Minch's YouTube video
- http://securitylabs.websense.com/content/Alerts/3482.aspx
09.24.2009 - "Websense... has discovered rogue antivirus sites returned by Google searches on Ann Minch. Ann Minch launched a one-woman "Debtors Revolt" against her bank for an unjustified APR increase on her credit card. She posted a video on YouTube two weeks ago sharing her thoughts. Her video made a huge splash and was viewed over a quarter of a million times. When searching for Ann Minch and related terms in Google, rogue antivirus sites, ranked as high as top match, can be returned. These sites lead to fake antivirus pages which claim your computer requires an immediate antivirus scan and prompt you to download malicious files. These files have very low AV detection*..."
* http://www.virustotal.com/analisis/...9154c8b408a8fdc37eb7520b04d766489f-1253761961
File 549170E10037D51580D70240C1E1C6001E217750.exe received on 2009.09.24 03:12:41 (UTC)
Result: 1/41 (2.44%)

(Screenshots available at the Websense URL above.)

:mad:
 
iPhone SEO poisoning leads to Rogue A/V

FYI...

iPhone Blackhat SEO Poisoning Leads to Total Security Rogue Antivirus
- http://securitylabs.websense.com/content/Blogs/3483.aspx
09.28.2009 - "Websense... has detected that Google searches on terms related to iPhone SMS information are returning results that lead to rogue antivirus software. The Apple iPhone is one of the most popular smart phones on the market, and it's quite typical for users to google for information relating to SMS and other features of the iPhone. When Google is used to search for terms related to iPhone SMS information, malicious URLs are returned as high as the sixth result. When a user clicks an affected search-result link, they are redirected to a Web site advising that their machine is infected with malicious threats. It then proceeds to offer rogue or fake AV software... If a user clicks on a link controlled by attackers in this scheme, they are redirected through a series of sites via 302 redirects. The final landing page attempts a scareware technique of warning the user that they have been infected with malware and must clean their system. The user is then prompted to download fake antivirus software... The use of Blackhat SEO leading to Rogue AV will only increase in the upcoming year. This scare tactic has proved to be a very successful method of social-engineering users into installing software onto their computers and tricking them into paying for it..."

(Screenshots available at the URL above.)

:fear::fear:
 
SEO Poisoning - MS Security Essentials

FYI...

SEO Poisoning - MS Security Essentials ...
- http://securitylabs.websense.com/content/Alerts/3485.aspx
09.30.2009 - "Websense... has discovered that search engine results for information on how to download Microsoft's recently released Security Essentials tool are returning links to Web sites that serve rogue AV. Malware authors have used Search Engine Optimization (SEO) techniques to mix rogue search results in with legitimate results. For example, one of the rogue links is directly under an MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on compromised Web sites, including a Canadian publisher's Web site and the British Travel Health Association. When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31. An example of one of the payload files shows that AV detection is low. One such file is named Soft_71.exe (SHA1: 4e58a12a9f722be0712517a0475fda60a8e94fdc). If the user downloads the application, a file with extension .tif is downloaded in the "program files\TS" directory as TSC.exe and system.dat (the .tif file is decrypted/decompressed and split). The payload then executes "tsc.exe -dltest", which apparently connects to a NASA Web site to check internet connectivity. Finally, "tsc.exe" is executed with no parameters, and the rogue AV starts. (In the background the original file is deleted). Since yesterday the Websense ThreatSeeker Network has been monitoring SEO poisoning of search terms related to Microsoft Security Essentials. It appears that the malware authors set up a trial run of SEO poisoning techniques, before converting the redirects to deliver rogue applications today..."

(Screenshots available at the Websense URL above.)

:mad::spider::mad:
 
SEO Poisoning - Google Wave

FYI...

SEO Poisoning - Google Wave
- http://securitylabs.websense.com/content/Alerts/3486.aspx
09.30.2009 - "Websense... has detected that Google searches on terms related to Google Wave return results that lead to a rogue antivirus. Google Wave is the much talked-about, latest API hitting the collaboration scene today. There's a lot of hype about the launch of Google Wave, not only because of the 'new' things it offers but also because Google invited only 100,000 lucky users to test the service. With that said, it's no surprise that users are enticed to this new application. Unfortunately, it's also no surprise that the bad guys are using this hype to manipulate search results...
Malware sample 1:
http://www.virustotal.com/analisis/...665fccc3d97b6111a31de2ffb41e4eb5fe-1254334125
File Soft_88s2.exe received on 2009.09.30 18:08:45 (UTC)
Result: 6/41 (14.63%)
Malware sample 2:
http://www.virustotal.com/analisis/...665fccc3d97b6111a31de2ffb41e4eb5fe-1254330166
File Soft_207.exe received on 2009.09.30 17:02:46 (UTC)
Result: 7/41 (17.07%)
Malware sample 3:
http://www.virustotal.com/analisis/...09a0069aca3fa3680a06aed5ae14efa76d-1254330677
File setup_build7_201.exe received on 2009.09.30 17:11:17 (UTC)
Result: 4/41 (9.76%)
Malware sample 4:
http://www.virustotal.com/analisis/...cd39fc2d7265ac30572b5c811c7527ab34-1254331243
File setup.exe received on 2009.09.30 17:20:43 (UTC)
Result: 9/41 (21.95%) ..."

(Screenshots showing Google Wave-related Google search results and Rogue AV at the Websense URL above.)

:fear::fear:
 
SEO poisoning - Samoa Earthquake News leads to Rogue AV

FYI...

SEO poisoning - Samoa Earthquake News leads to Rogue AV
- http://www.f-secure.com/weblog/archives/00001779.html
September 30, 2009 - "It seems SEO poisoning is the current "trend" for directing users to rogue antivirus software. These SEO poisoning attacks usually exploit major news topics, the latest of which is the September 29th earthquake off Samoa, which triggered a tsunami warning for numerous South Pacific islands, as well as Hawaii. Readers looking for news articles on the earthquake may come across this page in the Google search results... On clicking the link, the user is redirected to a series of sites via 302 redirects... The final landing page warns the user that their "system is infected"... The Windows Security Center warning looks authentic enough, but it is fake. Users are prompted to download rogue antivirus software. As usual, be careful when browsing..."

(Screenshots available at the URL above.)

:fear::fear:
 
Halloween rogue AV

FYI...

Halloween rogue AV
- http://www.eset.com/threat-center/b...-theres-something-scary-in-your-search-engine
October 29, 2009 - "... the fake/rogue AV gang have started on their Halloween special, and this time... it's the same old SEO (Search Engine Optimization) poisoning ploy... I'm looking through a list of keywords currently being used by a particularly prolific Black Hat SEO campaign which has been updated to reflect the sort of stuff that people – and certainly American people - are likely to be searching for at this time of year. I'm looking through a list of thousands of words and phrases, so I'm not going to list them all here... However, if you use common search engines like Google to look for terms like those above and a great many others, you're likely to find a lot of links at the top of the results lists that lead you to fake security software. This claims to find imaginary malware on your system, with the ultimate intention of defrauding you of money and possibly of harvesting your credit card details, for example..."

- http://blog.trendmicro.com/this-halloween-enjoy-the-treats-but-be-wary-of-online-tricks/
Oct. 30, 2009

:fear::mad:
 
More FAKE AV - SEO poisoning

FYI...

More FAKE AV - SEO poisoning
- http://blog.trendmicro.com/meteor-shower-and-new-moon-lead-to-fakeav/
Nov. 18, 2009 - "TrendLabs threat analysts found another FAKEAV campaign piggybacking on the Leonid meteor shower and the much-anticipated sequel to the Twilight saga, New Moon. Users searching for news and updates using the keywords “meteor shower tonight november 16 time” and “New Moon premiere live stream” end up with poisoned search results. These results redirect users to fake online scanners, which ultimately lead to the download of a FAKEAV variant detected by Trend Micro as TROJ_FAKEAV.MET... FAKEAV is notorious for capitalizing on hot news and popular searches via SEO poisoning. Hence, users are advised to be wary of suspicious-looking URLs when conducting online searches..."

(Screenshots available at the URL above.)

:mad:
 
Redirects to scareware - Thousands of web sites compromised

FYI...

Redirects to scareware - Thousands of web sites compromised
- http://blogs.zdnet.com/security/?p=4947
November 17, 2009 - "Security researchers have detected a massive blackhat SEO (search engine optimization) campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software (Inst_58s6.exe)*, commonly referred to as scareware. More details on the campaign: The compromised sites are using legitimate-looking templates with automatically generated bogus content, with a tiny css.js** (Trojan-Downloader.JS.FraudLoad) uploaded on each of them which triggers the scareware campaign only if the visitor is coming from a search engine listed as a known http referrer by the gang - in this case Google, Yahoo, Live, Altavista, and Baidu... the massive blackhat SEO campaign has been launched by the same people who operate/or manage the campaigns for the Koobface botnet..."
* http://www.virustotal.com/analisis/...d1ea14e563bb12970c9540bc0af808687e-1258481993
File nnovv_Inst_312s2.exe received on 2009.11.17 18:19:53 (UTC)
Result: 1/41 (2.44%)
** http://www.virustotal.com/analisis/...f36f4dbda6cc605d2e1191613b87a863be-1258479383
File css.js received on 2009.11.17 17:36:23 (UTC)
Result: 7/41 (17.07%)

- http://blog.trendmicro.com/fake-blogs-lead-to-fakeav/
Nov. 19, 2009

- http://blogs.zdnet.com/security/?p=4297&page=2
"... the claims that “You’re Infected!; Windows has been infected; Warning: Malware Infections founds; Malware threat detected” should be considered as a fear mongering tactic..."

:fear::mad::fear:
 
Brittany Murphy's death - SEO Poisoning

FYI...

Brittany Murphy's death - SEO Poisoning
- http://securitylabs.websense.com/content/Alerts/3514.aspx
12.21.2009 - "Websense... has discovered that Google top searches on "Brittany Murphy death" will return rogue AV Web sites. The Hollywood actress died suddenly during the weekend. Users will be redirected to malicious domains if they click the matches with a referrer from search engines like Google. The malicious domains try everything to convince people that they are real AV software Web sites, so that users download and execute the fake software offered. There are now a lot of variants available, typically named install.exe*, and at the moment it seems they haven't attracted much attention from AV companies..."
* http://www.virustotal.com/analisis/...185c854d4143b4acd4286444a320f15aee-1261366024
File install.exe received on 2009.12.21 03:27:04 (UTC)
Result: 10/41 (24.39%)

(Screenshots available at the Websense URL above.)

- http://www.f-secure.com/weblog/archives/00001842.html
December 21, 2009

:fear::mad:
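Several of the reports in this thread (the MS Security Essentials, ZDNet/Koobface and Brittany Murphy posts) describe the same trick: the compromised site only redirects when the visitor arrives with a search-engine Referer, and the Symantec post adds that the landing site then picks its payload by User-Agent. A plain visit looks clean, which is why these sites stay up. The script below is an added example, not code from any of the vendors quoted; it is the kind of check a site owner or abuse desk can run to spot that behaviour: probe one URL under a few header profiles, record each 302 chain without letting the library follow it silently, and flag the URL when the chains end somewhere different. The hostnames `compromised.example`, `redirector.example` and `scanner.example` and the `make_fake_fetch` stand-in are constructed so the example runs offline; `http_fetch` is the real fetcher you would pass in instead.

```python
"""Detect Referer / User-Agent conditional redirects ("cloaking") by probing
one URL under several request profiles and comparing where each probe ends up.
Added example for the thread above; hosts ending in .example are constructed."""
import urllib.request
import urllib.error
from urllib.parse import urljoin

GENERIC_UA = "Mozilla/5.0 (compatible; cloak-probe/1.0)"
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5; rv:1.9) Gecko/2009"

# Request profiles compared against the baseline (no Referer, generic UA).
# The search-engine referers are the ones the quoted reports name; the
# "ua:mac" profile covers payload selection by client platform.
PROFILES = {
    "baseline": {"User-Agent": GENERIC_UA},
    "referer:google": {"User-Agent": GENERIC_UA,
                       "Referer": "http://www.google.com/search?q=probe"},
    "referer:yahoo": {"User-Agent": GENERIC_UA,
                      "Referer": "http://search.yahoo.com/search?p=probe"},
    "ua:mac": {"User-Agent": MAC_UA,
               "Referer": "http://www.google.com/search?q=probe"},
}
REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers):
    """Real fetcher: one request, no redirect following; returns (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, dict(err.headers)


def follow_chain(url, headers, fetch, max_hops=10):
    """Return the list of URLs visited, hop by hop, following Location headers.
    The same headers (Referer included) are replayed on every hop, as a
    browser arriving from a search result would effectively do."""
    chain = [url]
    for _ in range(max_hops):  # bounded so a redirect loop cannot hang the probe
        status, hdrs = fetch(url, headers)
        hdrs = {k.lower(): v for k, v in hdrs.items()}
        location = hdrs.get("location")
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)
        chain.append(url)
    return chain


def probe_cloaking(url, fetch=http_fetch):
    """Probe `url` under every profile; it is cloaked if any profile ends
    somewhere other than where the baseline visit ends."""
    chains = {name: follow_chain(url, hdrs, fetch) for name, hdrs in PROFILES.items()}
    baseline_end = chains["baseline"][-1]
    divergent = sorted(name for name, chain in chains.items() if chain[-1] != baseline_end)
    return {"url": url, "chains": chains, "divergent": divergent, "cloaked": bool(divergent)}


def make_fake_fetch():
    """Constructed stand-in for http_fetch that behaves like the sites in the
    reports: a search-engine Referer triggers a 302 chain to a 'scanner' page,
    and the scanner picks its download by User-Agent. Any other URL is clean."""
    search_referers = ("google.", "yahoo.", "live.com", "altavista.", "baidu.")

    def fetch(url, headers):
        referer = headers.get("Referer", "")
        ua = headers.get("User-Agent", "")
        if url.startswith("http://compromised.example/"):
            if any(s in referer for s in search_referers):
                return 302, {"Location": "http://redirector.example/go"}
            return 200, {"Content-Type": "text/html"}  # plain visit: normal page
        if url == "http://redirector.example/go":
            return 302, {"Location": "http://scanner.example/scan.php"}
        if url == "http://scanner.example/scan.php":
            payload = "mac.dmg" if "Macintosh" in ua else "setup.exe"
            return 302, {"Location": "/download/" + payload}  # relative Location
        return 200, {"Content-Type": "application/octet-stream"}
    return fetch


if __name__ == "__main__":
    result = probe_cloaking("http://compromised.example/index.html", make_fake_fetch())
    for name, chain in result["chains"].items():
        print(f"{name:15s} -> {' -> '.join(chain)}")
    print("cloaked:", result["cloaked"], "divergent profiles:", result["divergent"])
```

Against a live site, call `probe_cloaking(url)` with the default fetcher; a result with `cloaked` set and only the referer profiles diverging is the referrer-gated pattern from the reports, while divergence on the `ua:mac` profile alone points at platform-specific payload selection. Replaying the same Referer on every hop is deliberate: the intermediate redirectors in these campaigns can gate on it too, and a probe that drops it after the first hop would see a shorter chain than a real victim.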
 