Cybercriminals syndicating Google Trends keywords to serve malware
Summary: In an underground ecosystem that is anything but old-fashioned when it comes to abusing legitimate web services, cybercriminals have started exploiting traffic momentum: by monitoring the peak traffic of popular search queries with Google Trends, they syndicate those keywords to acquire the traffic and direct it to malware-serving blogs, primarily hosted on Windows Live Spaces.
According to a recent advisory issued by Webroot:
"For the first time, hackers are capitalizing on the top news stories from Google Trends Labs, which lists the day's most frequently searched topics, which can include news of the Wall St. bail out or the presidential campaign," said Paul Piccard, director of Threat Research, Webroot. "These highly relevant news stories and videos are being posted to the hackers' fake blogs to increase the site's Google search rankings.
These fraudulent blogs contain several video links about the news story for which the users were originally searching. Once a user clicks on one of the video links, they are prompted to download a video codec that downloads a rogue antispyware program designed to goad the user into purchasing an illegitimate program that may put their personal information and data at even greater risk."
Let's take a sample and confirm the ongoing syndication of popular keywords to attract traffic to the several hundred malware-serving blogs.
A random keyword currently "on fire", such as gwen ifill wheelchair, shows that 55 minutes ago a malware-serving blog was successfully crawled and is now appearing within the first 10 results thanks to the high PageRank of Windows Live Spaces. Upon clicking the link, the user is exposed to the typical "ActiveX Object Error" message that attempts to trick them into installing TrojanDownloader:Win32/Zlob.AMV, currently detected by 10 out of 36 AV scanners (27.78%).
Moreover, to ensure that their fake blogs get crawled in the shortest possible time frame, so that they can better abuse the peak momentum of the search query, they naturally take advantage of pre-registered blogs at popular blogging platforms that Google crawls practically in real time. Syndicating this particular keyword to serve malware is not an isolated event: several hundred currently active blogs do exactly the same as soon as Google Trends refreshes its hourly feed.
Malware campaigns have been taking advantage of pure SEO (search engine optimization), mostly blackhat SEO techniques, throughout 2008. The difference between the ongoing campaign and previous ones is that the current approach has a higher probability of attracting generic search traffic, since it relies on the world's most popular search engine to tip the attackers off about what the world has been searching for during the past hour.
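The pattern described above (a trending keyword, a freshly crawled free-host blog and a fake-codec lure) can be turned into a simple triage heuristic for search results or proxy logs. The following is an added example, not code from the article or from Webroot; the keyword list, host list, lure strings beyond the "ActiveX Object Error" text and all result records are constructed for illustration.

```python
"""Triage heuristic for SEO-poisoned search results (added example).

Scores a search result on the three signals the post describes:
a trending keyword in the title/URL, a free blog host with high
PageRank, and a fake video-codec lure in the page body.
"""
import re
from urllib.parse import urlparse

# Constructed stand-in for the hourly Google Trends keyword list.
TRENDING = {"gwen ifill wheelchair", "wall st bailout", "presidential debate"}

# Free blog hosts to treat as higher risk; hypothetical list seeded with
# the platform the article names.
FREE_BLOG_HOSTS = {"spaces.live.com"}

# Lure text seen on fake-codec pages. The ActiveX message is from the post;
# the codec-download phrasing is a constructed approximation.
LURE_PATTERNS = [
    re.compile(r"activex\s+object\s+error", re.I),
    re.compile(r"(download|install).{0,40}codec", re.I),
]


def score_result(url, title, body, minutes_since_crawl):
    """Return (score, reasons). A higher score means a likelier SEO-poisoning lure."""
    score, reasons = 0, []
    host = (urlparse(url).hostname or "").lower()
    text = f"{title} {url}".lower()
    if any(kw in text for kw in TRENDING):
        score += 2
        reasons.append("trending keyword in title/url")
    if any(host == h or host.endswith("." + h) for h in FREE_BLOG_HOSTS):
        score += 2
        reasons.append("free blog host")
    if minutes_since_crawl <= 60:
        score += 1
        reasons.append("crawled within the last hour")
    if any(p.search(body) for p in LURE_PATTERNS):
        score += 3
        reasons.append("fake codec lure in page body")
    return score, reasons


def is_suspicious(url, title, body, minutes_since_crawl, threshold=5):
    """Flag a result when enough of the signals coincide."""
    return score_result(url, title, body, minutes_since_crawl)[0] >= threshold
```

A real news article on a legitimate host that merely matches the trending keyword scores below the threshold, so the heuristic keys on the combination of signals rather than on the keyword alone.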
Talkback
Large networks are increasingly...
The issue discussed in this article plus the hacking of CAPTCHA's are two prime examples of non-human network management. These networks need to re-examine their methods or be shut down.
So, What Are You Proposing?
should be standards for large network systems
RE: Cybercriminals syndicating Google Trends keywords to serve malware
You need an in depth defense to fight this kind of threat..
The last time I was attacked by a Google link and these conditions mitigated it:
1. I was logged in as a restricted user.
2. Site Advisor had a question mark by the link but I clicked on it anyway - big mistake!
3. Secunia PSI helped me keep my Adobe Reader up to date and the malware attempted to use past vulnerabilities to gain administrative control, but was unsuccessful after three attempts.
4. ESET NOD32 nailed the culprit instantly upon coming through the firewall, and slammed it in every one of the three attempts to attack.
This along with many others like Spyblaster, Spybot Search & Destroy, Comodo Firewall Pro, Snoopfree Privacy Shield, CCleaner, a good host file blocker (recommended by TechRepublic) which will sometimes prevent the redirects caused by bad website practices; and many more. I'm just naming a few.
There are also good programs listed at CNET (download.com) that can keep your private information both off your hard drive or encrypted so it can't be absconded. The only problem with these programs is they have security vulnerabilities of their own, so I uninstall them immediately after removing the information; and occasionally reinstall to check for potentially damaging personal data on a scheduled basis.
I don't go for the programs that simply keep cookies off IE 7 or other browser, or are simply enhancements to privacy protection already included in IE 7. I use only utilities that literally block the data from leaving the computer in the first place like the ones purchased with PC-cillin or Norton.
These programs block data from leaving port 80 on non-SSL sessions, Internet Messaging, or email. Both Trend and Symantec have become too unwieldy for me, though, so I just delete the data from my computer and use iVault (Comodo) to enter the information on the web. Some people like the paid versions from other vendors better.
RE: Cybercriminals syndicating Google Trends keywords to serve malware
Re: OpenDNS--a Good Thing.
On Mozilla, NoScript also.
Even better, have a Mac, on which most of this junk will not work, since they write it for the MS Windows world.
Open DNS not always the answer...
Also not the definitive answer to the new DNS poisoning vulnerability:
http://msmvps.com/blogs/alunj/archive/2008/07/25/1642098.aspx
The issues have been hashed out on several Tech Republic articles, if anyone is interested enough to check for themselves.
RE: Cybercriminals syndicating Google Trends keywords to serve malware
The only disadvantage is that I have to switch to the Administrator account to really install something. But that doesn't happen very often, and is a small price to pay to be safe from this malware.
RE: Cybercriminals syndicating Google Trends keywords to serve malware
Google needs to beef up its search engine, to prevent Google Trends from indexing malicious websites without first posting a warning.
Microsoft on the other hand, needs to redesign their captcha system. Use Silverlight, make an unreadable logo. As I last checked, programs cannot read the content of a Silverlight or Flash application; only that applet itself can.
Meanwhile, users should beware, if you notice a file download message on ANY browser and you did not click a link to download it, DO NOT DOWNLOAD THE FILE. In 9 out of 10 cases, when that happens the file is malicious.
By the way, to the people who think Macs are virus free, a Mac will only stay virus free while it isn't popular. If Macs ever surpass Windows, then all the viruses will be aimed at Macs and Windows will become the Utopian computer.
your best posting so far, Dancho
us know about something very important.
I appreciate that you stay away from the 'huge problems' when Quicktime releases a fix, and so forth nonsense as some of your blogging partners use very irresponsibly.
Thank you,
Narr vi
Patch for java is successful and posted.
KX125! Please.