
Blogger System Sites Used for Phishing

jimbojw writes "In a recent security advisory Fortinet is reporting that due to Blogger's popularity, hackers have started to embed malicious scripts on some blogs. 'These scripts have shown up on hundreds of Blogger.com sites. In some cases, a variant of the Stration mass mailer is responsible for directing traffic to the Blogger.com sites.' CNET reports on the situation, quoting an unnamed Google representative as saying 'These are not legitimate blogs that were compromised. They appear to be deliberately set up to promote phishing, which is against our terms of service. We are investigating, and blogs found to include malicious code or promote phishing will be deleted.' The blogs in question use meta or JavaScript redirection to push traffic to a phishing or malware site. Links to the blogs are subsequently mass-mailed by infected visitors — typically via worms in the Stration family. We can only hope that this will not cause Google to remove Blogger.com's templating engine — which is both a source of its strength, and a potential liability as illustrated by these recent attacks."
  • Good old javascript (Score:2, Interesting)

    by Anonymous Coward on Friday March 16, 2007 @02:12PM (#18378069)
    This stuff just isn't ever going to be fixed. Some folks may not like it, but with all these silly problems, AJAX is the new MS Windows of the 21st century.

    No, that's not a troll. Just an observation that many want to cover up.
  • SPAM (Score:2, Interesting)

    by mastershake_phd ( 1050150 ) on Friday March 16, 2007 @02:15PM (#18378105) Homepage
    Not to mention blogs set up just to be filled with spam. Google must give these popular sites some leeway, before delisting them.
  • That's a STRENGTH? (Score:3, Interesting)

    by ScentCone ( 795499 ) on Friday March 16, 2007 @02:26PM (#18378223)
    A template that allows people to slap a meta redirect into the header is strength that they hope Google will still respect? If you want to play those games, host your own site. The point of these blog-o-spaces is to let people do the easy stuff, not monkey with redirection. On the other hand, I can see how it might take, oh... at least 10 minutes to write a filter that would block the meta redirects on their side of things. That is a lot to ask, even in the face of being Google-blacked.
  • Re:They did what? (Score:3, Interesting)

    by evought ( 709897 ) <{moc.xobop} {ta} {thguove}> on Friday March 16, 2007 @03:41PM (#18379317) Homepage Journal
    In relatively early versions of TCL, they had the ability to create a sub-interpreter. The controlling interpreter could then populate the sub-interpreter with whatever commands and environment were deemed safe and create limited connections between the interpreters. Scripts running in the sub-interpreter simply did not have access to anything else. We used this to execute user scripts and configuration files in secure setups where anything coming in from the outside could be considered suspect. This could easily be done with javascript where untrusted pages/scripts would run in a limited sandbox. It was not terribly inefficient, either (against the interpreter overhead) and could even be nested. The page itself could even request such treatment, or an otherwise trusted page could request it for certain blocks of code. This pushes the actual security responsibility to the interpreter where it arguably belongs anyway. The client could decide it doesn't like the whole page and run it all in a sandbox.

    Overall, I think javascript is much overused and abused for what should be simple content.
  • Re:They did what? (Score:2, Interesting)

    by klenwell ( 960296 ) <[klenwell] [at] [gmail.com]> on Friday March 16, 2007 @04:01PM (#18379587) Homepage Journal
    Agreed, but the ability to fully edit the source does make Blogger more fun than a lot of other 2.0 sites and I'd hate to see it go away.

    Interestingly, both Blogger and Googlepages are now Google services. Blogger is obviously meant for blogging and Googlepages for setting up common web pages, but Googlepages is a headache and Blogger offers the ability to edit the source. So if I need to set up a random web page on the web and I want it to look like I want it to look (and not have ads plastered all over it), I'll use Blogger. I don't know anywhere else on the web where I can do this.
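
The server-side filter for meta redirects mentioned in the thread, sketched as an added example (not code from the thread, Google, or Fortinet): it parses a blog template and reports every meta refresh whose target leaves the blog's own host. It covers only the meta form, not JavaScript redirection; the function names, the sample template and the `.example` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# content="<delay>; url=<target>": both the delay and the "url=" prefix are optional.
_REFRESH = re.compile(r"^\s*(\d+(?:\.\d*)?)?\s*[;,]?\s*(?:url\s*=\s*)?(.*)$", re.I | re.S)

class MetaRefreshFinder(HTMLParser):
    """Collects (delay_seconds, absolute_target) for every meta refresh with a target."""
    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.redirects = []

    def handle_starttag(self, tag, attrs):  # also called for <meta ... />
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        delay, target = _REFRESH.match(attr.get("content", "")).groups()
        target = target.strip().strip("'\"")
        if target:  # a bare delay only reloads the same page
            self.redirects.append((float(delay or 0), urljoin(self.page_url, target)))

def offsite_redirects(html, page_url):
    """Return the meta refresh redirects in html that point away from page_url's host."""
    finder = MetaRefreshFinder(page_url)
    finder.feed(html)
    finder.close()
    home = urlparse(page_url).hostname
    return [(d, t) for d, t in finder.redirects if urlparse(t).hostname != home]

# Constructed sample input: one off-site instant redirect, one same-site slow reload.
PAGE_URL = "http://constructed-blog.example/"
SAMPLE_TEMPLATE = """<html><head>
<title>My blog</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Refresh" content="0; URL=http://login.phish.example/verify">
<meta http-equiv="refresh" content="600; url=/index.html">
</head><body>post</body></html>"""

if __name__ == "__main__":
    for delay, target in offsite_redirects(SAMPLE_TEMPLATE, PAGE_URL):
        print(f"off-site meta refresh after {delay:g}s -> {target}")
```
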
