Thousands of web sites compromised, redirect to scareware
November 19, 2009 by Infowars Ireland
Security researchers have detected a massive blackhat SEO (search engine optimization) campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software (Inst_58s6.exe), commonly referred to as scareware.
More details on the campaign:
The compromised sites use legitimate-looking templates filled with automatically generated bogus content, with a tiny css.js (Trojan-Downloader.JS.FraudLoad) uploaded on each of them. The script triggers the scareware campaign only if the visitor is coming from a search engine listed as a known HTTP referrer by the gang – in this case Google, Yahoo, Live, Altavista, and Baidu:
“Cyveillance has discovered a complex attack vector that uses Google search results to distribute malicious software (malware) to unsuspecting Internet users. Using this attack vector, users click on links within Google search results and are routed to sites that attempt to download malware to their computers. The attack method also relies on inattentive webmasters who do not update the software on their sites and often unknowingly provide the material that appears in the search results.
The common string albums/bsblog/category is found in the URLs for all these blogs. By simply using the Google search parameter allinurl, along, you can see how many other sites contain the same string. As can be seen in the image above, more than 260,000 URLs are presented in Google’s search index leading to blogs similar to the ones illustrated in our example.
As you can see, only a small portion of sites in the search results carry a warning provided by Google. The reason for the small number of warnings is likely because the actual attacks do not take place on the website URLs in the search results, but on the sites you’re redirected to thereby decreasing the chances that Google will designate the destination sites as harmful.”
At first, it would appear that the campaign is an isolated one and is maintained by a cybercrime enterprise yet to be analyzed. However, analyzing it reveals a rather anticipated connection – the massive blackhat SEO campaign has been launched by the same people who operate or manage the campaigns for the Koobface botnet. For instance, the domains mentioned by Cyveillance, as well as the newly introduced ones over the past couple of hours, are the very same domains currently embedded on Koobface-infected hosts.
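Webmasters can look for the referrer-gated trigger described above in their own site files. The following is an added example (not code from the article, Cyveillance or the campaign): a Node.js heuristic that flags a script only when it reads document.referrer, names at least two of the search engines listed above, and also navigates or injects content. The sink patterns, the threshold of two and the sample scripts are assumptions constructed for illustration.

```javascript
// Engine names are the ones listed in the article; everything else is assumed.
const ENGINES = ["google", "yahoo", "live", "altavista", "baidu"];

// Ways a script can send the visitor elsewhere or pull in remote content.
const SINKS = [
  { name: "location-assignment", re: /\b(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=[^=]/ },
  { name: "location-call", re: /\blocation\.(?:replace|assign)\s*\(/ },
  { name: "document.write", re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: "dynamic-element", re: /\bcreateElement\s*\(\s*["'](?:script|iframe)["']/i },
];

// Remove comments so commented-out code and notes do not trigger a finding.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/(^|[^:\\])\/\/.*$/gm, "$1");
}

// Report what the script does; flag only the combination of all three signals.
function analyzeScript(src) {
  const code = stripComments(src);
  const readsReferrer = /\bdocument\s*(?:\.\s*referrer|\[\s*["']referrer["']\s*\])/.test(code);
  const lower = code.toLowerCase();
  const engines = ENGINES.filter((e) => new RegExp(`\\b${e}\\b`).test(lower));
  const sinks = SINKS.filter((s) => s.re.test(code)).map((s) => s.name);
  const suspicious = readsReferrer && engines.length >= 2 && sinks.length > 0;
  return { suspicious, readsReferrer, engines, sinks };
}

// Constructed samples (not taken from the campaign's css.js).
const SAMPLE_GATED = `
var r = document.referrer.toLowerCase();
if (/google|yahoo|live|altavista|baidu/.test(r)) {
  window.location.href = "http://landing.example.invalid/";
}`;

const SAMPLE_ANALYTICS = `
// report the referring page; mentions google and yahoo in a comment only
var img = new Image();
img.src = "/stats?ref=" + encodeURIComponent(document.referrer);`;

const SAMPLE_HTTPS = `if (location.protocol !== "https:") location.replace("https://" + location.host);`;

for (const [name, src] of Object.entries({ SAMPLE_GATED, SAMPLE_ANALYTICS, SAMPLE_HTTPS })) {
  console.log(name, JSON.stringify(analyzeScript(src)));
}
```

A hit is a reason to review the file by hand, since obfuscated scripts can hide any of the three signals and legitimate code can occasionally show all of them.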