Cyveillance has discovered a new breed of attack, hidden within Google search results, that uses Web redirects to infect users. In the last week, Cyveillance has identified more than 350,000 poisoned links in Google search results, each acting as a gateway to rogue antivirus infections and other malware.
Malicious search results hit Google on a large scale. (Image: J. Anderson)
According to Cyveillance, the path from the hijacked pages listed in the black-hat SEO search results to the fake antivirus drop sites is swift and likely goes unnoticed by the user.
One click on an innocent-looking Google search result and the user is sent to a “middle man” domain such as ionisationtools.cn or moored2009.cn. The server at that domain then redirects the visitor to a final destination, a fake antivirus page whose pop-up announces that “31 Malware programms was found!” (sic).
The common string “albums/bsblog/category” appears in the URLs of all these blogs. Searching Google for that string shows the volume of affected sites; as of this morning there were 261,000 listed. [Warning: Most of the tested results were malicious. Do not follow them unless you are sure of what you are doing.]
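For an analyst who wants to see where one of these results leads without clicking it in a browser, the following is an added example (not Cyveillance's or The Tech Herald's code) that checks a URL for the “albums/bsblog/category” signature and then walks the redirect chain one response at a time, handling HTTP 3xx, meta-refresh and JavaScript location redirects, and stopping on a loop or a hop budget. The chain it is fed is constructed: the hostnames under .test and the /go path are invented, ionisationtools.cn is the middle-man domain named above, and the exact redirect mechanism each hop uses is assumed, since the article does not say. The `live_fetch` function is included for use against real URLs and is not exercised by the sample.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Path fragment reported as common to every hijacked search-result URL.
ROGUE_BLOG_SIGNATURE = re.compile(r"albums/bsblog/category", re.IGNORECASE)

# A fetcher returns (status, headers, body) for ONE URL and must not follow redirects itself.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]

# Client-side redirect forms, besides an HTTP 3xx Location header.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']?\s*\d+\s*;\s*url=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?\blocation(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def next_hop(url: str, status: int, headers: Dict[str, str], body: str) -> Optional[str]:
    """Return the URL this response sends the browser to, or None if it is a final page."""
    if 300 <= status < 400:
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if location:
            return urljoin(url, location)
    for pattern in (META_REFRESH, JS_LOCATION):
        m = pattern.search(body)
        if m:
            return urljoin(url, m.group(1))
    return None


def walk_redirects(start: str, fetch: Fetcher, max_hops: int = 10) -> Tuple[List[str], bool]:
    """Follow the chain hop by hop; returns (urls visited, True if cut short by a loop or the hop budget)."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            return chain, False
        if nxt in seen:  # redirect loop: stop rather than spin
            return chain, True
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain, True  # hop budget exhausted while the chain was still going


def assess(start: str, fetch: Fetcher) -> Dict[str, object]:
    """Summarise one search-result URL: signature match, hop chain, and whether it leaves the origin host."""
    chain, truncated = walk_redirects(start, fetch)
    hosts = [urlsplit(u).hostname or "" for u in chain]
    return {
        "matches_signature": bool(ROGUE_BLOG_SIGNATURE.search(start)),
        "chain": chain,
        "hosts": hosts,
        "leaves_origin": len(set(hosts)) > 1,
        "truncated": truncated,
    }


# Constructed sample of the three-hop chain described in the article. The .test hosts and the
# /go path are invented; nothing here touches the network.
SAMPLE_RESPONSES: Dict[str, Tuple[int, Dict[str, str], str]] = {
    "http://gallery.example.test/albums/bsblog/category/las-vegas-rental-no-credit-check": (
        200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="0;url=http://ionisationtools.cn/go"></head></html>',
    ),
    "http://ionisationtools.cn/go": (302, {"Location": "http://scanner.example.test/scan/"}, ""),
    "http://scanner.example.test/scan/": (
        200, {"Content-Type": "text/html"},
        "<html><body>31 Malware programms was found!</body></html>",
    ),
}


def sample_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


def live_fetch(url: str, timeout: int = 10) -> Tuple[int, Dict[str, str], str]:
    """Network-backed fetcher for real analysis: one hop only, redirects are NOT followed."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError on 3xx instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read(65536) if err.fp is not None else b""
        return err.code, dict(err.headers), body.decode("utf-8", "replace")


if __name__ == "__main__":
    print(assess(next(iter(SAMPLE_RESPONSES)), sample_fetch))
```

Run it as is to see the constructed chain resolved hop by hop; to inspect a real result, pass `live_fetch` to `assess` from a machine you are willing to expose, since even a redirect-only fetch contacts the attacker's server.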
“On all the infected sites found there is rogue blog publishing software installed, sometimes in the popular online photo gallery software Coppermine,” said Cyveillance in a report on the infections. The most recent version of Coppermine is 1.4.25; the version found in the attacks is 1.4.24.
“These rogue blogs automatically and regularly publish new posts that are titled with esoteric terms like ‘las vegas rental no credit check’, ‘real world melinda and danny’, or ‘uninvited song lyrics alanis morrissette morissette’.”
Cyveillance said the authors of this campaign appear to be targeting rare combinations of search terms that, in aggregate, make up a very large share of the queries web surfers submit to search engines.
“In fact, a surprising amount of internet searches contain four and five words, and the authors of this attack appear to have titled their blogs’ titles with this in mind to be exposed to as many potential victims as possible.”
Another interesting observation is that the links appear to focus on Google alone.
“We learned this by taking several domains that contained the infected Coppermine installs and used Bing’s site: command and Yahoo!’s Site Explorer; neither of these search engines returned any URLs which contained this particular exploit in action, suggesting that Google is the only major search engine being used as the attack vector by these malware distributors.”
For users, hijacked search results are hard to avoid, and the rogue antivirus that can follow from them is worse still. The best protection is to stay vigilant when clicking links and to keep the operating system and security software up to date.
Cyveillance recommends that Google investigate every URL in its main index that contains the common string. It also warns webmasters to keep their software up to date with the latest releases.
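A webmaster running Coppermine can check whether their own server is already serving one of these rogue blogs by looking for the common string in the access log. The following is an added example (not Cyveillance's or The Tech Herald's code) that scans Apache/nginx “combined” format log lines, keeps the requests whose path carries “albums/bsblog/category”, and notes how many arrived from a Google results page or from Googlebot. The log lines are constructed for the example, with TEST-NET addresses and the blog titles quoted above; the log format is assumed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Path fragment the article reports in every hijacked URL.
ROGUE_PATH = re.compile(r"/albums/bsblog/category", re.IGNORECASE)
# Referers that mean the visitor came from a Google results page.
GOOGLE_REFERER = re.compile(r"^https?://(?:[a-z0-9-]+\.)*google\.[a-z.]+/", re.IGNORECASE)

# Apache/nginx "combined" log format (assumed layout for the constructed sample below).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per request whose path carries the rogue-blog signature."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not ROGUE_PATH.search(m["path"]):
            continue  # unparseable line, or a normal gallery request
        hits.append({
            "ip": m["ip"],
            "path": m["path"],
            "status": int(m["status"]),
            "from_google": bool(GOOGLE_REFERER.match(m["referer"])),
            "googlebot": "googlebot" in m["agent"].lower(),
        })
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, object]:
    """Counts a webmaster would act on: victims arriving from Google and crawler visits that feed the index."""
    return {
        "hits": len(hits),
        "from_google": sum(1 for h in hits if h["from_google"]),
        "crawled_by_googlebot": sum(1 for h in hits if h["googlebot"]),
        "top_paths": Counter(str(h["path"]) for h in hits).most_common(3),
    }


# Constructed sample log: three rogue-blog requests, two legitimate requests, one garbage line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2009:09:12:01 +0000] "GET /albums/bsblog/category/las-vegas-rental-no-credit-check HTTP/1.1" 200 2311 "http://www.google.com/search?q=las+vegas+rental+no+credit+check" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2009:09:12:44 +0000] "GET /albums/bsblog/category/uninvited-song-lyrics-alanis-morrissette-morissette HTTP/1.1" 200 2290 "http://www.google.co.uk/search?q=uninvited+song+lyrics" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2009:09:13:10 +0000] "GET /albums/bsblog/category/real-world-melinda-and-danny HTTP/1.1" 200 2305 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.11 - - [10/Dec/2009:09:14:02 +0000] "GET /albums/thumbs.php?album=3 HTTP/1.1" 200 8123 "http://www.google.com/search?q=holiday+photos" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2009:09:14:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]


if __name__ == "__main__":
    print(summarize(scan_access_log(SAMPLE_LOG)))
```

A non-zero `hits` count on a site whose administrator never installed a blog under `albums/` is the signal to take the gallery offline and rebuild it from a current release rather than simply deleting the directory, since the install that planted it is still in place.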