[LINK] 'perfect storm of trusted website abuse'
stephen at melbpc.org.au
Fri Feb 27 16:12:51 AEDT 2009
> From: SecurityProNews <securitypronews at ientrynetwork.net>
> Date: Thu, 26 Feb 2009 17:11:29 -0500
> Subject: Google Trends Abuse Highlights Malware Perfect Storm
It used to be one was at most risk of getting a computer virus via spam
or frequenting bad Internet neighborhoods (places one probably shouldn't
be hanging out in the first place, picking up just any old download they
come across).
These days malware pushers have come out in the open where the masses
collect, and places like Google, Facebook, and Twitter are starting to
resemble the Times Square of old, with peril and vice all around.
Today's aggressive and spooky abuse of trusted giants reveals just how
sophisticated and manipulative these guys have become.
By following Google Trends, and with some sharp SEO skills to take
advantage of Google's famed real-time indexing, scammers are directly
targeting Google's search results, trusted by as many as 70 percent of
Internet searchers.
McAfee researcher Craig Schmugar points to the recent Gmail outage as an
example.
When that happened, many were searching for the cause or solution to the
problem, and Schmugar shows how a malicious link copying verbatim the
top news source text as a snippet, shows up fourth in the search
rankings, following highly recognizable and trusted sources like Google
News, Digg.com, and Mashable.
A subsequent link query found the domain linked to several other trending
topics: Quiznos (a free sub giveaway promotion), Sharon Stone at the
Oscars, Extreme Makeover foreclosure, Nicky Hilton, IHOP all you can eat
pancakes promotion. All of them obviously target what the average
searcher may be seeking.
That same malicious link, which led to a scareware prompt only if arriving
via a search engine (gibberish if you just enter it into a browser,
thereby masking the intent some), was also found directly on the Google
Trends page for Ash Wednesday, which was yesterday.
"I do not recall any previous attacks abusing Google Trends this
aggressively," said Schmugar. "The malicious links are being distributed
across numerous sites, targeting many high-profile search terms, and the
poisoned links are regularly appearing high up on Google results pages."
Because of this, Schmugar doubts there is a link between the "Error Check
System" message many Facebook users received.
Facebook has been criticized for allowing this because the company
doesn't verify or approve third party applications. Allowing the app
allowed friends to be spammed with the same message, and searching the
phrase led them to similar scareware index-related peril.
However, this new aggressive targeting of popular search trends, and
Facebook's odd spam messaging, occur simultaneously with other
social/Google-related incidents.
This week, Google Talk users were bamboozled by an invitation to click a
shortened (read: masked) URL to a dangerous supposed video site.
To reach email inboxes more frequently, spammers are masking links
typically ousted by filters by using Google search links to the target
site instead of the URL itself.
Twitterers also fell prey to URL shortening "Rickrolls" to dangerous
sites recently, submitted by people they follow. Why are they following
scammer strangers? Because some use scripts to follow those who follow
them automatically to build up their follow lists. In addition, Twitter
doesn't verify email addresses, making it easy for spammers to sign up.
Targeted trusted social networks and social applications may have two
purposes. One is obviously to abuse the trust users themselves place in
them. The other may have to do with SEO. Everybody and their brother
might create content based upon explosive search trends, but they're not
reaching the top of the search results that quickly. Scammers are likely
arriving there by taking advantage of trusted sites to gain "trusted"
links, largely upon which Google bases its results.
InternetStormCenter's Swa Frantzen illustrated how malware users dupe
webmasters into giving over their trusted link juice.
By posing, for example, as a webmaster from a university, scammers email
a webmaster of a site linking to the university's site and say that site
will no longer be active in the coming week, thus breaking that
webmaster's outgoing link. The scammer tells the webmaster to link to
another domain instead (maybe a similar dotcom instead of a dotedu),
which is in fact an iframe imposter.
All of this is creating a perfect storm of trusted website abuse leaving
millions upon millions vulnerable.
All of the sites mentioned need to take aggressive steps against these
actions. Google needs to make some adjustments to its crawlers, Facebook
needs to start verifying and approving third party apps, Twitter needs to
start requiring valid email addresses, and users should be wary of
shortened URLs supplied by strangers.
http://www.securitypronews.com/insiderreports/insider/spn-49-20090226GoogleTrendsAbuseHighlightsMalwarePerfectStorm.html#resume
About the Author:
Jason is a graduate of the University of Kentucky. He covers business,
technology, and security issues.
--
Cheers,
Stephen
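
A defender-side sketch of the link-masking point in the article (spam links wrapped in Google links, and shortened URLs), added here as an example and not part of the original article or post: a mail filter that unwraps the redirect before consulting its blocklist. The `/url?q=` redirect form handled here, the host lists and the blocklist entry are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# All hosts below are assumptions constructed for this example.
REDIRECTOR_HOSTS = {"google.com", "www.google.com"}   # search-engine redirectors
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "is.gd"}  # destination is opaque
BLOCKED_HOSTS = {"scareware.example"}                 # stand-in blocklist entry


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def naive_verdict(url):
    """Filter that only looks at the host the recipient sees in the link."""
    return "block" if host_of(url) in BLOCKED_HOSTS else "allow"


def unwrap(url, max_hops=5):
    """Peel /url?q=<target> redirect wrappers, bounded to avoid loops."""
    for _ in range(max_hops):
        parts = urlsplit(url)
        if host_of(url) not in REDIRECTOR_HOSTS or parts.path != "/url":
            break
        params = parse_qs(parts.query)   # also percent-decodes the values
        target = (params.get("q") or params.get("url") or [""])[0]
        if not target.lower().startswith(("http://", "https://")):
            break                        # nothing usable to follow
        url = target
    return url


def verdict(url):
    """Judge the link by where it really leads, not by the wrapper."""
    final = unwrap(url)
    if host_of(final) in BLOCKED_HOSTS:
        return "block"
    if host_of(final) in SHORTENER_HOSTS:
        return "hold"    # resolve the short link before delivery
    return "allow"


# Constructed sample: a blocklisted site hidden behind a redirect link.
WRAPPED = "http://www.google.com/url?q=http%3A%2F%2Fscareware.example%2Fvideo"
```

The naive filter passes `WRAPPED` because it sees only the trusted host; `verdict` blocks it, and holds shortened links until they are resolved.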