Breakdown: Criminals use midterm elections to spread Malware

Criminals are using the election season to spread Rogue anti-Virus software and other related Malware. Here is a breakdown of the latest search engine attacks, including what to look for and, if you’re a webmaster, how to determine if you’ve fallen victim.

The Tech Herald has covered BlackHat SEO attacks in the past, and if you’ve followed along you know that criminals love to spike search results in order to spread Rogue anti-Virus applications and other Malware. The good news is that most of the poisoned search results are being flagged by Google, the down side is that newer domains are taking their place.

Security vendor Websense posted a warning that criminals were using search terms related to the elections this year to spread Rogue anti-Virus software. After reading its blog post on the topic, we did some digging and discovered dozens of sites poisoning hundreds of search terms related to the midterm elections, political figures and topics, as well as current events and trending topics from the past week.

The attack on the end user starts with a Web search. Google is the popular vector, but Yahoo and Bing are also avenues of attack. Searching for midterm election results, on a local or national scale, will return plenty of coverage, especially given the amount of heated debate on both sides.

The catch is, keywords like “election results 2010”, “midterm election results”, “election polls”, “midterm election polls 2010”, and related terms including “AARP”, “Virginia Governor”, “New Jersey Governor”, “Gallop”, “electoral coverage”, “Senate races” and “political figures”, are commonly used by the public, so they’re easily targeted and exploited by criminals.

Some malicious links using those keywords attack instantly, while others have links to malicious domains embedded in comments or posted articles. Either way, the criminals are using many of the same scripts we’ve seen in the past to pull off an attack. The scripts will strip the search terms and create a dynamic listing by scraping content from other domains and related search results.

What this does is create a search result that, when viewed in a search engine, appears to have everything a person is searching for, thus enticing them to click the link. The poisoned results are pushed higher in the rankings by maintaining keyword relevance, as well as link popularity by joining several compromised domains together.

Once a malicious link is clicked, the attack forwards the victim to another domain, where the Rogue anti-Virus software is delivered. In the case of Malware in general, some of the domains use code embedded on the hijacked site to exploit client-side software, which lets them deliver the malicious payload without the victim being aware. Where no such exploit is used, the hijacked site simply forwards the user to a malicious domain that performs the attack.

Other topics that are leading to poisoned search results include “cannabis”, “Emma Watson”, “2009 election results”, popular TV show “Glee”, “job loss and creation”, “presidential approval ratings”, and “absentee balloting”.

Here are some tricks to determine if you are an unwitting victim to the BlackHat SEO schemes.

While digging into the BlackHat SEO attacks, we noticed many of the same patterns as before. Most of the malicious links use random PHP scripts to operate, and they are easy to spot based on the naming convention used.

If you search for your domain using the “site:” operator together with trending keywords, you’ll notice the malicious links in the results. Note that these files and their names are dynamic and generated on the fly in most cases, so they may not appear in a check of the Web server itself.

In some of the more recent BlackHat SEO attacks, we noticed that installations of WordPress, the popular blogging software, were compromised in order to propagate the attacks. The rogue files are added to the WordPress core installation, under the “/pomo/” directory.

As you see in the image above, the red section shows a malicious site with the randomly named PHP file linking to a compromised WordPress installation. The attacks on the WordPress installations seem to date as far back as March, but most of the malicious links were indexed as recently as October 31. While it is possible that the compromise is due to a flaw in WordPress, there is no solid evidence.

The images above show a malicious search result using a PHP file that is not part of a typical WordPress installation. The “so.php” file, as well as the “logs” file that accompanies it, were added to the “/pomo/” directory after the site was compromised. Looking at some of the installations, it would appear the “/pomo/” directory is present in WordPress installations 2.8.x up to 3.0.1.

As a webmaster you can check for the presence of these files. If found, remove them and secure the file structure of the server. As mentioned, there is no proof that a vulnerability in WordPress is the cause of these hijackings. However, WordPress has been vulnerable in the past, along with scores of the add-ons, or “plugins”, available for the blogging software. The best bet is to make sure that WordPress installations, as well as any installed add-ons, are kept current.
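The check described above, as an added example that is not from the article or from WordPress: a small Python script that walks a document root, finds any directory named “pomo”, and flags the “so.php” and “logs” artifacts the article names. It also flags any non-PHP file in that directory, on the assumption (ours, not the article’s) that a stock WordPress “pomo” directory contains only PHP files. The sample tree it builds is constructed for demonstration.

```python
import os
import tempfile
from pathlib import Path

# Artifacts named in the article: a PHP file that is not part of WordPress
# and a "logs" file dropped beside it, both inside a "/pomo/" directory.
ROGUE_NAMES = {"so.php", "logs"}


def scan_pomo_dirs(root):
    """Walk a WordPress document root and report suspicious entries in any
    directory named 'pomo'. Returns a list of (path, reason) tuples.
    Assumption (not from the article): stock WordPress ships only .php
    files in pomo, so anything else there deserves a closer look."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != "pomo":
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in ROGUE_NAMES:
                findings.append((path, "file named in known BlackHat SEO compromises"))
            elif not name.endswith(".php"):
                findings.append((path, "non-PHP file in a core directory"))
    return findings


def build_sample_tree():
    """Constructed sample: a minimal WordPress-like tree whose pomo
    directory carries the rogue files alongside a few legitimate ones."""
    root = tempfile.mkdtemp(prefix="wp_sample_")
    pomo = Path(root, "wp-includes", "pomo")
    pomo.mkdir(parents=True)
    for legit in ("mo.php", "po.php", "translations.php"):
        (pomo / legit).write_text("<?php // legitimate core file (sample)\n")
    (pomo / "so.php").write_text("<?php // rogue redirector (sample)\n")
    (pomo / "logs").write_text("2010-10-31 hit: election results 2010\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for found_path, reason in scan_pomo_dirs(sample_root):
        print(f"{reason}: {found_path}")
```

Point `scan_pomo_dirs()` at the real document root of a site to run the check against a live installation; a clean install should return an empty list.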

This is in addition to practices used to harden a server from attack, due to the fact that any given vulnerability that would allow unrestricted access to the server can be used to compromise hosted sites and use them for BlackHat SEO campaigns.

If you are interested in the elections, or the latest current events, the safest way to learn more about them is to stick to legitimate news sources and/or trusted blogs. You can find these via Google News or Yahoo News, as well as places like Digg and Reddit.

Webmasters should always make sure that they're using the latest build of a given software package. In the case of WordPress, its developers spend a good deal of time researching the code and are often quick to patch security problems. The newest versions will prompt you in the admin area when new releases are available, so you should check there frequently and update as needed. The same goes for any add-on modules used to enhance WordPress installations.
