Search Engine poisoning...


60 replies to this topic

#1 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 12 March 2009 - 02:58 AM

FYI...

Yahoo! sponsored search results lead to rogues
* http://preview.tinyurl.com/db25xj
03-10-2009 - Symantec Security Response Blog - "Search engines are often used by attackers as platforms from which to deliver malicious code. A while ago it was reported that Google was serving up advertisements that led to misleading applications (also known as rogue antispyware products). This time, the malicious code authors are using “Yahoo! Sponsored Search” listings as a means to promote a misleading product called ”Antivirus & Security.” Antivirus-2009-new .com and Antivirus-pro-download .com are returned in Yahoo!... The sponsored search result leads to antivirus-2009-new .com and antivirus-pro-download .com, where users are asked to make a payment to buy a membership in order to obtain the product.
>>> Instead of using techniques like search engine optimization (SEO) poisoning to get the top listing in the search engine results, attackers are using Yahoo’s advertising services to display their advertisement on all websites that display Yahoo’s sponsored search results...
Fortunately, these sponsored listings have since been cleaned up, and websites that display sponsored search results from Yahoo no longer appear to be displaying these misleading advertisements. However, links to this website in forum comments and other website pages can still be found. A Yahoo search returned around 9,000 results and a Google search returned around 5,000 results when searching for “antivirus-2009-new .com.” For “antivirus-pro-download .com,” Yahoo returned around 10,000 results and Google returned around 1,650 results..."

(Screenshots available at the Symantec URL* above.)

:rant2: :ph34r:

Edited by AplusWebMaster, 12 March 2009 - 03:08 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster


Posted 16 March 2009 - 12:56 PM

FYI...

March Madness-related SEO poisoning leads to rogue AV
- http://securitylabs....lerts/3322.aspx
03.16.2009 - "Websense... has received reports that searching for March Madness-related terms in Google's search engine returns results that lead to rogue antivirus software. March Madness is the term given to an elimination tournament held each spring featuring college basketball teams in the United States.
With only a few days left before the tournament starts, if a user searches for popular March Madness-related terms in Google, malicious URLs as high as the -first- result are returned. Search terms that currently exist within the Top 10 of Google's Hot Trends (the most popular search results) return these malicious URLs. If a user clicks through these links (such as hxxp ://[removed].de/news/nit_bracket_2009 .html) they are redirected, via JavaScript code, to a Web site advising the user that their machine is infected. The rogue AV Web site encourages the user to install a file called install.exe. The technique of search engine optimization (SEO) poisoning pushes the infected URLs to the top of the search results, to increase the likelihood of a user clicking through to the malicious link. Ask.com is also confirmed to be affected in this way. Other search engines may be affected in a similar manner..."

(Screenshots available at the Websense URL above.)

:ph34r: :angry: :ph34r:



#3 AplusWebMaster


Posted 22 April 2009 - 05:42 PM

FYI...

SEO campaign serving scareware
- http://ddanchev.blog...gn-serving.html
April 22, 2009 - "... yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software. Later on Google detected the campaign and removed all the blackhat SEO farms from its index, which during the time of assessment were close to a hundred domains with hundreds of subdomains, and thousands of pages within... It's worth pointing out that this very latest campaign is directly related to last week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains, and serving the same malware. Who's behind these search engine poisoning attacks? A Ukrainian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic... Once the user visits any of the domains within the portfolio, with a referrer check confirming he used a search engine to do so, two JavaScripts load, one dynamically redirecting to the portfolio of fake security software, and the other logging the visit using a Ukrainian web site counter service..."

(More detail available at the URL above.)

:ph34r: <_< :ph34r:



#4 AplusWebMaster


Posted 27 April 2009 - 08:11 AM

FYI...

Swine Flu SEO...
- http://www.f-secure....s/00001668.html
April 27, 2009 - "Swine Flu is in the news worldwide and search trends are spiking in North America... We're seeing lots of domains being registered. Here's a list of the ones registered over the weekend*... No malware sites - yet. But plenty of them are opportunistic... Click on the "Add to Cart" button at noswineflu .com and you'll be asked to buy a PDF file called "Swine Flu Survival Guide" for $19.95..."
* http://www.f-secure....flu_domains.txt

:ph34r:



#5 AplusWebMaster


Posted 03 May 2009 - 03:20 PM

Warning: We strongly suggest that readers NOT visit websites on this list. They all have a history of covert hacks, redirecting the browser to drive-by-malware installations, and should be considered dangerous and capable of infecting and causing damage to your system with exploits, spyware, trojans, viruses, and the like.

Advisories provided by Google:

18dd.net - http://google.com/sa...?site=18dd.net/
"... this site has hosted malicious software over the past 90 days. It infected 2928 domain(s)..."
3322.org - http://google.com/sa...?site=3322.org/
"... Of the 1259 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 24233 scripting exploit(s), 2443 exploit(s), 1095 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 25 domain(s)..."
5252.ws - http://google.com/sa...c?site=5252.ws/
"...this site has hosted malicious software over the past 90 days. It infected 126 domain(s)..."
8800.org - http://google.com/sa...?site=8800.org/
"... Of the 1631 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-02, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 296 exploit(s), 140 scripting exploit(s), 100 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 7 domain(s)..."
8866.org - http://google.com/sa...?site=8866.org/
"...Of the 572 pages we tested on the site over the past 90 days, 97 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 2195 scripting exploit(s), 848 exploit(s), 845 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 28 domain(s)..."
ifastnet.com - http://google.com/sa...e=ifastnet.com/
"... Of the 2956 pages we tested on the site over the past 90 days, 177 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 163 trojan(s), 108 scripting exploit(s), 15 adware(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 60 domain(s)..."
xprmn4u.info - http://google.com/sa...e=xprmn4u.info/
"... Malicious software includes 144 scripting exploit(s), 65 trojan(s). This site was hosted on 1 network(s)..."
yl18.net - http://google.com/sa...?site=yl18.net/
"... this site has hosted malicious software over the past 90 days. It infected 120 domain(s)..."

Note: This is NOT a complete list, but you should get the idea...

:ph34r: <_< :ph34r:



#6 AplusWebMaster


Posted 08 May 2009 - 05:04 AM

FYI...

Swine Flu SEO spreads malware
- http://securitylabs....lerts/3393.aspx
05.08.2009 - "... most of the sites are used for advertisement or email/web spam to sell their products, but of course, the topic also offers plenty of opportunity for malware. We discovered that some Web sites are using the swine flu topic to spread malware. Interestingly, the sites we found are the type that only redirect users to a malicious Web site when they access the site through certain search engines. The targeted search engines are the most popular such as Google, Yahoo, and AOL. When a user searches using swine flu-related search terms, the malicious sites are returned as high as the fifth result on Google. The malicious Web site that is redirected is typical: it asks the user to install a missing codec to watch a video, and the download codec is a Trojan Downloader. Until now, these kinds of sites just used hot topics to attract users; we suspect that they will use more advanced SEO techniques to infect more users in the future..."

(Screenshots available at the URL above.)

:ph34r: :ph34r:



#7 AplusWebMaster


Posted 27 May 2009 - 04:01 PM

FYI...

Most Dangerous Search...
- http://preview.tinyurl.com/punx42
2009-05-27 Eweek.com - "... McAfee* researched more than 2,600 popular keywords, as defined by Google Zeitgeist and other sources. The words were ranked by maximum risk, which was determined by the maximum percentage of malicious sites a user would encounter on a single page of search results. According to the company, "screensavers" was found to be especially dangerous, garnering a maximum risk of 59.1 percent. The word "lyrics" came in second with a maximum risk factor of one in two. Surprisingly, searches using the word Viagra—a word that makes its way into more than a few spam e-mails—yielded the fewest risky sites, McAfee reported. Clicking on results that contain the word "free" brings a 21.3 percent chance of infecting your PC, according to McAfee's calculations. Those interested in telecommuting don't fare much better—results with the phrase "work from home" were found to be four times riskier than the average risk of all popular terms. Security vendors have noted the trend of hackers poisoning search engine results a number of times this year, most recently with the Gumblar attacks. In that case, victims were infected with malware that, when the victim performed a subsequent Google search, replaced the results with links leading to malicious pages..."
* http://newsroom.mcaf...article_id=3526
May 27, 2009

:ph34r: :ph34r:



#8 AplusWebMaster


Posted 05 June 2009 - 07:17 PM

FYI...

Blackhat SEO
- http://preview.tinyurl.com/qn3f63
Pandalabs - UPDATE - 6/04/09 - "16,000 new malicious links have appeared in Google over the last 24 hours targeting the phrase "TV Online". The malicious site appears to be a video viewing website. It will prompt you to download and install a codec.exe file, which of course is a malicious file. Knowing that this link wouldn’t be the only one, we started researching the domains and keywords being targeted and here is what we found:
Keywords:
16,000 links targeting "TV Online"
16,000 links targeting “YouTube”
10,500 links targeting "France" (Airline Crash)
8,930 links targeting "Microsoft" (Project Natal)
3,380 links targeting "E3"
2,900 links targeting "Eminem" (MTV Awards/Bruno Incident)
2,850 links targeting “Sony”
The sites are all hosted via Lycos Tripod, which is a free web host. This allows the cyber criminals to create thousands of free sites to take advantage of the Blackhat SEO and then simply redirect the free sites to just a handful of their own servers.
Blackhat SEO is definitely one of the most prevalent threat distribution methods today. We expect to see several more examples of this type of attack throughout the year, so be especially careful when searching for breaking news stories..."

:ph34r: <_<



#9 AplusWebMaster


Posted 16 June 2009 - 10:59 AM

FYI...

Google search abused - again
- http://blog.trendmic...feature-abused/
June 15, 2009 - "A recent set of SPAM emails were seen abusing yet another Google search feature... The URL in the spam email above uses the search feature q=site: in order to direct the user clicking on the link to a Google results page returning the spam site... What works in the spammers' advantage is Google displays the first few lines of the web page, and that may be enough to entice some users to continue and click the link... It should be noted that spammers heavily used Google’s “I’m feeling lucky” feature late last year on their spam campaigns..." (Screenshots available at the URL above.)

"I don't feel so lucky anymore..."


:ph34r: <_<

Edited by AplusWebMaster, 16 June 2009 - 10:59 AM.



#10 AplusWebMaster


Posted 26 June 2009 - 05:42 AM

FYI...

Blackhat SEO quick to abuse death of celebrities
- http://blog.trendmic...-fawcett-death/
June 25, 2009 - "Cybercriminals take the low road once again as they pepper the Internet with blackhat SEO links that are likely to attract users searching for news... Not long after news of Farrah Fawcett’s passing hit mainstream news, singer/entertainer Michael Jackson likewise meets an untimely death. Users are advised to exercise extreme caution in searching for related news and information surrounding the deaths of these celebrities... Users who have the misfortune of coming across “System Security Antivirus” are advised to run their legitimate antivirus if this makes an appearance on their system."

- http://isc.sans.org/...ml?storyid=6646
Last Updated: 2009-06-26 01:19:23 UTC

:ph34r: :ph34r:




#11 AplusWebMaster


Posted 27 July 2009 - 02:29 PM

FYI...

Rumors of Emma Watson's death leading to Rogue AV sites
- http://securitylabs....lerts/3450.aspx
07.27.2009 - "Websense... has discovered that a rumor claiming that the actress Emma Watson, made famous by the Harry Potter series of movies, died on the scene of a fatal car collision is spreading rogue AV sites on the Internet. The rumor itself is spreading rapidly through social networks such as Twitter. The attackers have targeted the Google search engine via the Search Engine Optimization (SEO) poisoning technique: when a user searches for terms related to Emma Watson's death, the fake AV sites are returned as high as the fifth result on Google..."

(Screenshot available at the URL above.)

:ph34r: <_< :ph34r:



#12 AplusWebMaster


Posted 21 August 2009 - 06:13 AM

FYI...

Free Online Movie Blogs... Trojan for Windows and Mac
- http://www.symantec....windows-and-mac
August 20, 2009 - "We have recently observed that attackers are actively exploiting new movie releases to distribute malware. The general practice is to host a blog on a (relatively) reputable site, which in actual fact redirects users to a malicious website hosting malware. The movie “Obsessed” was released in April 2009 and in order to watch it online for free, users might search for a phrase that includes keywords such as movie, free, video, online, watch, etc.—along with the movie’s name... The first search result we received was from digg.com. The digg.com page that was listed is flooded with the keywords related to the movie... However, when a user clicks on the link it redirects to a blog hosted on blogspot.com... Then, once the user clicks on an image that appears to be a video player window, it redirects to a codec download. Unfortunately this turns out to be a fake codec. More investigation revealed that blogspot .com has been abused by attackers with multiple, similarly styled posts... These blogs usually contain a link that redirects users to malicious sites using multiple redirections. This enables cybercriminals to continually change the site that finally delivers the malware. Interestingly enough, the malicious site to which users are being redirected is serving malware for Windows as well as for Mac OS. This is based on the user-agent string of the browser. For a Windows browser agent it delivers a Trojan intended for the Windows operating system, and for a Mac OS browser agent it delivers a Trojan for the Mac operating system... Symantec antivirus products detect this threat as Trojan.Fakeavalert for Windows and as OSX.RSPlug.A for Mac OS. Users should be aware of these social engineering techniques and should use caution when visiting any such sites..."

(Screenshots available at the URL above.)

:ph34r: :ph34r:



#13 AplusWebMaster


Posted 05 September 2009 - 04:14 AM

FYI...

Labor Day - SEO Poisoning leads to Rogue Antivirus
- http://securitylabs....lerts/3471.aspx
09.04.2009 - "Websense... has detected that Google searches on terms related to Labor Day sales return results that lead to rogue antivirus software. Labor Day is one of the biggest holidays observed in the US each year. Retail sales events held during this weekend are some of the most anticipated throughout the country. When Google is used to search for terms related to Labor Day sales, malicious URLs as high as the first result are returned. Upon clicking an affected search-result link, JavaScript code redirects the user to a Web site advising them that their machine is infected with viruses. It then proceeds to offer free (rogue/fake) AV software. AOL and ASK.com are also affected in a similar way..."

(Screenshots available at the URL above.)

:ph34r: :( :ph34r:



#14 AplusWebMaster


Posted 25 September 2009 - 06:28 AM

FYI...

SEO poisoning - Ann Minch's YouTube video
- http://securitylabs....lerts/3482.aspx
09.24.2009 - "Websense... has discovered rogue antivirus sites returned by Google searches on Ann Minch. Ann Minch launched a one-woman "Debtors Revolt" against her bank for an unjustified APR increase on her credit card. She posted a video on YouTube two weeks ago sharing her thoughts. Her video made a huge splash and was viewed over a quarter of a million times. When searching for Ann Minch and related terms in Google, rogue antivirus sites, ranked as high as top match, can be returned. These sites lead to fake antivirus pages which claim your computer requires an immediate antivirus scan and prompt you to download malicious files. These files have very low AV detection*..."
* http://www.virustota...489f-1253761961
File 549170E10037D51580D70240C1E1C6001E217750.exe received on 2009.09.24 03:12:41 (UTC)
Result: 1/41 (2.44%)

(Screenshots available at the Websense URL above.)

:ph34r: <_< :ph34r:



#15 AplusWebMaster


Posted 28 September 2009 - 03:34 PM

FYI...

iPhone Blackhat SEO Poisoning Leads to Total Security Rogue Antivirus
- http://securitylabs....Blogs/3483.aspx
09.28.2009 - "Websense... has detected that Google searches on terms related to iPhone SMS information are returning results that lead to rogue antivirus software. The Apple iPhone is one of the most popular smart phones on the market, and it's quite typical for users to google for information relating to SMS and other features of the iPhone. When Google is used to search for terms related to iPhone SMS information, malicious URLs are returned as high as the sixth result. When a user clicks an affected search-result link, they are redirected to a Web site advising that their machine is infected with malicious threats. It then proceeds to offer rogue or fake AV software... If a user clicks on a link controlled by attackers in this scheme, they are redirected through a series of sites via 302 redirects. The final landing page attempts a scareware technique of warning the user that they have been infected with malware and must clean their system. The user is then prompted to download fake antivirus software... The use of Blackhat SEO leading to Rogue AV will only increase in the upcoming year. This scare tactic has proved to be a very successful method of social-engineering users into installing software onto their computers and tricking them into paying for it..."

(Screenshots available at the URL above.)

:ph34r: :ph34r:

