[LINK] 'perfect storm of trusted website abuse'

stephen at melbpc.org.au stephen at melbpc.org.au
Fri Feb 27 16:12:51 AEDT 2009


> From:  SecurityProNews <securitypronews at ientrynetwork.net> 
> Date:   Thu, 26 Feb 2009 17:11:29 -0500 
> Subject:   Google Trends Abuse Highlights Malware Perfect Storm 


It used to be one was at most risk of getting a computer virus via spam 
or frequenting bad Internet neighborhoods (places one probably shouldn't 
be hanging out in the first place, picking up just any old download they 
come across). 

These days malware pushers have come out in the open where the masses 
collect, and places like Google, Facebook, and Twitter are starting to 
resemble the Times Square of old, with peril and vice all around.

Today's aggressive and spooky abuse of trusted giants reveals just how 
sophisticated and manipulative these guys have become. 

By following Google Trends, and with some sharp SEO skills to take 
advantage of Google's famed real-time indexing, scammers are directly
targeting Google's search results, trusted by as many as 70 percent of 
Internet searchers. 

McAfee researcher Craig Schmugar points to the recent Gmail outage as an 
example. 

When that happened, many were searching for the cause or solution to the 
problem, and Schmugar shows how a malicious link copying verbatim the
top news source text as a snippet shows up fourth in the search
rankings, following highly recognizable and trusted sources like Google 
News, Digg.com, and Mashable. 

A subsequent link query found the domain linked to several other trending 
topics: Quiznos (a free sub giveaway promotion), Sharon Stone at the 
Oscars, Extreme Makeover foreclosure, Nicky Hilton, IHOP all you can eat 
pancakes promotion. All of them obviously target what the average 
searcher may be seeking. 

That same malicious link, which led to a scareware prompt only if arriving
via a search engine (gibberish if you just enter it into a browser,
thereby masking the intent some), was also found directly on the Google
Trends page for Ash Wednesday, which was yesterday. 

"I do not recall any previous attacks abusing Google Trends this 
aggressively," said Schmugar. "The malicious links are being distributed 
across numerous sites, targeting many high-profile search terms, and the 
poisoned links are regularly appearing high up on Google results pages." 

Because of this, Schmugar doubts there is a link between the "Error Check 
System" message many Facebook users received. 

Facebook has been criticized for allowing this because the company 
doesn't verify or approve third party applications. Allowing the app 
allowed friends to be spammed with the same message, and searching the 
phrase led them to similar scareware index-related peril. 

However, this new aggressive targeting of popular search trends, and 
Facebook's odd spam messaging, occur simultaneously with other 
social/Google-related incidents. 

This week, Google Talk users were bamboozled by an invitation to click a 
shortened (read: masked) URL to a dangerous supposed video site. 

To reach email inboxes more frequently, spammers are masking links 
typically ousted by filters by using Google search links to the target 
site instead of the URL itself. 

Twitterers also fell prey to URL shortening "Rickrolls" to dangerous 
sites recently, submitted by people they follow. Why are they following 
scammer strangers? Because some use scripts to follow those who follow 
them automatically to build up their follow lists. In addition, Twitter 
doesn't verify email addresses, making it easy for spammers to sign up. 

Targeted trusted social networks and social applications may have two 
purposes. One is obviously to abuse the trust users themselves place in 
them. The other may have to do with SEO. Everybody and their brother 
might create content based upon explosive search trends, but they're not
reaching the top of the search results that quickly. Scammers are likely 
arriving there by taking advantage of trusted sites to gain "trusted" 
links, largely upon which Google bases its results. 

InternetStormCenter's Swa Frantzen illustrated how malware users dupe 
webmasters into giving over their trusted link juice. 

By posing, for example, as a webmaster from a university, scammers email 
a webmaster of a site linking to the university's site and say that site 
will no longer be active in the coming week, thus breaking that 
webmaster's outgoing link. The scammer tells the webmaster to link to 
another domain instead (maybe a similar dotcom instead of a dotedu), 
which is in fact an iframe imposter. 

All of this is creating a perfect storm of trusted website abuse leaving 
millions upon millions vulnerable. 

All of the sites mentioned need to take aggressive steps against these 
actions. Google needs to make some adjustments to its crawlers, Facebook 
needs to start verifying and approving third party apps, Twitter needs to 
start requiring valid email addresses, and users should be wary of 
shortened URLs supplied by strangers.

http://www.securitypronews.com/insiderreports/insider/spn-49-20090226GoogleTrendsAbuseHighlightsMalwarePerfectStorm.html#resume

About the Author:
Jason is a graduate of the University of Kentucky. He covers business, 
technology, and security issues.  

--

Cheers,
Stephen


