
Search Engine poisoning...


59 replies to this topic

#1 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 12 March 2009 - 02:54 AM

FYI...

Yahoo! sponsored search results lead to rogues
* http://preview.tinyurl.com/db25xj
03-10-2009 - Symantec Security Response Blog - "Search engines are often used by attackers as platforms from which to deliver malicious code. A while ago it was reported that Google was serving up advertisements that led to misleading applications (also known as rogue antispyware products). This time, the malicious code authors are using “Yahoo! Sponsored Search” listings as a means to promote a misleading product called ”Antivirus & Security.” Antivirus-2009-new .com and Antivirus-pro-download .com are returned in Yahoo!... The sponsored search result leads to antivirus-2009-new .com and antivirus-pro-download .com, where users are asked to make a payment to buy a membership in order to obtain the product.
>>> Instead of using techniques like search engine optimization (SEO) poisoning to get the top listing in the search engine results, attackers are using Yahoo’s advertising services to display their advertisement on all websites that display Yahoo’s sponsored search results...
Fortunately, these sponsored listings have since been cleaned up, and all websites that display sponsored search results from Yahoo no longer appear to be displaying these misleading advertisements. However, links to this website in forum comments and other website pages can still be found. A Yahoo search returned around 9,000 results and a Google search returned around 5,000 results when searching for “antivirus-2009-new .com.” For “antivirus-pro-download .com,” Yahoo returned around 10,000 results and Google returned around 1,650 results..."

(Screenshots available at the Symantec URL* above.)


Edited by apluswebmaster, 12 March 2009 - 03:09 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 AplusWebMaster

Posted 16 March 2009 - 12:54 PM

FYI...

March Madness-related SEO poisoning leads To rogue AV
- http://securitylabs....lerts/3322.aspx
03.16.2009 - "Websense... has received reports that searching for March Madness-related terms in Google's search engine returns results that lead to rogue antivirus software. March Madness is the term given to an elimination tournament held each spring featuring college basketball teams in the United States.
With only a few days left before the tournament starts, if a user searches for popular March Madness-related terms in Google, malicious URLs as high as the -first- result are returned. Search terms that currently exist within the Top 10 of Google's Hot Trends (the most popular search results) return these malicious URLs. If a user clicks through these links (such as hxxp ://[removed].de/news/nit_bracket_2009 .html) they are redirected, via Javascript code, to a Web site advising the user that their machine is infected. The rogue AV Web site encourages the user to install a file called install.exe. The technique of search engine optimization (SEO) poisoning pushes the infected URLs to the top of the search results, to increase the likelihood of a user clicking through to the malicious link. Ask.com is also confirmed to be affected in this way. Other search engines may be affected in a similar manner..."

(Screenshots available at the Websense URL above.)


#3 AplusWebMaster

Posted 22 April 2009 - 05:41 PM

FYI...

SEO campaign serving scareware
- http://ddanchev.blog...gn-serving.html
April 22, 2009 - "... yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software. Later on Google detected the campaign and removed all the blackhat SEO farms from its index, which during the time of assessment were close to a hundred domains with hundreds of subdomains, and thousands of pages within... It's worth pointing out that this very latest campaign is directly related to last week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains, and serving the same malware. Who's behind these search engine poisoning attacks? A Ukrainian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic... Once the user visits any of the domains within the portfolio, with a referrer check confirming he used a search engine to do so, two javascripts load, one dynamically redirecting to the portfolio of fake security software, and the other logging the visit using a Ukrainian web site counter service..."

(More detail available at the URL above.)


#4 AplusWebMaster

Posted 27 April 2009 - 07:57 AM

FYI...

Swine Flu SEO...
- http://www.f-secure....s/00001668.html
April 27, 2009 - "Swine Flu is in the news worldwide and search trends are spiking in North America... We're seeing lots of domains being registered. Here's a list of the ones registered over the weekend*... No malware sites - yet. But plenty of them are opportunistic... Click on the "Add to Cart" button at noswineflu .com and you'll be asked to buy a PDF file called "Swine Flu Survival Guide" for $19.95..."
* http://www.f-secure....flu_domains.txt


#5 AplusWebMaster

Posted 03 May 2009 - 03:18 PM

Warning: We strongly suggest that readers NOT visit websites on this list. They all have a history of covert hacks, redirecting the browser to drive-by-malware installations, and should be considered dangerous and capable of infecting and causing damage to your system with exploits, spyware, trojans, viruses, and the like.

Advisories provided by Google:

18dd.net - http://google.com/sa...?site=18dd.net/
"... this site has hosted malicious software over the past 90 days. It infected 2928 domain(s)..."
3322.org - http://google.com/sa...?site=3322.org/
"... Of the 1259 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 24233 scripting exploit(s), 2443 exploit(s), 1095 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 25 domain(s)..."
5252.ws - http://google.com/sa...c?site=5252.ws/
"...this site has hosted malicious software over the past 90 days. It infected 126 domain(s)..."
8800.org - http://google.com/sa...?site=8800.org/
"... Of the 1631 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-02, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 296 exploit(s), 140 scripting exploit(s), 100 trojan(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 7 domain(s)..."
8866.org - http://google.com/sa...?site=8866.org/
"...Of the 572 pages we tested on the site over the past 90 days, 97 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-03.
Malicious software includes 2195 scripting exploit(s), 848 exploit(s), 845 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 28 domain(s)..."
ifastnet.com - http://google.com/sa...e=ifastnet.com/
"... Of the 2956 pages we tested on the site over the past 90 days, 177 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-03, and the last time suspicious content was found on this site was on 2009-05-02.
Malicious software includes 163 trojan(s), 108 scripting exploit(s), 15 adware(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 60 domain(s)..."
xprmn4u.info - http://google.com/sa...e=xprmn4u.info/
"... Malicious software includes 144 scripting exploit(s), 65 trojan(s). This site was hosted on 1 network(s)..."
yl18.net - http://google.com/sa...?site=yl18.net/
"... this site has hosted malicious software over the past 90 days. It infected 120 domain(s)..."

Note: This is NOT a complete list, but you should get the idea...


#6 AplusWebMaster

Posted 08 May 2009 - 05:02 AM

FYI...

Swine Flu SEO spreads malware
- http://securitylabs....lerts/3393.aspx
05.08.2009 - "... most of the sites are used for advertisement or email/web spam to sell their products, but of course, the topic also offers plenty of opportunity for malware. We discovered that some Web sites are using the swine flu topic to spread malware. Interestingly, the sites we found are the type that only redirect users to a malicious Web site when they access the site through certain search engines. The targeted search engines are the most popular such as Google, Yahoo, and AOL. When a user searches using swine flu-related search terms, the malicious sites are returned as high as the fifth result on Google. The malicious Web site that is redirected is typical: it asks the user to install a missing codec to watch a video, and the download codec is a Trojan Downloader. Until now, these kinds of sites just used hot topics to attract users; we suspect that they will use more advanced SEO techniques to infect more users in the future..."

(Screenshots available at the URL above.)


#7 AplusWebMaster

Posted 27 May 2009 - 04:00 PM

FYI...

Most Dangerous Search...
- http://preview.tinyurl.com/punx42
2009-05-27 Eweek.com - "... McAfee* researched more than 2,600 popular keywords, as defined by Google Zeitgeist and other sources. The words were ranked by maximum risk, which was determined by the maximum percentage of malicious sites a user would encounter on a single page of search results. According to the company, "screensavers" was found to be especially dangerous, garnering a maximum risk of 59.1 percent. The word "lyrics" came in second with a maximum risk factor of one in two. Surprisingly, searches using the word Viagra—a word that makes its way into more than a few spam e-mails—yielded the fewest risky sites, McAfee reported. Clicking on results that contain the word "free" brings a 21.3 percent chance of infecting your PC, according to McAfee's calculations. Those interested in telecommuting don't fare much better—results with the phrase "work from home" were found to be four times riskier than the average risk of all popular terms. Security vendors have noted the trend of hackers poisoning search engine results a number of times this year, most recently with the Gumblar attacks. In that case, victims were infected with malware that, when the victim performed a subsequent Google search, replaced the results with links leading to malicious pages..."
* http://newsroom.mcaf...article_id=3526
May 27, 2009


#8 AplusWebMaster

Posted 05 June 2009 - 07:19 PM

FYI...

Blackhat SEO
- http://preview.tinyurl.com/qn3f63
Pandalabs - UPDATE - 6/04/09 - "16,000 new malicious links have appeared in Google over the last 24 hours targeting the phrase "TV Online". The malicious site appears to be a video viewing website. It will prompt you to download and install a codec.exe file, which of course is a malicious file. Knowing that this link wouldn’t be the only one, we started researching the domains and keywords being targeted and here is what we found:
Keywords:
16,000 links targeting "TV Online"
16,000 links targeting “YouTube”
10,500 links targeting "France" (Airline Crash)
8,930 links targeting "Microsoft" (Project Natal)
3,380 links targeting "E3"
2,900 links targeting "Eminem" (MTV Awards/Bruno Incident)
2,850 links targeting “Sony”
The sites are all hosted via Lycos Tripod, which is a free web host. This allows the cyber criminals to create thousands of free sites to take advantage of the Blackhat SEO and then simply redirect the free sites to just a handful of their own servers.
Blackhat SEO is definitely one of the most prevalent threat distribution methods today. We expect to see several more examples of this type of attack throughout the year, so be especially careful when searching for news breaking stories..."


#9 AplusWebMaster

Posted 16 June 2009 - 10:57 AM

FYI...

Google search abused - again
- http://blog.trendmic...feature-abused/
June 15, 2009 - "A recent set of SPAM emails were seen abusing yet another Google search feature... The URL in the spam email above uses the search feature q=site: in order to direct the user clicking on the link to a Google results page returning the spam site... What works in the spammers' advantage is Google displays the first few lines of the web page, and that may be enough to entice some users to continue and click the link... It should be noted that spammers heavily used Google’s “I’m feeling lucky” feature late last year on their spam campaigns..." (Screenshots available at the URL above.)

"I don't feel so lucky anymore..."


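The q=site: and "I'm Feeling Lucky" tricks in the Trend Micro post above, as an added example (Python, not code from Trend Micro or from this thread): a small scanner that pulls URLs out of a message and flags the ones that route a click through a search engine, either because the query pins the results page to one domain with a site: operator or because Google's btnI parameter forwards the visitor straight to the first result. The engine host patterns beyond Google, the query parameter names, and the sample message with its fictitious domain are all assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Search hosts and their query parameter. Only Google is named in the
# Trend Micro post; Yahoo and Bing are assumed additions for this example.
ENGINE_RULES = (
    (re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$"), "q"),
    (re.compile(r"^([a-z]{2,3}\.)?search\.yahoo\.com$"), "p"),
    (re.compile(r"^(www\.)?bing\.com$"), "q"),
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
SITE_OP_RE = re.compile(r"(?:^|\s)site:([A-Za-z0-9.-]+)")


def classify_search_link(url):
    """Describe a search-engine URL, or return None if the host is not one.

    Records the raw query, the domain pinned by a site: operator (if any),
    and whether Google's btnI ("I'm Feeling Lucky") parameter is present,
    which forwards the visitor straight to the first result.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for host_re, qparam in ENGINE_RULES:
        if host_re.match(host):
            break
    else:
        return None
    params = parse_qs(parsed.query)
    query = params.get(qparam, [""])[0]
    site = SITE_OP_RE.search(query)
    return {
        "engine": host,
        "query": query,
        "site_operator": site.group(1).lower() if site else None,
        "feeling_lucky": "btnI" in params,
    }


def bounce_links(text):
    """Return (url, reason, domain) for every link in text that bounces the
    click through a search engine: "site-operator" when the query pins the
    results to one domain, "feeling-lucky" when btnI skips the results page."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")  # drop sentence punctuation glued to the link
        info = classify_search_link(url)
        if info is None:
            continue
        if info["site_operator"]:
            findings.append((url, "site-operator", info["site_operator"]))
        elif info["feeling_lucky"]:
            findings.append((url, "feeling-lucky", None))
    return findings


# Constructed sample message for this example; the promoted domain is fictitious.
SAMPLE_MAIL = """Subject: Your order is waiting

Confirm here: http://www.google.com/search?q=site:cheap-pills-example.net+order
Or try http://www.google.com/search?q=cheap+pills+order&btnI=I%27m+Feeling+Lucky
Unrelated search: http://www.google.com/search?q=python+tutorial
Plain link: http://example.org/newsletter
"""

if __name__ == "__main__":
    for url, reason, domain in bounce_links(SAMPLE_MAIL):
        print(f"{reason:14} {domain or '-':28} {url}")
```

The point of flagging the site: form separately is that it names the domain the spammer is promoting, which is what you actually want to block or look up; an ordinary search link to the same engine, like the python tutorial line, is left alone.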

#10 AplusWebMaster

Posted 26 June 2009 - 05:41 AM

FYI...

Blackhat SEO quick to abuse death of celebrities
- http://blog.trendmic...-fawcett-death/
June 25, 2009 - "Cybercriminals take the low road once again as they pepper the Internet with blackhat SEO links that are likely to attract users searching for news... Not long after news of Farrah Fawcett’s passing hit mainstream news, singer/entertainer Michael Jackson likewise meets an untimely death. Users are advised to exercise extreme caution in searching for related news and information surrounding the deaths of these celebrities... Users who have the misfortune of coming across “System Security Antivirus” are advised to run their legitimate antivirus if this makes an appearance on their system."

- http://isc.sans.org/...ml?storyid=6646
Last Updated: 2009-06-26 01:19:23 UTC


#11 AplusWebMaster

Posted 27 July 2009 - 02:28 PM

FYI...

Rumors of Emma Watson's death leading to Rogue AV sites
- http://securitylabs....lerts/3450.aspx
07.27.2009 - "Websense... has discovered that a rumor claiming that the actress Emma Watson, made famous by the Harry Potter series of movies, died on the scene of a fatal car collision is spreading rogue AV sites on the Internet. The rumor itself is spreading rapidly through social networks such as Twitter. The attackers have targeted the Google search engine via the Search Engine Optimization (SEO) poisoning technique: when a user searches for terms related to Emma Watson's death, the fake AV sites are returned as high as the fifth result on Google..."

(Screenshot available at the URL above.)


#12 AplusWebMaster

Posted 21 August 2009 - 06:10 AM

FYI...

Free Online Movie Blogs... Trojan for Windows and Mac
- http://www.symantec....windows-and-mac
August 20, 2009 - "We have recently observed that attackers are actively exploiting new movie releases to distribute malware. The general practice is to host a blog on a (relatively) reputable site, which in actual fact redirects users to a malicious website hosting malware. The movie “Obsessed” was released in April 2009 and in order to watch it online for free, users might search for a phrase that includes keywords such as movie, free, video, online, watch, etc.—along with the movie’s name... The first search result we received was from digg.com. The digg.com page that was listed is flooded with the keywords related to movie... However, when a user clicks on the link it redirects to a blog hosted on blogspot.com... Then, once the user clicks on an image that appears to be a video player window, it redirects to a codec download. Unfortunately this turns out to be a fake codec. More investigation revealed that blogspot .com has been abused by attackers with multiple, similarly styled posts... These blogs usually contain a link that redirects users to malicious sites using multiple redirections. This enables cybercriminals to continually change the site that finally delivers the malware. Interestingly enough, the malicious site to which users are being redirected is serving malware for Windows as well as for Mac OS. This is based on the user-agent string of the browser. For a Windows browser agent it delivers a Trojan intended for the Windows operating system, and for a Mac OS browser agent it delivers a Trojan for the Mac operating system... Symantec antivirus products detect this threat as Trojan.Fakeavalert for Windows and as OSX.RSPlug.A for Mac OS. Users should be aware of these social engineering techniques and should use caution when visiting any such sites..."

(Screenshots available at the URL above.)


#13 AplusWebMaster

Posted 05 September 2009 - 04:12 AM

FYI...

Labor Day - SEO Poisoning leads to Rogue Antivirus
- http://securitylabs....lerts/3471.aspx
09.04.2009 - "Websense... has detected that Google searches on terms related to Labor Day sales return results that lead to rogue antivirus software. Labor Day is one of the biggest holidays observed in the US each year. Retail sales events held during this weekend are some of the most anticipated throughout the country. When Google is used to search for terms related to Labor Day sales, malicious URLs as high as the first result are returned. Upon clicking an affected search-result link, JavaScript code redirects the user to a Web site advising them that their machine is infected with viruses. It then proceeds to offer free (rogue/fake) AV software. AOL and ASK.com are also affected in a similar way..."

(Screenshots available at the URL above.)


#14 AplusWebMaster

Posted 25 September 2009 - 06:26 AM

FYI...

SEO poisoning - Ann Minch's YouTube video
- http://securitylabs....lerts/3482.aspx
09.24.2009 - "Websense... has discovered rogue antivirus sites returned by Google searches on Ann Minch. Ann Minch launched a one-woman "Debtors Revolt" against her bank for an unjustified APR increase on her credit card. She posted a video on YouTube two weeks ago sharing her thoughts. Her video made a huge splash and was viewed over a quarter of a million times. When searching for Ann Minch and related terms in Google, rogue antivirus sites, ranked as high as top match, can be returned. These sites lead to fake antivirus pages which claim your computer requires an immediate antivirus scan and prompt you to download malicious files. These files have very low AV detection*..."
* http://www.virustota...489f-1253761961
File 549170E10037D51580D70240C1E1C6001E217750.exe received on 2009.09.24 03:12:41 (UTC)
Result: 1/41 (2.44%)

(Screenshots available at the Websense URL above.)


#15 AplusWebMaster

Posted 28 September 2009 - 03:32 PM

FYI...

iPhone Blackhat SEO Poisoning Leads to Total Security Rogue Antivirus
- http://securitylabs....Blogs/3483.aspx
09.28.2009 - "Websense... has detected that Google searches on terms related to iPhone SMS information are returning results that lead to rogue antivirus software. The Apple iPhone is one of the most popular smart phones on the market, and it's quite typical for users to google for information relating to SMS and other features of the iPhone. When Google is used to search for terms related to iPhone SMS information, malicious URLs are returned as high as the sixth result. When a user clicks an affected search-result link, they are redirected to a Web site advising that their machine is infected with malicious threats. It then proceeds to offer rogue or fake AV software... If a user clicks on a link controlled by attackers in this scheme, they are redirected through a series of sites via 302 redirects. The final landing page attempts a scareware technique of warning the user that they have been infected with malware and must clean their system. The user is then prompted to download fake antivirus software... The use of Blackhat SEO leading to Rogue AV will only increase in the upcoming year. This scare tactic has proved to be a very successful method of social-engineering users into installing software onto their computers and tricking them into paying for it..."

(Screenshots available at the URL above.)


#16 AplusWebMaster

Posted 30 September 2009 - 08:57 AM

FYI...

SEO Poisoning - MS Security Essentials ...
- http://securitylabs....lerts/3485.aspx
09.30.2009 - "Websense... has discovered that search engine results for information on how to download Microsoft's recently released Security Essentials tool are returning links to Web sites that serve rogue AV. Malware authors have used Search Engine Optimization (SEO) techniques to mix rogue search results in with legitimate results. For example, one of the rogue links is directly under an MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on compromised Web sites, including a Canadian publisher's Web site and the British Travel Health Association. When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31. An example of one of the payload files shows that AV detection is low. One such file is named Soft_71.exe (SHA1: 4e58a12a9f722be0712517a0475fda60a8e94fdc). If the user downloads the application, a file with extension .tif is downloaded in the "program files\TS" directory as TSC.exe and system.dat (the .tif file is decrypted/decompressed and split). The payload then executes "tsc.exe -dltest", which apparently connects to a NASA Web site to check internet connectivity. Finally, "tsc.exe" is executed with no parameters, and the rogue AV starts. (In the background the original file is deleted). Since yesterday the Websense ThreatSeeker Network has been monitoring SEO poisoning of search terms related to Microsoft Security Essentials. It appears that the malware authors set up a trial run of SEO poisoning techniques, before converting the redirects to deliver rogue applications today..."

(Screenshots available at the Websense URL above.)


#17 AplusWebMaster

Posted 30 September 2009 - 02:03 PM

FYI...

SEO Poisoning - Google Wave
- http://securitylabs....lerts/3486.aspx
09.30.2009 - "Websense... has detected that Google searches on terms related to Google Wave return results that lead to a rogue antivirus. Google Wave is the much talked-about, latest API hitting the collaboration scene today. There's a lot of hype about the launch of Google Wave, not only because of the 'new' things it offers but also because Google invited only 100,000 lucky users to test the service. With that said, it's no surprise that users are enticed to this new application. Unfortunately, it's also no surprise that the bad guys are using this hype to manipulate search results...
Malware sample 1:
http://www.virustota...b5fe-1254334125
File Soft_88s2.exe received on 2009.09.30 18:08:45 (UTC)
Result: 6/41 (14.63%)
Malware sample 2:
http://www.virustota...b5fe-1254330166
File Soft_207.exe received on 2009.09.30 17:02:46 (UTC)
Result: 7/41 (17.07%)
Malware sample 3:
http://www.virustota...a76d-1254330677
File setup_build7_201.exe received on 2009.09.30 17:11:17 (UTC)
Result: 4/41 (9.76%)
Malware sample 4:
http://www.virustota...ab34-1254331243
File setup.exe received on 2009.09.30 17:20:43 (UTC)
Result: 9/41 (21.95%) ..."

(Screenshots showing Google Wave-related Google search results and Rogue AV at the Websense URL above.)


#18 AplusWebMaster

Posted 01 October 2009 - 05:44 AM

FYI...

SEO poisoning - Samoa Earthquake News leads to Rogue AV
- http://www.f-secure....s/00001779.html
September 30, 2009 - "It seems SEO poisoning is the current "trend" for directing users to rogue antivirus software. These SEO poisoning attacks usually exploit major news topics, the latest of which is the September 29th earthquake off Samoa, which triggered a tsunami warning for numerous South Pacific islands, as well as Hawaii. Readers looking for news articles on the earthquake may come across this page in the Google search results... On clicking the link, the user is redirected to a series of sites via 302 redirects... The final landing page warns the user that their "system is infected"... The Windows Security Center warning looks authentic enough, but it is fake. Users are prompted to download rogue antivirus software. As usual, be careful when browsing..."

(Screenshots available at the URL above.)

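Posts #15 and #18 describe the click bouncing through "a series of sites via 302 redirects" before the scareware page, and post #12 describes a landing page that hands out a Windows or a Mac trojan depending on the browser's User-Agent. The following is an added example (Python), not code from Websense, F-Secure or Symantec: a tracer that follows Location headers by hand, never fetching or executing page content, resolves relative Location values, stops on loops or too many hops, and reports the attachment name the final hop serves. The transport is an in-memory stand-in for HTTP constructed for this example, and every hostname in it is fictitious.

```python
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
WINDOWS_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
MAC_UA = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8) AppleWebKit/531.9"


def fake_transport(url, user_agent):
    """In-memory stand-in for an HTTP GET, returning (status, headers).

    Constructed for this example: an SEO page 302s to a traffic distributor,
    which 302s (via a relative Location) to a download script that picks the
    payload from the User-Agent, as the Symantec post describes. Two extra
    URLs form a redirect loop so the tracer's loop guard can be exercised.
    """
    parsed = urlparse(url)
    key = (parsed.hostname, parsed.path)
    if key == ("seo-page.example", "/news/bracket.html"):
        return 302, {"Location": "http://tds-hop.example/in.cgi?8"}
    if key == ("tds-hop.example", "/in.cgi"):
        return 302, {"Location": "/go"}
    if key == ("tds-hop.example", "/go"):
        return 302, {"Location": "http://codec-dl.example/get.php"}
    if key == ("codec-dl.example", "/get.php"):
        if "Windows" in user_agent:
            return 200, {"Content-Type": "application/x-msdownload",
                         "Content-Disposition": 'attachment; filename="codec.exe"'}
        if "Mac OS X" in user_agent:
            return 200, {"Content-Type": "application/x-apple-diskimage",
                         "Content-Disposition": 'attachment; filename="codec.dmg"'}
        return 200, {"Content-Type": "text/html"}
    if key == ("loop.example", "/a"):
        return 302, {"Location": "/b"}
    if key == ("loop.example", "/b"):
        return 302, {"Location": "/a"}
    return 404, {}


def filename_from_disposition(header):
    """Pull the filename out of a Content-Disposition header, or None."""
    if not header:
        return None
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "filename":
            return value.strip().strip('"')
    return None


def trace_redirects(start_url, user_agent, transport=fake_transport):
    """Follow 3xx Location hops by hand, never executing page content.

    Returns the hop list, the final status and headers, the attachment name
    if the chain ends in a download, the number of cross-domain hops, and
    why tracing stopped: "final", "loop" or "max_hops".
    """
    hops = [start_url]
    seen = {start_url}
    url = start_url
    stopped = "max_hops"
    status, headers = 0, {}
    while len(hops) <= MAX_HOPS:
        status, headers = transport(url, user_agent)
        if status not in (301, 302, 303, 307, 308) or "Location" not in headers:
            stopped = "final"
            break
        nxt = urljoin(url, headers["Location"])  # resolve relative Location
        if nxt in seen:
            stopped = "loop"
            break
        seen.add(nxt)
        hops.append(nxt)
        url = nxt
    hosts = [urlparse(h).hostname for h in hops]
    cross = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    return {
        "hops": hops,
        "status": status,
        "headers": headers,
        "payload": filename_from_disposition(headers.get("Content-Disposition")),
        "cross_domain_hops": cross,
        "stopped": stopped,
    }


if __name__ == "__main__":
    for ua in (WINDOWS_UA, MAC_UA, "curl/7.19"):
        result = trace_redirects("http://seo-page.example/news/bracket.html", ua)
        print(ua.split("/")[0], "->", " -> ".join(result["hops"]), "|", result["payload"])
```

Run the same start URL with several User-Agent strings: the hop list is identical each time, but the payload name changes, which is exactly what a one-off fetch from a scanner with a non-browser User-Agent would miss (it gets the text/html answer and no download at all).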

#19 AplusWebMaster

Posted 29 October 2009 - 01:54 PM

FYI...

Halloween rogue AV
- http://www.eset.com/...r-search-engine
October 29, 2009 - "... the fake/rogue AV gang have started on their Halloween special, and this time... it's the same old SEO (Search Engine Optimization) poisoning ploy... I'm looking through a list of keywords currently being used by a particularly prolific Black Hat SEO campaign which has been updated to reflect the sort of stuff that people – and certainly American people - are likely to be searching for at this time of year. I'm looking through a list of thousands of words and phrases, so I'm not going to list them all here... However, if you use common search engines like Google to look for terms like those above and a great many others, you're likely to find a lot of links at the top of the results lists that lead you to fake security software. This claims to find imaginary malware on your system, with the ultimate intention of defrauding you of money and possibly of harvesting your credit card details, for example..."

- http://blog.trendmic...-online-tricks/
Oct. 30, 2009


Edited by apluswebmaster, 30 October 2009 - 05:23 AM.


#20 AplusWebMaster

Posted 18 November 2009 - 07:11 AM

FYI...

More FAKE AV - SEO poisoning
- http://blog.trendmic...lead-to-fakeav/
Nov. 18, 2009 - "TrendLabs threat analysts found another FAKEAV campaign piggybacking on the Leonid meteor shower and the much-anticipated sequel to the Twilight saga, New Moon. Users searching for news and updates using the keywords “meteor shower tonight november 16 time” and “New Moon premiere live stream” end up with poisoned search results. These results redirect users to fake online scanners, which ultimately lead to the download of a FAKEAV variant detected by Trend Micro as TROJ_FAKEAV.MET... FAKEAV is notorious for capitalizing on hot news and popular searches via SEO poisoning. Hence, users are advised to be wary of suspicious-looking URLs when conducting online searches..."

(Screenshots available at the URL above.)

:grrr:

#21 AplusWebMaster

Posted 19 November 2009 - 06:20 AM

FYI...

Redirects to scareware - Thousands of web sites compromised
- http://blogs.zdnet.c...ecurity/?p=4947
November 17, 2009 - "Security researchers have detected a massive blackhat SEO (search engine optimization) campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software (Inst_58s6.exe)*, commonly referred to as scareware. More details on the campaign: The compromised sites are using legitimate-looking templates using automatically generated bogus content, with a tiny css.js** (Trojan-Downloader.JS.FraudLoad) uploaded on each of them which triggers the scareware campaign only if the visitor is coming from a search engine listed as a known http referrer by the gang - in this case Google, Yahoo, Live, Altavista, and Baidu... the massive blackhat SEO campaign has been launched by the same people who operate/or manage the campaigns for the Koobface botnet..."
* http://www.virustota...687e-1258481993
File nnovv_Inst_312s2.exe received on 2009.11.17 18:19:53 (UTC)
Result: 1/41 (2.44%)
** http://www.virustota...63be-1258479383
File css.js received on 2009.11.17 17:36:23 (UTC)
Result: 7/41 (17.07%)

- http://blog.trendmic...lead-to-fakeav/
Nov. 19, 2009

- http://blogs.zdnet.c.../?p=4297&page=2
"... the claims that “You’re Infected!; Windows has been infected; Warning: Malware Infections founds; Malware threat detected” should be considered as a fear mongering tactic..."

:ph34r: :grrr: :ph34r:

Edited by apluswebmaster, 19 November 2009 - 06:57 AM.

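The css.js in the ZDNet write-up above only fires when the visitor arrives from a search engine the gang whitelists, so a site owner who loads their own page directly never sees the redirect. The check below, an added example rather than code from the write-up or this forum, fetches one URL with no Referer and again with each search-engine Referer, and reports any off-site redirect (Location header, meta refresh or JS location change) that appears only when a Referer is set. The fetch function is injected so the logic runs offline against a constructed stand-in; urllib_fetch() is the live version, and the SEARCH_REFERERS query URLs are constructed.

```python
"""Referer-conditional (cloaked) redirect check for a web page."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Referers for the engines the write-up names (Google, Yahoo, Live, Altavista,
# Baidu). The query URLs are constructed; only the host matters to the cloak.
SEARCH_REFERERS = [
    "http://www.google.com/search?q=news",
    "http://search.yahoo.com/search?p=news",
    "http://search.live.com/results.aspx?q=news",
    "http://www.altavista.com/web/results?q=news",
    "http://www.baidu.com/s?wd=news",
]


@dataclass
class Response:
    status: int
    location: Optional[str]  # Location header on a 3xx, else None
    body: str


Fetch = Callable[[str, Dict[str, str]], Response]


@dataclass
class Finding:
    url: str
    referer: str
    redirect_to: str


# Client-side redirects hidden in the body: meta refresh and the usual JS forms.
_META_REFRESH = re.compile(r'http-equiv=["\']?refresh["\']?[^>]*?url=([^"\'\s>]+)', re.I)
_JS_LOCATION = re.compile(
    r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']|location\.replace\(\s*["\']([^"\']+)["\']',
    re.I,
)


def redirect_targets(resp: Response) -> List[str]:
    """Every place this response tries to send the browser (header or body)."""
    targets = []
    if resp.location:
        targets.append(resp.location)
    targets += _META_REFRESH.findall(resp.body)
    targets += [a or b for a, b in _JS_LOCATION.findall(resp.body)]
    return targets


def check_referer_cloaking(url: str, fetch: Fetch, referers=SEARCH_REFERERS) -> List[Finding]:
    """Report off-site redirects that only show up when a search-engine Referer is sent."""
    site_host = (urlparse(url).hostname or "").lower()
    baseline = set(redirect_targets(fetch(url, {})))  # what a direct visitor gets
    findings = []
    for ref in referers:
        resp = fetch(url, {"Referer": ref})
        for target in redirect_targets(resp):
            target_host = (urlparse(target).hostname or "").lower()
            # Off-site, and absent when the same URL was fetched without a Referer
            if target_host and target_host != site_host and target not in baseline:
                findings.append(Finding(url, ref, target))
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def urllib_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Live fetch that does not follow redirects, so the Location header is kept."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0", **headers})
    try:
        with opener.open(req, timeout=15) as r:
            return Response(r.getcode(), None, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace"))
```

A redirect that also appears in the Referer-less baseline (a site that has simply moved) is not reported, so the check stays quiet on legitimately relocated pages.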

#22 AplusWebMaster

Posted 21 December 2009 - 05:17 AM

FYI...

Brittany Murphy's death - SEO Poisoning
- http://securitylabs....lerts/3514.aspx
12.21.2009 - "Websense... has discovered that Google top searches on "Brittany Murphy death" will return rogue AV Web sites. The Hollywood actress died suddenly during the weekend. Users will be redirected to malicious domains if they click the matches with a referrer from search engines like Google. The malicious domains try everything to convince people that they are real AV software Web sites, so that users download and execute the fake software offered. There are now a lot of variants available, typically named install.exe*, and at the moment it seems they haven't attracted much attention from AV companies..."
* http://www.virustota...5aee-1261366024
File install.exe received on 2009.12.21 03:27:04 (UTC)
Result: 10/41 (24.39%)

(Screenshots available at the Websense URL above.)

- http://www.f-secure....s/00001842.html
December 21, 2009

:grrr: :ph34r:

Edited by apluswebmaster, 21 December 2009 - 07:52 AM.


#23 AplusWebMaster

Posted 08 January 2010 - 07:14 AM

FYI...

Office.Microsoft.Com search results can lead to Rogue AV
- http://securitylabs....erts/3519.aspx?
01.08.2010 - "Websense... has detected that search results on office.microsoft.com can lead users to a Rogue AV page. Users looking for information related to help with Office products on Microsoft’s own site are being targeted. Users may be unaware that, when they type in search queries on the site, Microsoft scours its own Web site for results, but also pulls in results from the broader Web. As the URL for the search results begins with http ://office.microsoft .com, this is particularly troubling for users who trust sites simply because of their reputation. The malicious URL is a redirect to a very real-looking virus scan and warning page presented by a Rogue AV program (SHA1: 6489c54e30af18801a9e83a5855fa639f3bae0b8). The executable used in the exploit is currently recognized by 1 of the 41 AV engines on Virus Total*...."
* http://www.virustota...ad3d-1262943359
File Setup55530_2045-10.exe received on 2010.01.08 09:35:59 (UTC)
Result: 1/41 (2.44%)

(Screenshot/video available at the Websense URL above.)

:grrr: :ph34r:

#24 AplusWebMaster

Posted 11 January 2010 - 07:45 PM

FYI...

Black Hat SEO Ice Skating Car Video
- http://securitylabs....erts/3522.aspx?
01.11.2010 - "Websense... has discovered that a popular video called "Paignton Ice Skating for Cars" has been targeted by both SEO poisoning attacks as well as Web spam. As a wave of icy weather is currently hitting large parts of Europe, the video has proved to be very popular, with currently more than 850,000 hits on Yahoo Video. A different uploaded version on YouTube has had more than 1 million views so far. Criminals have used the video's popularity as an opportunity to spread rogue anti-virus programs by poisoning the search results of major search engines. When the term "ice skating car" is searched via Google, nearly half of the search results on the first page redirect the user to rogue anti-virus sites. Clicking any of those links takes the user to a Web site with the message: "Your PC is at risk of virus and malware attack." That's an old trick used to lure unsuspecting users to download a fake anti-virus installer... The black hat search results in Google -redirect- the user through several sites, most of which are hosted in Russia, before finally landing in the rogue anti-virus site. The criminals often change the second site in the redirection chain in order to make it harder to detect. The file has a relatively low AV detection rate*..."
(Screenshot available at the Websense URL above.)
* http://www.virustota...657b-1263209375
File packupdate_build6_294.exe received on 2010.01.11 11:29:35 (UTC)
Result: 10/41 (24.39%)

:grrr: :ph34r:

#25 AplusWebMaster

Posted 13 January 2010 - 05:35 PM

FYI...

Black Hat SEO - Haiti Earthquake
- http://securitylabs....lerts/3524.aspx
01.13.2010 - "Websense... has discovered that searches on terms related to the recent earthquake in Haiti return results leading to a rogue antivirus program. The earthquake, which happened on Tuesday near Port-au-Prince, had a magnitude of 7.0 and is said to be the most powerful earthquake to hit Haiti... People around the world are searching the Internet to find the latest updates on this issue, wanting to know how to make charitable donations, trying to discover the extent of the calamity through photos or videos, and looking to see what their favorite artists and musicians are saying about the disaster. Unfortunately, the bad guys use major crises and events like this to spread their malicious code*..."
* http://www.virustota...0e89-1263413836
File Setup_88s1.exe received on 2010.01.13 20:17:16 (UTC)
Result: 4/41 (9.76%)
* http://www.virustota...0458-1263404507
File packupdate_build9_290.exe received on 2010.01.13 17:41:47 (UTC)
Result: 8/41 (19.51%)

(Screenshots available at the Websense URL above.)

- http://preview.tinyurl.com/ydls9yd
m86security
January 13, 2010

:ph34r: :grrr: :ph34r:

Edited by apluswebmaster, 13 January 2010 - 07:37 PM.


#26 AplusWebMaster

Posted 26 January 2010 - 11:20 AM

FYI...

Searches for free printable items lead to mal-domains
- http://blog.trendmic...to-mal-domains/
Jan 26, 2010 - "... blackhat SEO attack that uses strings with the phrase “free printable” to hijack search traffic by directing it into a rogue search engine. Our researchers have found that search engine queries using the string “free printable” yield results that include compromised websites. The said compromised websites are rigged with malicious JavaScripts detected as JS_REDIRECT.SMF and JS_REDIRCT.MAC. JS_REDIRECT.SMF and JS_REDIRCT.MAC trigger a set of redirections whenever the compromised sites are visited. The redirections ultimately lead to a rogue search engine, which by default puts the originally used search string into its own search text box. As of now, the cybercriminals’ goal in all this seems to be hijacking search traffic from search engines, and -redirecting- it into their own search engine to earn them money. Whether it stays as such is not yet known, but users need to be wary, since it would be very easy for cybercriminals to change the final landing site of the redirections to a malware-hosting site... It is very possible that this blackhat search engine optimization (SEO) attack takes advantage of the fact that the interest for free printable items is relatively high, especially in South Africa and the United States. We are strongly advising users -not- to use search strings that include the word “free printable,” as the results may lead to malicious websites. We are currently monitoring this attack and will update this entry for developments..."

(Screenshots available at the URL above.)

:grrr: :ph34r:

#27 AplusWebMaster

Posted 28 January 2010 - 08:14 AM

FYI...

More SEO poisoning attacks...
- http://isc.sans.org/...ml?storyid=8098
Last Updated: 2010-01-27 23:24:06 UTC - "... Recently we got details about two active SEO poisoning attacks for two specific hot topics:
* A new Facebook unnamed app. Sample search term: "facebook unnamed app".
- http://countermeasur...ads-to-malware/
* Today's Apple tablet announcement, called iPad. Sample search term: "apple tablet announcement".
- http://securitylabs....x?cmpid=slalert
The related search terms for these two hot topics in Google are returning top results pointing to sites that distribute malware. Apart from the common defense-in-depth practices regarding client and end point protection, one of the best recommendations is to demonstrate this type of attack on your security awareness programs, so that users do not blindly trust any output they get from search engines."

:ph34r:

#28 AplusWebMaster

Posted 15 February 2010 - 02:58 PM

FYI...

Various Olympics Related Dangerous Google Searches
- http://isc.sans.org/...ml?storyid=8239
Last Updated: 2010-02-15 20:26:18 UTC - "We have received reports about the (sadly expected by now) search engine poisoning for various Olympics related terms. For example the name of the killed Georgian luge athlete is used to redirect unsuspecting users to fake anti-virus and other malicious content. The redirect is browser dependent. Firefox is usually redirected to "qooglesearch .com" (note the 'q' as first letter instead of a 'g'). It is probably advisable to watch out for DNS requests for this domain to spot possible infections. Internet Explorer is redirected to a wide range of different domains which apparently are picked at random..."

(Video at the URL above: 2:44)

:grrr: :ph34r:
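The ISC diary above suggests watching DNS for "qooglesearch .com". The script below, an added example and not code from the diary or this forum, generalises that into a resolver-log sweep: it flags any query whose registrable label is a near-miss for a search-engine brand (one edit away for longer brands, or an exact match only after digit-for-letter swaps) while leaving honest brand-containing names such as googleapis.com alone. The log lines are constructed in a simplified "timestamp client qname qtype" form, the homoglyph table is my assumption, and parse_line() is the one function to adapt to a real resolver's format.

```python
"""Lookalike search-engine domains in DNS query logs."""
from typing import Iterable, List, Optional, Tuple

BRANDS = ["google", "yahoo", "bing", "altavista", "baidu"]

# Digit-for-letter swaps commonly seen in knock-off names (assumption, not from the diary)
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})

# Constructed sample log: "timestamp client qname qtype"
SAMPLE_LOG = [
    "2010-02-15T20:01:03Z 10.0.0.21 www.google.com A",
    "2010-02-15T20:01:07Z 10.0.0.21 qooglesearch.com A",
    "2010-02-15T20:01:09Z 10.0.0.35 ajax.googleapis.com A",
    "2010-02-15T20:02:11Z 10.0.0.35 yahoo.com A",
    "2010-02-15T20:02:15Z 10.0.0.40 yah00.com A",
    "2010-02-15T20:02:20Z 10.0.0.40 mail.live.com A",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(qname: str) -> str:
    """Second-level label of the name (no public-suffix list: assumes a one-label TLD)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_brand(label: str, brands=BRANDS) -> Optional[str]:
    """Return the brand this label imitates, or None if it is clean or an honest match."""
    norm = label.translate(_HOMOGLYPHS)
    for brand in brands:
        if brand in label:
            continue  # honest use of the brand string (google.com, googleapis.com)
        n = len(brand)
        # Short brands only count as exact matches after homoglyph folding, otherwise
        # "bing" would flag every "king"/"bind"; longer brands tolerate one edit.
        max_dist = 1 if n >= 6 else 0
        windows = [norm[i:i + n] for i in range(max(1, len(norm) - n + 1))]
        if any(edit_distance(w, brand) <= max_dist for w in windows):
            return brand
    return None


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """'2010-02-15T20:01:07Z 10.0.0.21 qooglesearch.com A' -> (client, qname)."""
    parts = line.split()
    if len(parts) < 3:
        return None
    return parts[1], parts[2]


def flag_lookalike_queries(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(client, qname, imitated brand) for every query that looks like a brand knock-off."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        client, qname = parsed
        brand = lookalike_brand(registrable_label(qname))
        if brand:
            hits.append((client, qname, brand))
    return hits


if __name__ == "__main__":
    for client, qname, brand in flag_lookalike_queries(SAMPLE_LOG):
        print(f"{client} queried {qname} (imitates {brand})")
```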

#29 AplusWebMaster

Posted 19 February 2010 - 01:53 PM

FYI...

Kneber = Zeus...
- http://www.symantec....ogs/kneber-zeus
February 18th, 2010 - "... Symantec has also observed cybercriminals seeking to exploit computer users’ fears—spurred by all of the coverage that this threat is receiving* — by poisoning search engine results for keywords such as “Kneber Botnet Removal.” In fact, when analyzed by Symantec, the highest ranked result on Google using these search terms led to a site hosting rogue antivirus software..."
* http://www.spywarein...ndpost&p=716228

:grrr: :ph34r:

#30 AplusWebMaster

Posted 26 February 2010 - 06:19 PM

FYI...

SEO poisoning galore - leads to rogue AV...
- http://sunbeltblog.b...ll-but-its.html
February 26, 2010 - "... a “green” hot water heater that might be a good addition to his Earth-friendly home... did a Web search for “GE geo spring water heater.” What he found wasn’t Earth or anything else-friendly! SEO poisoning galore... It’s the SecurityTool rogue* that has been making the rounds since October..."
* http://rogueantispyw...curitytool.html

(Screenshots available at the Sunbeltblog URL above.)

:ph34r:

Edited by apluswebmaster, 26 February 2010 - 06:24 PM.


#31 AplusWebMaster

Posted 04 March 2010 - 10:12 AM

FYI...

SEO Poisoning sites use Flash for redirection
- http://www.f-secure....s/00001899.html
March 4, 2010 - "... another SEO poisoning stint... Since a lot of websites use SWF, most users have already installed Flash support in their browsers, thereby also enabling support for the malware behavior... It seems that the bad guys want the malicious URLs to be hidden inside the SWF..."
(Screenshots available at the URL above.)

- http://techblog.avir...bruary-2010/en/
March 4, 2010

:grrr: :ph34r:

Edited by apluswebmaster, 04 March 2010 - 05:22 PM.


#32 AplusWebMaster

Posted 08 March 2010 - 06:17 AM

FYI...

SEO poisoning on TV show
- http://isc.sans.org/...ml?storyid=8383
Last Updated: 2010-03-08 17:08:18 UTC ...(Version: 2) - "... new SEO (Search Engine Optimization) poisoning attack doing the rounds in the last 6-8 hours. We have talked about this kind of attack in the past*, although they were mainly focused on other hot technological topics, major tragedies, or events. This time, the topic to get on top of the search engine results page is a TV reality show. Specifically, there is a TV show premiere in the US tonight called "Billy the Exterminator"... The affected sites are using a drive by attack, providing victims a fake AV warning message that drives them to download a piece of malware..."
* http://isc.sans.org/...ml?storyid=8098

Hackers exploit Oscars to spread scareware attack
- http://www.sophos.co...s-exploit-oscar
March 8, 2010 - "... By using SEO (search engine optimisation) techniques, hackers have created webpages that are stuffed with content which appears to be related to the 2010 Oscars, but are really designed to infect your computer..."

:grrr: :ph34r:

Edited by apluswebmaster, 08 March 2010 - 11:59 AM.


#33 AplusWebMaster

Posted 22 March 2010 - 12:21 PM

FYI...

Icelandic Volcano Erupts, Fake Antivirus Spews Forth
- http://www.symantec....rus-spews-forth
March 22, 2010 - "Yesterday there was a volcanic eruption in Iceland, near the Eyjafjallajoekull glacier, that has led the Icelandic authorities to declare a state of emergency in southern Iceland. People living nearby have been evacuated in case of glacial melt water flooding and the airspace near the now active volcano is effectively closed off. As you have probably already guessed, any event which commands a high level of public interest will be pounced on quickly by the makers of fake antivirus software in order to make a quick buck. This incident is no exception. Web searches for subjects relating to this eruption, such as "Iceland Volcanic Eruption" or "Iceland Volcano", will return results that may include dozens of hacked Web sites. It is not that difficult to spot the hacked sites with the fake antivirus redirection in the search results... A reasonable rule of thumb... look for domain names that suggest content unrelated to the news being searched for. For example, if you find a Web site whose domain name suggests it is about a painter or British castles, yet it appears in the search results for a story about the volcanic eruption, it is likely that the link is bogus and should be avoided... On the subject of hacked Web sites, it appears that the crew behind this campaign has a back catalogue of hacked sites they can call up and use at very short notice. On looking closer at the hacked sites, you will find that it looks like each of them has had a few hundred randomly named PHP pages added to them. Each of these pages redirects to a single server that is changed periodically... The sites have a series of fake scan pages, which it can display at random. The fake scan pages are designed to look like application windows in various versions of Microsoft Windows and include Windows XP and Windows Vista..."

(Screenshots available at the URL above.)

:grrr: :ph34r:

#34 AplusWebMaster

Posted 03 April 2010 - 07:48 AM

FYI...

SEO poisoning attacks - researched
- http://www.sophos.co...hoslabs/?p=9264
March 31, 2010 - "Regular readers will have seen numerous recent SophosLabs blogs describing how attackers are poisoning search engine results in order to hit victims with malware. In recent months, these types of Search Engine Optimisation (SEO) attacks have become a route through which fake anti-virus malware is being distributed. One thing common to the attacks is that the SEO pages are hosted within legitimate sites. This makes it harder for the search engines to identify the rogue pages, and exclude them from search results. It also lets the SEO pages piggyback on the reputation of that host site, which may help boost the search engine ranking... SophosLabs have published a new technical paper* that describes how these SEO attacks are being managed, by analyzing a selection of the kits that are being used by the attackers..."
* http://www.sophos.co...eo-insights.pdf

:grrr: :ph34r:

#35 AplusWebMaster

Posted 12 April 2010 - 11:46 AM

FYI...

SEO poisoning - 2010 Masters
- http://preview.tinyurl.com/y76e8bw
April 12, 2010 - "For cyber criminals, distributing malware is as easy as increasing the Google page-rank of a malicious landing page. But before cybercriminals can do that, they need to ride on a hot topic that people are currently searching for... take an example of a current hot topic: "2010 Masters"... We have noticed that most search results point to a malicious PHP webpage... If you are unfortunate enough to click on one of these malicious links, it will point you to the usual fake antivirus scanner page and ask you to install a fake antivirus executable. After installation, this rogueware asks you to pay a fee to “disinfect” your machine of bogus malware... To make sure the fake antivirus doesn't get caught by any real malware detection tool, it stops your favorite antivirus and other security monitoring tools from running. It adds a key to the registry, so that instead of executing your antivirus process, the malware will execute a legitimate Windows program SVCHOST.EXE. Furthermore, the fake antivirus edits the Windows hosts file preventing Google, Bing and Yahoo search engines from opening in a browser, instead directing you to a malicious IP address... when doing your online searching, be wary and don't automatically trust search results especially when using Google."

:grrr: :ph34r:

Edited by apluswebmaster, 12 April 2010 - 11:47 AM.

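The 2010 Masters write-up above describes two persistence tricks worth checking for on a suspect machine: search-engine hostnames pinned to a foreign IP in the hosts file, and the real antivirus process silently replaced by SVCHOST.EXE through a registry change. The checks below are an added example, not code from the forum or the quoted write-up. Assumption: the post does not name the registry key; the Image File Execution Options "Debugger" value is the usual way to make Windows launch something else in place of a named executable, and that is what audit_ifeo() inspects. Both audit functions take plain data so they run offline (the sample hosts file and the avscan.exe image name are constructed); read_ifeo_debuggers() collects the live values on Windows.

```python
"""Host-level checks for rogue AV tampering: hosts-file hijacks and IFEO swaps."""
import ipaddress
import re
from typing import Dict, List, Tuple

SEARCH_ENGINE_HOSTS = {
    "google.com", "www.google.com",
    "bing.com", "www.bing.com",
    "yahoo.com", "www.yahoo.com", "search.yahoo.com",
}

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def _is_local(ip: str) -> bool:
    """Loopback or 0.0.0.0 mappings are benign (ad-blocking style hosts entries)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str) -> List[Tuple[str, str]]:
    """(hostname, ip) for every search-engine host the hosts file sends somewhere foreign."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            if _is_local(ip):
                continue
        except ValueError:
            continue  # malformed line, first field is not an address
        for name in names:
            if name.lower() in SEARCH_ENGINE_HOSTS:
                hits.append((name.lower(), ip))
    return hits


def audit_ifeo(debuggers: Dict[str, str]) -> List[Tuple[str, str]]:
    """debuggers maps image name -> Debugger value. No genuine debugger is svchost.exe,
    so any Debugger value naming it means the image has been hijacked."""
    return [
        (image, dbg)
        for image, dbg in debuggers.items()
        if re.search(r"(?:^|[\\/\s])svchost\.exe", dbg, re.I)
    ]


def read_ifeo_debuggers() -> Dict[str, str]:
    """Windows only: every IFEO subkey that carries a Debugger value."""
    import winreg
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as root:
        subkey_count = winreg.QueryInfoKey(root)[0]
        for i in range(subkey_count):
            image = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, image) as sub:
                    found[image] = winreg.QueryValueEx(sub, "Debugger")[0]
            except OSError:
                pass  # subkey without a Debugger value
    return found


# Constructed sample hosts file: two benign entries, one hijacked pair, one malformed line
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "0.0.0.0 ads.example  # blocked on purpose\n"
    "# 198.51.100.7 www.yahoo.com commented out\n"
    "198.51.100.7 www.google.com google.com\n"
    "198.51.100.7\twww.bing.com\n"
    "garbage line here\n"
)

if __name__ == "__main__":
    for host, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts file sends {host} to {ip}")
```

On a live Windows system feed audit_hosts() the contents of %SystemRoot%\System32\drivers\etc\hosts and audit_ifeo() the dict returned by read_ifeo_debuggers().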

#36 AplusWebMaster

Posted 27 April 2010 - 07:43 AM

FYI...

Search Engine results continue to be poisoned
- http://www.symantec....nue-be-poisoned
April 26, 2010 - "... poisoning search engine results with links to fake antivirus software is an effective way for attackers to infect users’ machines. As such, we constantly track search results for malicious links... Hackers clearly have a vested interest in ensuring their attacks are effective in poisoning Google results, most likely because of its large market share — Google’s breadth and speed of indexing will also play a role.
• On average at any given hour, 3 out of the top 10 search trends contained at least one malicious URL within the first 70 results.
• On average, 15 links out of the first 70 results were malicious for search terms that were found to be poisoned (had at least one malicious URL).
• On average on any given day, 7.3% of links are malicious in the top 70 results for top search terms.
• The most poisoned search term resulted in 68% of links leading to malicious pages in the first 70 results
• Almost all of the malicious URLs redirect to a fake antivirus page...
While attackers are sometimes more successful in poisoning certain search terms, this is primarily due to luck. They use an automated system to determine which terms to poison... These days, the attackers continue to be effective at poisoning search results. They have an automated infrastructure that is able to automatically collect the latest, most popular search trends and poison the results. So, be careful when clicking on search result links, especially when searching for hot search topics..."

(Screenshots and graphs available at the URL above.)

:grrr: :ph34r:

#37 AplusWebMaster

Posted 16 July 2010 - 06:44 AM

FYI...

SEO poisoning attacks - new variants...
- http://blog.trendmic...at-seo-attacks/
July 14, 2010 - "Using search engines and watching videos are two of the top Internet activities that users do on a daily basis. In the threat landscape, this usually translates to threats such as blackhat SEO attacks, malicious pages crafted to look like YouTube pages, and, as we recently found out, attacks that use -both- blackhat SEO and malicious YouTube-like pages. In the recent attack that we saw, query results... were found to initially lead to YouTube-like pages before displaying the all-too-familiar fake malware infection warnings. The results are most likely to be compromised sites, all injected with search keywords that will lure users into visiting them... page may trick the user into thinking that the link that they’ve clicked leads to a video, and that they need to install Adobe Flash Player to view it... the cybercriminals behind this attack have a keen eye for detail; not only did they use a convincing interface for the fake Adobe installer, they also used a URL that strongly suggests that it is an Adobe-related site. This is a very notable change, since blackhat SEO attacks have been known to bring about FAKEAV variants specifically. These changes are just a few that we’ve seen. Blackhat SEO attacks no longer just ride on the popularity of big news, as it did before. SEO poisoning attacks are being deployed every day, tainting searches and bringing forth malware..."

:ph34r: :ph34r:

#38 AplusWebMaster

Posted 03 August 2010 - 02:28 AM

FYI...

New Massive BlackHat SEO Attacks
- http://blog.urlvoid....at-seo-attacks/
August 1st, 2010 - "... websites hacked and used in a new campaign of blackhat SEO attack with the objective to -redirect- all users to very dangerous websites that spread the infamous and well known rogue security software and the other dangerous threats such as TDSS rootkit and Zeus..."

(Hijacked keywords and summary of malicious domains at the URL above.)

:ph34r: :ph34r:

#39 AplusWebMaster

Posted 31 October 2010 - 04:20 AM

FYI...

Halloween SEO poisoning...
- http://www.eweek.com...h-Terms-569624/
2010-10-30 - "Attackers are targeting people searching for last-minute ideas on Halloween costumes... CyberDefender identified a fake anti-virus Trojan downloader infecting pages that come up when searching for Halloween costumes. When users land on these infected pages, the fake anti-virus installer hijacks the user’s Web browser and initiates a malicious process, CyberDefender said. The infected PC becomes sluggish and slow-performing while exposing personal data, according to the company. One form, identified by Panda Labs*, displays a fake video player page and asks the user to download a codec in order to play the video. Popular search terms reflect what users are interested in at that time, making it a lucrative target. Criminals often create pages that are highly search engine optimized, with keywords reflecting currently popular search terms... Called SEO poisoning, hackers create these pages that Google and other search engines pick up thinking they are legitimate, and return them when users type in the search terms..."

* http://pandalabs.pan...lated-keywords/
"... top 5 most targeted phrases:
1. Halloween costumes
2. Halloween decorations
3. Halloween ideas
4. Adult Halloween costumes
5. Free pumpkin pattern ..."

:grrr: :ph34r:

#40 AplusWebMaster

Posted 02 November 2010 - 04:24 PM

FYI...

SEO Poisoning - Election results...
- http://isc.sans.edu/...ml?storyid=9868
Last Updated: 2010-11-02 21:36:09 UTC - "We have seen a couple of instances of search result poisoning for election related search terms..."

- http://community.web...tions-wave.aspx
01 Nov 2010 - "... some search terms related to the ongoing event return sites employing black hat SEO... some of the infected sites already come with a warning. However, there are still a handful of Web sites that do not have warning messages attached to them. Search terms used in this attack include:
2010 midterm election
midterm election results
midterm election 2010
midterm election latest polls
midterm election 2010
midterm election season
midterm election latest polls gallup

At the time of writing, the black hat SEO'd sites appear benign, only redirecting users to what appears to be a blank page. A closer look at the code reveals that the page contains a URL to a rogue AV site... If you copy and paste this URL in your browser, it will redirect you to the rogue AV download page which prompts the user to download inst.exe, identified by 10 of 43 VirusTotal engines*..."
* http://www.virustota...d8f8-1288630936
File name: inst.exe
Submission date: 2010-11-01 17:02:16 (UTC)
Result: 10/43 (23.3%)
___

- http://community.web...v-election.aspx
2 Nov 2010 - "... we spotted further activity on what appeared to be blank pages from the Black Hat SEO... This particular attack is browser-aware, as the threats are specific to the browser being used... As of the time of writing and publishing this blog, the coverage for the file download prompts for both IE Flash Update* and Firefox Flash update** was about 27.9%* as confirmed by VirusTotal."
(Screenshots available at the URL above.)

* http://www.virustota...c60d-1288711379
File name: v11_flash_AV.exe
Submission date: 2010-11-02 15:22:59 (UTC)
Result: 12/43 (27.9%)

** http://www.virustota...9054-1288711390
File name: firefox-update.exe
Submission date: 2010-11-02 15:23:10 (UTC)
Result: 12/43 (27.9%)

:ph34r: :ph34r:

Edited by AplusWebMaster, 02 November 2010 - 08:52 PM.


#41 AplusWebMaster

Posted 17 November 2010 - 06:55 AM

FYI...

SEO poisoned search results - Prince William / Kate Middleton

- http://community.web...r-attacks.aspx?
16 Nov 2010 - "... attackers have the process down to a science. They monitor breaking news, trending topics, and buzz words, then automatically manipulate search results based on what's happening in the world... searching for news and buzz words is now more dangerous than searching for adult content, with approximately 22.4% of all searches for current news leading to malicious search results..."

- http://sunbeltblog.b...ounced-seo.html
November 16, 2010 - "The British royal family announced today that Prince William will marry his long-time girlfriend Kate Middleton next year. Every news source on the planet is gushing and the dark side of the Internet is taking advantage of the news coverage. Surf with care. A Google search for “Kate Middleton” results in a poisoned link..."

- http://community.web...ous-intent.aspx
17 Nov 2010 - "Ever noticed a magnifying glass next to your Google search results lately? It is actually a new service that Google launched last week called Instant Previews. This service allows users to see what a page looks like before going to it by hovering or clicking the magnifying glass next to the Google search results. Simple? Yes. Secure? Not so much. Our research shows that the images shown in Instant Previews are not updated as frequently as anyone might assume. Therefore, we don't think this feature would help users as much in making an informed decision on judging whether a link is indeed malicious or not... We reported some Black Hat SEO'd websites from searches relating to Prince William's engagement yesterday. Using Google's Instant Preview on the malicious search results may lead users into believing that the links they're clicking on are actually safe when in fact they're not..."

- http://www.theregist...gement_malware/
17 November 2010 - "... The process of manipulating search results - black hat search engine optimisation - has been going on for at least three or four years and is increasingly becoming automated. Hackers affiliated with scareware outfits in the Ukraine, Russia and elsewhere carry out the coding work."

Infected searches (chart)...
- http://community.web..._2D00_550x0.png
17 Nov 2010 - Filed under: Rogue AV, Blackhat SEO

:grrr: :ph34r:

Edited by AplusWebMaster, 23 November 2010 - 10:19 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#42 AplusWebMaster

Posted 23 November 2010 - 03:47 PM

FYI...

SEO poisoning subject: Korea...
- http://blog.trendmic...eads-to-fakeav/
Nov. 23, 2010 - "News outlets all over the world are talking about the recent cross-border clash between North and South Korea... Within -hours- of the incident, certain Korea-related search terms were already poisoned... This malware redirects users to different pages based on their browser..."

:grrr: :ph34r:

#43 AplusWebMaster

Posted 21 January 2011 - 06:33 PM

FYI...

SEO poison missed by Google...
- http://threatpost.co...g-google-012111
January 21, 2011 - "Attacks that use search engine optimization to push malicious pages into the top rankings on search engine results are on the rise in 2011, but new research from zScaler* suggests that efforts to identify and block the pages are paying meager dividends. A blog post by Web security firm zScaler* notes that Google's own data shows it spots just more than one in two malicious links served up by its search engine. Google reports that they are flagging 52 percent of all malicious links rendered by their search engine. When it comes to malicious links that lead to malware infected pages, Google flags a slightly higher 57 percent. Still, this only accounts for 44 percent of all spam across the Web..."
* http://research.zsca...er-2010_20.html
___

Be Careful What You Search For ...
- http://www.symantec....what-you-search
18 Jan 2011

:grrr: :ph34r:

Edited by AplusWebMaster, 22 January 2011 - 09:12 AM.


#44 AplusWebMaster

Posted 25 January 2011 - 05:05 PM

FYI...

Massive Blackhat SEO Malware Campaign Launched
- http://securehomenet...e-campaign.html
January 25, 2011 - "On January 23rd, thousands of machine generated attack sites were registered through GoDaddy via DNSPod name servers. These sites generally include a name of 5 characters in length, and utilize the .info TLD. The sites combine black hat SEO poisoning with virulent malware infections. At least one anti-virus vendor has labeled the infections as "not disinfectable". The structure of these sites takes two forms. The attack sites utilize a technique known as wild card DNS. This enables an infinite number of subdomains to be created for a single domain name. Sites like pgkqy.info... refer to as the hounds, contain over 6000 links to the attack sites. The hounds' content (6000 links) consists of 200 links to the subdomains of 30 different attack domains... The hounds' large number of links serves to boost the search engine rankings of the attack sites. The attack sites themselves are littered with keywords and phrases designed to poison search engine results, and lure the unwary. These include references to celebrity sex scandals, teenage sex, and so forth. The attack sites also contain machine generated text consisting of numerous paragraph-length narratives (in English and Mandarin). Inserted among these narratives are out-of-context messages, which resemble coded messages... One of the sites distributing malware to the visitors of the attack sites (code1.2bj.cc) has previously distributed malware deemed "exact, not disinfectable" by F-Prot. In that incident, anti-virus detection rates were approximately 50%... both hound site dsqof .info and attack site bjpwn .info are at 184.82.9.206. -All- are utilizing f1g1ns1 .dnspod .net as a DNS server. We will pinpoint more hostile IP addresses as time permits. You can pursue further investigation with the use of this file:
- http://doc.emergingt...udes_skynet.txt ..."
(Note "RussianBusinessNetwork" in the URL...)

:grrr: :ph34r: :grrr:

Edited by AplusWebMaster, 27 January 2011 - 08:27 AM.

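The wildcard-DNS structure described in the Emerging Threats post above can be confirmed from a hound page's link list without visiting any of the sites. The following is an added example, not code from that post or from this thread: it resolves labels nobody would have created under each domain and treats identical non-empty answers as evidence of a wildcard record. The `fake_resolve` table, the `.invalid` domains and the `SAMPLE_LINKS` list are constructed; `socket_resolver` is the stand-in for a live lookup.

```python
import secrets
import socket

def socket_resolver(name):
    """Live resolver (not used by the demo below): IPv4 answers for name, empty on NXDOMAIN."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()

def uses_wildcard_dns(domain, resolve=socket_resolver, probes=2):
    """Return (is_wildcard, addresses).  Random labels are resolved under the
    domain; if every probe yields the same non-empty answer, the zone has a
    wildcard record (how the attack domains mint unlimited subdomains)."""
    answers = [frozenset(resolve(f"{secrets.token_hex(6)}.{domain}")) for _ in range(probes)]
    if all(answers) and len(set(answers)) == 1:
        return True, set(answers[0])
    return False, set()

def registrable_domain(host):
    # Adequate for the two-label names in this thread; real use would
    # consult the public suffix list.
    return ".".join(host.split(".")[-2:])

def triage_hound_links(hosts, resolve=socket_resolver):
    """Collapse thousands of subdomain links to one wildcard check per domain."""
    result = {}
    for host in hosts:
        apex = registrable_domain(host)
        if apex not in result:
            result[apex] = uses_wildcard_dns(apex, resolve)
    return result

# Constructed stand-in for DNS: one wildcard zone, one ordinary zone.
def fake_resolve(name):
    if name.endswith(".wild-attack.invalid"):
        return {"192.0.2.10"}
    if name in ("normal.invalid", "www.normal.invalid"):
        return {"192.0.2.20"}
    return set()

# Constructed sample of the hosts a hound page links to.
SAMPLE_LINKS = ["a1b2c.wild-attack.invalid", "x9y8z.wild-attack.invalid", "www.normal.invalid"]

if __name__ == "__main__":
    for apex, (wild, addrs) in triage_hound_links(SAMPLE_LINKS, fake_resolve).items():
        print(apex, "wildcard" if wild else "no wildcard", sorted(addrs))
```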

#45 AplusWebMaster

Posted 21 April 2011 - 03:21 PM

FYI...

SEO poisoning - Google Image search...
- http://community.web...s-poisoned.aspx
21 Apr 2011 - "... Websense... has detected that Google Image search returns poisoned pictures when searching on celebrity child "Presley Walker". We first found on Monday that all the image search results took users to a notorious exploit kit – Neosploit. Later, it changed to redirecting users to rogue AV sites. As we publish this blog, the search results are -still- poisoned and are leading to Neosploit again... From the chain, we see the third URL is the malicious site holding the exploit code. We found that all the exploited sites are hosted on the same IP 66.235.180.91, and interestingly, they constructed it with the same path named TF19, which looks like a pattern of this campaign. At last it will trigger appropriate vulnerabilities targeted by this exploit kit according to the user's operating system and browser... we see it downloaded a PDF file that targeted -three- Adobe Reader vulnerabilities. This PDF file is heavily obfuscated and has a relatively low VirusTotal detection*... Neosploit is a well-known exploit kit in the black market. The authors reportedly stopped supporting and updating the exploit kit due to financial problems, but variants of Neosploit have been updated frequently. The variants may contain MDAC (CVE-2006-0003), ActiveX (CVE-2008-2463, CVE-2008-1898), and three Adobe Reader (Collab.getIcon, Util.Printf, Collab.collectEmailInfo) vulnerabilities, among others..."
* http://www.virustota...dbd4-1303201008
File name: neosploit.pdf
Submission date: 2011-04-19 08:16:48 (UTC)
Result: 6/40 (15.0%)

:grrr: :ph34r:

#46 AplusWebMaster

Posted 02 May 2011 - 07:19 AM

FYI...

Blackhat SEO and Osama Bin Laden
* http://www.securelis...n_Laden_s_death
May 2, 2011 - "As always, when big news appears in the press the bad guys start blackhat SEO campaigns in popular search engines trying to lure users to install Rogueware. It's not different this time, with the top news about Osama Bin Laden's death being everywhere. The bad guys were quite fast and started to poison search results in Google Images. Some of the search results are now leading users to malicious pages..."

- https://www.computer...pic_on_Internet
May 2, 2011

- http://www.us-cert.g...n_laden_s_death
May 2, 2011

:ph34r: :ph34r:

Edited by AplusWebMaster, 03 May 2011 - 11:14 AM.


#47 AplusWebMaster

Posted 03 May 2011 - 11:15 AM

^^^ (See previous post in this thread!)
___

Blackhat SEO, Osama Bin Laden’s death, Rogue AV
- http://www.malwaredo...rdpress/?p=1796
May 3rd, 2011 || 0day, New Domains, rogue antivirus - "... Searches on “Osama Bin Laden Body” * are leading users to malicious rogueware domains:
antivirus. cz. cc/fast-scan/ and pe-antivirus. cz. cc/fast-scan/
These ... domains will be blocked on the next update but you shouldn't wait..."

- http://research.zsca...ed-malware.html
May 2, 2011 - "... went from seeing fewer than 1,000 URLs containing the terms 'osama', 'usama' or 'laden' on Sunday afternoon, to a peak of over 4 million** by 10am PST on Monday morning..."
** http://4.bp.blogspot...es per Hour.png

- http://www.virustota...bb93-1304434879
File name: file-2191417_
Submission date: 2011-05-03 15:01:19 (UTC)
Result: 35/41 (85.4%)
___

Osama malware scams spread to Facebook
- http://www.theregist..._malware_scams/
3 May 2011

- http://www.fbi.gov/n...-computer-users
May 03, 2011

- http://blog.commtouc...cebook-malware/
May 3, 2011

- http://www.f-secure....s/00002152.html
May 3, 2011

- http://community.web...n-facebook.aspx
02 May 2011
- http://community.web...nd-malware.aspx
02 May 2011

:ph34r: :ph34r: :ph34r:

Edited by AplusWebMaster, 04 May 2011 - 03:30 AM.


#48 AplusWebMaster

Posted 04 May 2011 - 01:47 PM

FYI...

WebbyAwards hacked - compromised w/Blackhat SEO
- http://blog.sucuri.n...ackhat-seo.html
May 4, 2011 - "The WebbyAwards web site (www .webbyawards .com) is currently hacked and compromised with Blackhat SEO. If you try to search for it on Google you will get a warning saying that “This site may be compromised” * ... if you look at the source code of the page, you will see thousands of hidden spam links in there (about selling Windows vista, buying office, etc) pointing to gl.iit .edu:8080, www .korea .edu, www .gefassembly .org, www .ncsconline .org and car .dost .gov .ph. Yes, all “important” and high PR sites (one university, two .gov sites, etc)... We have no details on how it was compromised yet, but we will keep you posted (if we hear back from them)..."
* http://3.bp.blogspot...s1600/webby.png

- http://www.google.co...y?answer=190597

:!: :ph34r:

Edited by AplusWebMaster, 05 May 2011 - 12:56 AM.

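The hidden spam links Sucuri describes in the WebbyAwards post above are the kind of thing a site owner can check for in their own page source. The following is an added example, not code from Sucuri or from this thread: it walks HTML with the standard-library parser, collects anchors nested inside elements hidden by inline style, and counts off-site targets per host. The `SAMPLE_HTML` page and its `.invalid` and `.example` hosts are constructed.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse
# Inline-style tricks that keep a link invisible yet present in the indexed HTML.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)

class HiddenLinkScanner(HTMLParser):
    """Collects hrefs of <a> tags nested inside an element hidden by inline style."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.stack = []          # (tag, opened_hidden_scope) per open element
        self.hidden_depth = 0    # > 0 while inside at least one hidden element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self.stack.append((tag, hidden))
        self.hidden_depth += hidden
        href = a.get("href")
        if tag == "a" and self.hidden_depth and href:
            host = urlparse(href).hostname
            if host and host != self.page_host:   # only off-site targets matter
                self.hidden_links.append(href)

    def handle_endtag(self, tag):
        while self.stack:                 # pop back to the matching start tag,
            t, hidden = self.stack.pop()  # closing hidden scopes on the way
            self.hidden_depth -= hidden
            if t == tag:
                break

def hidden_external_links(html, page_host):
    scanner = HiddenLinkScanner(page_host)
    scanner.feed(html)
    return scanner.hidden_links

def links_per_host(links):
    """A few hosts receiving many hidden links is the link-farm signature."""
    return Counter(urlparse(u).hostname for u in links)
# Constructed page: visible site links plus a hidden block of spam links.
SAMPLE_HTML = """<html><body><p>Winners: <a href="https://site.example/winners">list</a></p>
<div style="display:none"><a href="http://spam-a.invalid/vista">buy windows vista</a>
<a href="http://spam-a.invalid/office">cheap office</a>
<a href="http://spam-b.invalid:8080/sale">software sale</a></div>
<div style="position:absolute;left:-9999px"><a href="http://spam-b.invalid:8080/x">x</a></div>
<a href="https://site.example/about">About</a></body></html>"""
```

Run against a saved copy of a page that Google has marked "This site may be compromised"; hundreds of hidden links to a handful of hosts you do not control is the pattern to escalate.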

#49 AplusWebMaster

Posted 06 May 2011 - 04:23 AM

FYI...

Scammers - Google Images - malware
- http://krebsonsecuri...es-for-malware/
May 6, 2011 - "A picture may be worth a thousand words, but a single tainted digital image may be worth thousands of dollars for computer crooks who are using weaknesses in Google’s Image Search to foist malicious software on unsuspecting surfers. For several weeks, some readers have complained that clicking on Google Images search results directed them to Web pages that pushed rogue anti-virus scareware via misleading security alerts and warnings. On Wednesday, the SANS Internet Storm Center posted a blog entry* saying they, too, were receiving reports of Google Image searches leading to fake anti-virus sites. According to SANS, the attackers have compromised an unknown number of sites with malicious scripts that create Web pages filled with the top search terms from Google Trends. The malicious scripts also fetch images from third-party sites and include them in the junk pages alongside the relevant search terms, so that the automatically generated Web page contains legitimate-looking content. Google’s Image Search bots eventually will index this bogus content. If users are searching for words or phrases that rank high in the current top search terms, it is likely that thumbnails from these malicious pages will be displayed beside other legitimate results... Rogue anti-virus scams almost invariably rely on malicious scripts that can be blocked by the excellent Noscript add-on for Firefox, which lets you decide which sites should be allowed to run scripts.
If you happen to stumble upon one of these fake anti-virus security alerts, stay calm and avoid the urge to click your way out of it. Instead, simply hit Ctrl-Alt-Delete (Task Manager), select the browser process you are using (firefox.exe, iexplore.exe, etc.) and shut it down..."
* http://isc.sans.edu/...l?storyid=10822
Last Updated: 2011-05-04 08:04:42 UTC
___

If someone was told there's a minefield out there, and also the area where it was located, why would anyone choose to go through it anyway? 'Don't know, but they do.
Common sense dictates avoidance, at least - look for another way to get whatever it is you're looking for. There are -always- alternatives...
> https://www.ixquick.com/

... until things calm down and they get a handle on fixing the problem.

> http://www.google.co...c?site=AS:15169

:ph34r: :ph34r:

Edited by AplusWebMaster, 17 May 2011 - 11:02 AM.


#50 AplusWebMaster

Posted 08 July 2011 - 12:03 PM

FYI...

SEO poisoning @ MS Safety and Security Center ...
- http://sunbeltblog.b...nd-malware.html
July 08, 2011 - "The MS Safety and Security Center (leads to)... porn redirects, and sleazy porn sites invariably lead to malware... blackhat SEOs are seeding illegitimate search results within the Microsoft search results... It's Zugo*, a Bing-branded search toolbar with a history of being installed through exploits and other misleading/deceptive means... hope this all gets cleaned up soon..."
* http://www.virustota...8f6e-1311373610
File name: XvidSetup.exe
Submission date: 2011-07-22 22:26:50 (UTC)
Result: 4/43 (9.3%)

- http://www.theregist...nks_poisioning/
11 July 2011

:grrr: :ph34r:

Edited by AplusWebMaster, 23 July 2011 - 04:30 AM.




