Topic: Google search malware attack in progress  (Read 34710 times)
« Reply #30 on: November 24, 2008, 07:24:20 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 7319



FYI...

Bogus ‘HouseCall’ Search Results Lead to Adware
- http://blog.trendmicro.com/bogus-housecall-search-results-lead-to-adware/
Nov. 23, 2008 - "Given the popularity of Trend Micro’s free online scanner HouseCall, it shouldn’t be a surprise that hackers are now trying to exploit it for their benefit... found this unwelcome search result that comes up when a user searches for “free online virus scan by Trend Micro” in Google... Not surprisingly, the system scanning is completely fake. In actuality, the page linked to in the initial resulting Google search - along with other pages from the same domain - all point to a file detected by Trend Micro as ADW_FAKEAV. This is the software that tries to dupe victims into believing that their systems are infected with some sort of bogus malware and then prompts them to pay for a full license of a fake antivirus application in order to remove the fake threat. ADW_FAKEAV also connects to a remote website and downloads another adware program detected as ADW_FAKEAV.O, so in this entire process, victims are exposed to more adware threats... This would not be the first time our products’ names were used in malicious operations..."

(Screenshot available at the URL above.)


This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #31 on: December 24, 2008, 03:53:52 »
AplusWebMaster Offline

FYI...

Fake antivirus peddlers... using redirects
- http://preview.tinyurl.com/7khzp9
12/24/2008 (Networkworld.com) - "... Over the past four days the scammers have used so-called redirector links on Web sites belonging to magazines, universities and, most remarkably, the Microsoft.com and IRS.gov domains, said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham, who first reported the activity on his blog* Tuesday. Many Web sites use redirector links to take visitors away from the site, although the Web site operators try to stop them from being misused by scammers... If criminals can use a redirector on a major Web site like Microsoft.com or IRS.gov, however, they can make their malicious links pop up very high in Google search results... The FTC estimates that 1 million consumers were taken in by other fake antivirus products which go by names such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus... the scammers behind this latest operation may be connected to the earlier scams..."
* http://garwarner.blogspot.com/2008/12/more-than-1-million-ways-to-infect-your.html
December 23, 2008 - "An unknown hacker has been on a Search Engine Optimization rampage to flood search engines with more than a million ways to infect yourself with his virus... You can review the coverage on "install.exe" on VirusTotal.com**... where only 5 of 37 antivirus products were able to identify the file as malware...
UPDATE!
Microsoft has closed the Open Redirector which was being abused... Clicking one of the Microsoft pages indicated in the Google search... will now take you to a safe page stating that the page was not found, and then forwarding you to a Microsoft search page. Thanks to Microsoft for such a quick response once the problem was pointed out to them."
** http://www.virustotal.com/analisis/5360054b5e2f7c54a81de81583e36fa0

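The articles quoted in Reply #31 turn on open redirectors: a URL on a trusted site that forwards the visitor to whatever target is named in the link. As an added example (not code from the forum post or the quoted articles), here is one way a site operator can restrict such an endpoint to same-site paths and an allowlist of hosts, falling back to a safe page otherwise. The host names, the fallback path and the function name are assumptions.

```python
from urllib.parse import urlsplit

# Assumed values for a hypothetical site; not taken from the quoted articles.
ALLOWED_HOSTS = {"www.example.org", "support.example.org"}
FALLBACK = "/not-found"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return raw if it is a same-site path or an allowlisted https URL, else fallback."""
    # Reject empty input, whitespace/control characters and backslashes:
    # browsers normalise these in ways that differ from urlsplit().
    if not raw or any(ord(ch) <= 0x20 or ch == "\\" for ch in raw):
        return fallback
    try:
        parts = urlsplit(raw)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback

    # Same-site path: no scheme, no host, and exactly one leading slash.
    # "//host/path" is scheme-relative and would leave the site.
    if not parts.scheme and not parts.netloc:
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return fallback

    if parts.scheme != "https":
        return fallback
    # "https://trusted@other-host/" puts the trusted name in the userinfo part.
    if parts.username is not None or parts.password is not None:
        return fallback
    # Exact host match only; a suffix test would accept look-alike subdomains.
    host = (parts.hostname or "").lower().rstrip(".")
    return raw if host in allowed_hosts else fallback
```
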
« Reply #32 on: January 07, 2009, 10:34:54 »
AplusWebMaster Offline

FYI...

- http://www.viruslist.com/en/weblog?weblogid=208187615
January 05, 2009 - "Drive-by downloads became increasingly common in 2008. With webmasters becoming more aware of security issues, the criminals out there are always looking for new techniques to ensure that their malware survives longer... The malware writers start by doing Google searches to identify popular websites. The most popular sites thrown up by each search are then ‘pen-tested’ for vulnerabilities. The most vulnerable websites are then compromised and in order to cover their tracks, malware writers aren’t adding code to these compromised pages in the form of new files or even obfuscated code. Instead, they’re simply modifying scripts that are already running on the compromised pages... it’s not just websites which have been optimized to achieve high search rankings that are being used; the criminals are also targeting some security sites... Compromising websites optimized for search engine success and infecting users through a series of malicious re-directs is bound to be a popular attack vector in 2009 and will undoubtedly cause webmasters new headaches. This case just goes to show that nothing on the Internet is as safe as it might seem. And it’s not just Google that’s affected – I tested this attack scenario using Yahoo! and MSN, and the results were the same..."

« Reply #33 on: January 18, 2009, 13:53:24 »
AplusWebMaster Offline

FYI...

- http://sunbeltblog.blogspot.com/2009/01/new-google-adwords-phishing-run.html
January 18, 2009 - "Google Adwords phishes have been quiet for a while, but now they’re back. Unlike most of the other Google Adwords runs, these are not using .cn TLDs, instead ones like Burkina Faso and EU (.be and .eu)... All fast flux... And all appear to have been registered with Tucows..."

(Screenshots available at the URL above.)

« Reply #34 on: February 02, 2009, 05:39:47 »
AplusWebMaster Offline

FYI...

- http://blog.trendmicro.com/google-video-searches-being-poisoned/
Feb. 1, 2009 - "... new blackhat SEO poisoning makes clear that online search tools are quickly becoming favorite platforms for online criminals in their operations. Search traffic on Google Video was found to be polluted: instead of legitimate videos researchers found some 400,000 queries returning video results that have a single redirection point, and one that eventually leads to malware download and execution.
Trend Micro detects the malicious executable as WORM_AQPLAY.A. This worm - file name FlashPlayer.v3.181.exe and from that alone one can already guess the social engineering strategy - spreads via removable and network drives when autorun is enabled. It masquerades as an Adobe Flash installer, which users who visit certain spoofed versions of video streaming websites are prompted to download and install. What’s more interesting here is how users get to these spoofed websites in the first place. Researchers believe that the gang behind this threat is maintaining a notable number of domains for their malicious operations. These domains have keyword-riddled pages, so they appear on top of search results when users enter certain related strings. A user, thinking that top search results are reliable, is then unknowingly trapped into visiting a malicious website. This is typical of most SEO poisoning attacks, but it does not end there. This new threat also comes with a detection-evasion technique: only users who are redirected from Google Video are prompted to download FlashPlayer.v3.181.exe.
Blackhat SEO threats take advantage of the trust users put on online search tools. Through this method cybercriminals are able to manipulate results such that malicious websites appear first on search lists..."

« Reply #35 on: April 22, 2009, 15:44:32 »
AplusWebMaster Offline

FYI...

SEO campaign serving scareware
- http://ddanchev.blogspot.com/2009/04/massive-blackhat-seo-campaign-serving.html
April 22, 2009 - "... yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software. Later on Google detected the campaign and removed all the blackhat SEO farms from its index, which during the time of assessment were close to a hundred domains with hundreds of subdomains, and thousands of pages within... It's worth pointing out that this very latest campaign is directly related to last week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains, and serving the same malware. Who's behind these search engine poisoning attacks? A Ukrainian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic... Once the user visits any of the domains within the portfolio, with a referrer check confirming he used a search engine to do so, two javascripts load, one dynamically redirecting to the portfolio of fake security software, and the other logging the visit using a Ukrainian web site counter service..."

(More detail available at the URL above.)

« Reply #36 on: April 27, 2009, 06:13:10 »
AplusWebMaster Offline

FYI...

Swine Flu SEO...
- http://www.f-secure.com/weblog/archives/00001668.html
April 27, 2009 - "Swine Flu is in the news worldwide and search trends are spiking in North America... We're seeing lots of domains being registered. Here's a list of the ones registered over the weekend*... No malware sites - yet. But plenty of them are opportunistic... Click on the "Add to Cart" button at noswineflu .com and you'll be asked to buy a PDF file called "Swine Flu Survival Guide" for $19.95..."
* http://www.f-secure.com/weblog/archives/swineflu_domains.txt

« Reply #37 on: May 03, 2009, 13:24:01 »
AplusWebMaster Offline

Warning: We strongly suggest that readers NOT visit websites on this list. They all have a history of covert hacks, redirecting the browser to drive-by-malware installations, and should be considered dangerous and capable of infecting and causing damage to your system with exploits, spyware, trojans, viruses, and the like.

Advisories provided by Google:

18dd.net - http://google.com/safebrowsing/diagnostic?site=18dd.net/
"... this site has hosted malicious software over the past 90 days. It infected 2928 domain(s)..."
3322.org - http://google.com/safebrowsing/diagnostic?site=3322.org/
"... Of the 1259 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 24233 scripting exploit(s), 2443 exploit(s), 1095 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 25 domain(s)..."
5252.ws - http://google.com/safebrowsing/diagnostic?site=5252.ws/
"...this site has hosted malicious software over the past 90 days. It infected 126 domain(s)..."
8800.org - http://google.com/safebrowsing/diagnostic?site=8800.org/
"... Of the 1631 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-02, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 296 exploit(s), 140 scripting exploit(s), 100 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 7 domain(s)..."
8866.org - http://google.com/safebrowsing/diagnostic?site=8866.org/
"...Of the 572 pages we tested on the site over the past 90 days, 97 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 2195 scripting exploit(s), 848 exploit(s), 845 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 28 domain(s)..."
ifastnet.com - http://google.com/safebrowsing/diagnostic?site=ifastnet.com/
"... Of the 2956 pages we tested on the site over the past 90 days, 177 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 163 trojan(s), 108 scripting exploit(s), 15 adware(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 60 domain(s)..."
xprmn4u.info - http://google.com/safebrowsing/diagnostic?site=xprmn4u.info/
"... Malicious software includes 144 scripting exploit(s), 65 trojan(s). This site was hosted on 1 network(s)..."
yl18.net - http://google.com/safebrowsing/diagnostic?site=yl18.net/
"... this site has hosted malicious software over the past 90 days. It infected 120 domain(s)..."

Note: This is NOT a complete list, but you should get the idea...

« Last Edit: May 08, 2009, 03:08:15 by AplusWebMaster »
« Reply #38 on: May 08, 2009, 03:09:34 »
AplusWebMaster Offline

FYI...

Swine Flu SEO spreads malware
- http://securitylabs.websense.com/content/Alerts/3393.aspx
05.08.2009 - "... most of the sites are used for advertisement or email/web spam to sell their products, but of course, the topic also offers plenty of opportunity for malware. We discovered that some Web sites are using the swine flu topic to spread malware. Interestingly, the sites we found are the type that only redirect users to a malicious Web site when they access the site through certain search engines. The targeted search engines are the most popular such as Google, Yahoo, and AOL. When a user searches using swine flu-related search terms, the malicious sites are returned as high as the fifth result on Google. The malicious Web site that is redirected is typical: it asks the user to install a missing codec to watch a video, and the download codec is a Trojan Downloader. Until now, these kinds of sites just used hot topics to attract users; we suspect that they will use more advanced SEO techniques to infect more users in the future..."

(Screenshots available at the URL above.)

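The Trend Micro, Dancho Danchev and Websense reports quoted in Replies #34, #35 and #38 all describe pages that redirect only visitors arriving from a search engine, so a webmaster who opens the page directly sees nothing wrong. As an added example (not code from the forum posts or the quoted reports), this check requests a page with and without search-engine Referer headers and reports any difference. The `fetch` callable, the Referer values and the fake responses are constructed assumptions, so the block runs offline.

```python
import hashlib
from urllib.parse import urlsplit

# Referer values a visitor coming from a results page would send (constructed).
SEARCH_REFERERS = {
    "google": "https://www.google.com/search?q=example",
    "yahoo": "https://search.yahoo.com/search?p=example",
    "aol": "https://search.aol.com/aol/search?q=example",
}


def fingerprint(response):
    """Reduce a (status, headers, body) response to comparable fields."""
    status, headers, body = response
    location = headers.get("Location", "")
    return {
        "status": status,
        "redirect_host": urlsplit(location).hostname or "",
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }


def check_referrer_cloaking(url, fetch, referers=SEARCH_REFERERS):
    """List each Referer for which the response differs from a direct visit.

    fetch(url, headers) is an assumed HTTP client wrapper returning
    (status, headers, body) and must NOT follow redirects.
    """
    first = fingerprint(fetch(url, {}))
    second = fingerprint(fetch(url, {}))
    # Dynamic pages change on every request, so only compare bodies when
    # two direct visits produced identical content.
    fields = ["status", "redirect_host"]
    if first["body_sha256"] == second["body_sha256"]:
        fields.append("body_sha256")

    findings = []
    for name, referer in referers.items():
        seen = fingerprint(fetch(url, {"Referer": referer}))
        changed = [f for f in fields if seen[f] != first[f]]
        if changed:
            findings.append({"referer": name, "changed": changed,
                             "redirect_host": seen["redirect_host"]})
    return findings


def fake_compromised_fetch(url, headers):
    """Constructed stand-in for a page that redirects only Google visitors."""
    if "google." in headers.get("Referer", ""):
        return 302, {"Location": "https://landing.example.invalid/scan"}, b""
    return 200, {}, b"<html>normal page</html>"


def fake_clean_fetch(url, headers):
    """Constructed stand-in for a page that ignores the Referer header."""
    return 200, {}, b"<html>normal page</html>"
```

A real `fetch` should also vary the User-Agent between runs, since the same reports note that these pages are selective about who sees the redirect.
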
« Reply #39 on: June 05, 2009, 17:14:54 »
AplusWebMaster Offline

FYI...

- http://preview.tinyurl.com/qn3f63
Pandalabs - UPDATE - 6/04/09 - "16,000 new malicious links have appeared in Google over the last 24 hours targeting the phrase "TV Online". The malicious site appears to be a video viewing website. It will prompt you to download and install a codec.exe file, which of course is a malicious file. Knowing that this link wouldn’t be the only one, we started researching the domains and keywords being targeted and here is what we found:
Keywords:
16,000 links targeting "TV Online"
16,000 links targeting “YouTube”
10,500 links targeting "France" (Airline Crash)
 8,930 links targeting "Microsoft" (Project Natal)
 3,380 links targeting "E3"
 2,900 links targeting "Eminem" (MTV Awards/Bruno Incident)
 2,850 links targeting “Sony”
The sites are all hosted via Lycos Tripod, which is a free web host. This allows the cyber criminals to create thousands of free sites to take advantage of the Blackhat SEO and then simply redirect the free sites to just a handful of their own servers.
Blackhat SEO is definitely one of the most prevalent threat distribution methods today. We expect to see several more examples of this type of attack throughout the year, so be especially careful when searching for news breaking stories..."

« Reply #40 on: June 09, 2009, 04:49:56 »
AplusWebMaster Offline

FYI...

More Blackhat SEO "scareware" campaigns
- http://ddanchev.blogspot.com/2009/06/fake-web-hosting-provider-front-end-to.html
June 08, 2009 - "... they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered - CAPTCHA recognition outsourced - Blogspot accounts since February, 2009... Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407; VELCOM .com which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason."

(Screenshots and more detail available at the URL above.)

« Reply #41 on: June 16, 2009, 09:01:22 »
AplusWebMaster Offline

FYI...

Google search abused - again
- http://blog.trendmicro.com/another-google-search-feature-abused/
June 15, 2009 - "A recent set of SPAM emails were seen abusing yet another Google search feature... The URL in the spam email above uses the search feature q=site: in order to direct the user clicking on the link to a Google results page returning the spam site... What works in the spammers' advantage is Google displays the first few lines of the web page, and that may be enough to entice some users to continue and click the link... It should be noted that spammers heavily used Google’s “I’m feeling lucky” feature late last year on their spam campaigns..." (Screenshots available at the URL above.)

"I don't feel so lucky anymore..."


« Reply #42 on: July 27, 2009, 12:31:37 »
AplusWebMaster Offline

FYI...

Rumors of Emma Watson's death leading to Rogue AV sites
- http://securitylabs.websense.com/content/Alerts/3450.aspx
07.27.2009 - "Websense... has discovered that a rumor claiming that the actress Emma Watson, made famous by the Harry Potter series of movies, died on the scene of a fatal car collision is spreading rogue AV sites on the Internet. The rumor itself is spreading rapidly through social networks such as Twitter. The attackers have targeted the Google search engine via the Search Engine Optimization (SEO) poisoning technique: when a user searches for terms related to Emma Watson's death, the fake AV sites are returned as high as the fifth result on Google..."

(Screenshot available at the URL above.)

« Reply #43 on: October 29, 2009, 11:50:57 »
AplusWebMaster Offline

FYI...

Halloween rogue AV
- http://www.eset.com/threat-center/blog/2009/10/29/halloween-theres-something-scary-in-your-search-engine
October 29, 2009 - "... the fake/rogue AV gang have started on their Halloween special, and this time... it's the same old SEO (Search Engine Optimization) poisoning ploy... I'm looking through a list of keywords currently being used by a particularly prolific Black Hat SEO campaign which has been updated to reflect the sort of stuff that people – and certainly American people - are likely to be searching for at this time of year. I'm looking through a list of thousands of words and phrases, so I'm not going to list them all here... However, if you use common search engines like Google to look for terms like those above and a great many others, you're likely to find a lot of links at the top of the results lists that lead you to fake security software. This claims to find imaginary malware on your system, with the ultimate intention of defrauding you of money and possibly of harvesting your credit card details, for example..."

- http://blog.trendmicro.com/this-halloween-enjoy-the-treats-but-be-wary-of-online-tricks/
Oct. 30, 2009

« Last Edit: October 30, 2009, 03:24:55 by AplusWebMaster »
« Reply #44 on: October 31, 2010, 02:14:36 »
AplusWebMaster Offline

FYI...

Halloween SEO poisoning...
- http://www.eweek.com/c/a/Security/Hackers-Target-Halloween-Search-Terms-569624/
2010-10-30 - "Attackers are targeting people searching for last-minute ideas on Halloween costumes... CyberDefender identified a fake anti-virus Trojan downloader infecting pages that come up when searching for Halloween costumes. When users land on these infected pages, the fake anti-virus installer hijacks the user’s Web browser and initiates a malicious process, CyberDefender said. The infected PC becomes sluggish and slow-performing while exposing personal data, according to the company. One form, identified by Panda Labs*, displays a fake video player page and asks the user to download a codec in order to play the video. Popular search terms reflect what users are interested in at that time, making it a lucrative target. Criminals often create pages that are highly search engine optimized, with keywords reflecting currently popular search terms... Called SEO poisoning, hackers create these pages that Google and other search engines pick up thinking they are legitimate, and return them when users type in the search terms..."

* http://pandalabs.pandasecurity.com/malware-spreading-via-halloween-related-keywords/
"... top 5 most targeted phrases:
   1. Halloween costumes
   2. Halloween decorations
   3. Halloween ideas
   4. Adult Halloween costumes
   5. Free pumpkin pattern ..."
