Forgot your password?
typodupeerror
Security Google

Massive Badware Campaign Targets Google's "Long Tail" 88

Posted by kdawson
from the too-much-time-on-their-hands dept.
A post by Cyberveillance a couple of weeks back revealed a complex black-hat operation involving Google searches leading to hundreds of thousands of bogus blogs, exploiting the "long tail" of search results and isolated from Google's auto-detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, but make aggressive attempts to install a fake Windows anti-virus tool (which is actually a Trojan horse) if clicked through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation, which puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located in Google; some of them have upwards of 1000 posts. This analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords) where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign is active for at least 6 months, webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity. The good news is Google seems to have noticed this problem. Probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."
This discussion has been archived. No new comments can be posted.

Massive Badware Campaign Targets Google's "Long Tail"

Comments Filter:
  • But it sure does have a hell of a deep end.

  • Yet Another Reason (Score:4, Informative)

    by causality (777677) on Friday November 27, 2009 @12:10PM (#30246160)
    to use anti-tracking measures. For example, the HTTP Referrer sent by my browser always gives the site its own homepage no matter what the actual referrer would have been. I use several other measures as well (such as redirect removers) because Web sites are on a need-to-know basis and I don't recognize their need to know where I've been or how I got to their page. If I visited such a blog from Google, the blog site would not know it and it would look to the site like I just went directly to its page. I use Linux but if I were using a Windows system vulnerable to these exploits, I still would not receive the exploits. There are already abundant reasons not to give away your usage data to anyone who wants it; this just provides one more.
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Please, explain. Is this a FF addon, a custom browser, or what? 'cuz AC wants it.

      • by farlukar (225243) on Friday November 27, 2009 @12:21PM (#30246252) Homepage Journal

        With the web developer toolbar [mozilla.org] you can disable referrers.

      • by causality (777677) on Friday November 27, 2009 @12:28PM (#30246314)

        Please, explain. Is this a FF addon, a custom browser, or what? 'cuz AC wants it.

        I use Firefox on Linux with several addons. For the HTTP Referrer, I use an addon called RefControl. I have it set to fake the referrer by default. So if I do a Google search and from the search results decide to click on http://www.someblog.com/blogs/page.html [someblog.com], the Web server does not receive a google.com referrer. The referrer it receives is http://www.someblog.com/ [someblog.com]. The only exceptions are certain Web sites I do business with, because this fake-referrer behavior can break some shopping carts. That particular add-on lets you specifically exempt certain sites and only those sites.

        In addition to that, I use Adblock Plus with the Element Hiding Helper and the Easyprivacy+Easylist subscription. I also use NoScript and that alone takes care of many Javascript tricks that redirect or obfuscate the actual destination of a link. I also disable so-called "HTTP PING", which can be done in Firefox under "about:config". My /etc/hosts file is 1.5MB, all of which blocks various ad servers by directing them to localhost. My machine will not accept any references to Google Analytics or various other analytics/tracking services. As a side-effect, all of this makes pages load much faster.

        When I use Google or any other search engine, all of the links in the results go directly to the actual site. It is not redirected in any way. Therefore even Google does not know which link I clicked, or whether I clicked any at all. With the measures I mentioned above, the site I visit has no idea that I got there from Google. It looks to the site like I just opened a new browser window and directly typed its URL into the Address bar no matter how I actually got there.

        I've always felt that if your business model relies on getting information about me against my will, then your business model deserves to fail. I'll add too that the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs. The measures I describe above do not provide real computer security -- they provide human privacy. In this case, however, they make it much harder for the sites in question to target you because their "targeting data" is based on first compromising your privacy.

        • by Tim C (15259) on Friday November 27, 2009 @01:14PM (#30246712)

          the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs

          There's no vulnerability in the browser, the issue is that the site displays fake warning messages, tricking the user into downloading and installing their malware.

          • by causality (777677) on Friday November 27, 2009 @01:42PM (#30246956)

            the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs

            There's no vulnerability in the browser, the issue is that the site displays fake warning messages, tricking the user into downloading and installing their malware.

            I re-read the article and you are absolutely right about this. Thank you for correcting me. This apparently is a social engineering attack and is not the "drive-by download" attempt that I assumed.

            From the article:

            These site (they act only as redirectors) immediately redirect people further to acual scareware sites (e.g. antivir3 .com, antimalware-3 .com, cyber-scan008.com etc.) which perform a fake test and make people think that their computers are infected (Displaying Windows interface even for Linux and Mac users ;-)). Pretty much the same as what I described a year ago. Just slightly improved interface (the fake warning window is now draggable!). Don’t be fooled.

            Playing a little "devil's advocate", I suppose the case could be made that browser windows created by remotely originating Javascript should not be able to create windows that look like locally created warnings. Perhaps the windows Javascript can create should be marked in some way to make it obvious that it's the result of a Web site. Then you would end up with a warning to the effect of "Your system is infected with a virus, oh noes!" with an immutable titlebar that says "This window created by the Web site example.com" which should make the warning less convincing.

            I call that devil's advocate because I don't believe these problems will ever really go away until and unless the average user gets a clue. Titlebars on windows that label the origins of the windows are nice and consistent with full disclosure, but they are no substitute for user education.

            I think it should be explained to average users sort of like this: "there is and for some time has been a class of user that is easily exploited by all the latest scams, adware, and spyware. That class represents the lowest common denominator of user expertise and are targeted because they are the low-hanging fruit, the easiest to fool. The only choice in the matter available to you is whether you will be a member of that class. Your membership in that class is entirely voluntary because no one forces you to remain ignorant or to use what you do not understand. Do you still think that informing yourself, achieving a basic level of competency, and maybe reading a book or two is 'only for experts' or otherwise is such an unreasonable burden?"

            The way I see it, you pay one way or the other. You pay with a little of your time and effort to understand the tools you use each day, how they are supposed to work, and this naturally includes an ability to understand how someone might attempt to use them against you. If you are unwilling to pay that way, then you pay in the form of higher exposure and greater vulnerability to all kinds of malware and scams and other attacks that have become so commonplace today. The attempts to deny the reality of this situation all have one thing in common: they depend on pretending that the individual user is not making a choice when they allow themselves to remain ignorant in the face of abundant information. In other words, they falsely advocate the essential helpless victimhood of people who are not helpless and could choose differently.

            The way I view things, the scammers are just attaching a higher price tag to the poor decision-making that is already systemic in our society. For example, people who accept car loans with a duration of 60 months (and sometimes more) are doing the same thing financially. They look at only the monthly payment and do not account for the total amount that they will end up paying, nor do they account

            • Re: (Score:3, Informative)

              by nabsltd (1313397)

              Playing a little "devil's advocate", I suppose the case could be made that browser windows created by remotely originating Javascript should not be able to create windows that look like locally created warnings. Perhaps the windows Javascript can create should be marked in some way to make it obvious that it's the result of a Web site.

              This is a good idea, but unfortunately dynamic HTML allows the creation of "windows" within the browser, and there really is no way to limit this without seriously destroying page layout.

              Sure, these moveable HTML elements are confined to the browser window, but I think that somebody who would believe that a web site has "scanned" a D:\ drive that doesn't exist and found malware wouldn't notice that a window wasn't "outside" the browser.

        • When I use Google or any other search engine, all of the links in the results go directly to the actual site. It is not redirected in any way. Therefore even Google does not know which link I clicked, or whether I clicked any at all. With the measures I mentioned above, the site I visit has no idea that I got there from Google. It looks to the site like I just opened a new browser window and directly typed its URL into the Address bar no matter how I actually got there.

          I was wondering how you manage this? Google search results all output a google-based url that then redirects . The printed URL is often truncated, so you can't go to it automatically.

          • Re: (Score:3, Interesting)

            by causality (777677)

            When I use Google or any other search engine, all of the links in the results go directly to the actual site. It is not redirected in any way. Therefore even Google does not know which link I clicked, or whether I clicked any at all. With the measures I mentioned above, the site I visit has no idea that I got there from Google. It looks to the site like I just opened a new browser window and directly typed its URL into the Address bar no matter how I actually got there.

            I was wondering how you manage this? Google search results all output a google-based url that then redirects . The printed URL is often truncated, so you can't go to it automatically.

            Try turning off Javascript. Or in my case, leave Javascript turned on and use NoScript. I personally add all Google domains to the "untrusted" list of Noscript. For me, there are no redirects of any sort. I get the direct URLs. I can copy-and-paste them into a new tab and it's a direct link straight to the site with no evidence that it came from a Google search. Of course, not using Google's Javascript means that my statusbar is honest about where the link goes, so there's no need to do all of that ju

        • +INFINITY (Score:3, Interesting)


          This is possibly the best post that has ever been made at /.

          I have been wanting the ability to mask HTTP REFERRER [sic sic] since practically Day One of getting on the WWW [and certainly since the first time I ever put a sniffer on the network stack and saw all the personal information that was being given away to God-only-knows whom].

          It's hard to believe that it's taken us almost two decades to be able to surmount the single most egregious mistake [ietf.org] that Tim Berners-Lee made in designing [or mis-designi
        • The HTTP referrer field may create privacy concerns for some people, but there are definite concrete benefits in web development to having data from this field available on an aggregate level. Examples:

          - See the paths people take when browsing a site, and arrange/optimise the design accordingly (generaly to make browsing a site easier)
          - See what search engine queries generally land a user at a page, so in the long run the content can be tailored towards what people are actually searching for

          I don't
          • by causality (777677)

            The HTTP referrer field may create privacy concerns for some people, but there are definite concrete benefits in web development to having data from this field available on an aggregate level. Examples:

            - See the paths people take when browsing a site, and arrange/optimise the design accordingly (generaly to make browsing a site easier)
            - See what search engine queries generally land a user at a page, so in the long run the content can be tailored towards what people are actually searching for

            I just

          • Anyone who would actually care about this is also blocking cookies and javascript and won't show up in your web analytics in the first place. Even if ever browser had a prominent "block referrer" option, 90% of people wouldn't bother.

    • Re: (Score:1, Redundant)

      For example, the HTTP Referrer sent by my browser always gives the site its own homepage no matter what the actual referrer would have been

      Want that. Is that a released add-on or did you just patch and recompile the source?

      • Re: (Score:3, Informative)

        by causality (777677)

        For example, the HTTP Referrer sent by my browser always gives the site its own homepage no matter what the actual referrer would have been

        Want that. Is that a released add-on or did you just patch and recompile the source?

        I use the FireFox addon RefControl [mozilla.org] to handle the HTTP Referrer.

    • by dyefade (735994)

      There are already abundant reasons not to give away your usage data to anyone who wants it; this just provides one more.

      Please explain why you'd rather not reveal your referrer data. (New example from TFA aside.)
      Working with web analytics, I can say referrer information is extremely useful, and not in a way which would lead you to any downsides, that I can think of at least.

      (Not trolling, I'm genuinely interested...)

      • Please explain why you'd rather not reveal your referrer data. (New example from TFA aside.)

        Maybe if you're embarassed because you still use Altavista search

    • Sites that were hacked were done using an .htaccess user agent redirect. In a strange twist, IIS' web.config does not have that particular feature (well, with plugins, but not by default) so IIS is by-and-large not affected by this hack. Most of the sites had an .htaccess file that was writeable, in fact, many were chmod 777. Many CMS auto-upgrade scripts and url-rewrite plugins require a chmod 755 using apache's .htaccess file, but so many people just 777 it.

  • Long Tail (Score:4, Informative)

    by Kolargol00 (1177651) on Friday November 27, 2009 @12:14PM (#30246192)
    The "long tail of search" TFA is referring to is explained in this Wired article [wired.com] and on its author's blog [typepad.com].
  • by HockeyPuck (141947) on Friday November 27, 2009 @12:19PM (#30246236)

    Speaking of bogus blogs... What really ticks me off is if I'm searching for a answer to a technical problem, I often find the same message thread on 10 different sites. I wish google would realize these are all the exact same thread and combine them into a single response.

    • by Rogerborg (306625)
      Let me give you a breakdown of Google searches:
      • 75% "naked horny asian gay teen donkey"
      • 12% "american idol"
      • 6% "britney spears"
      • 6% "brittany speers"
      • 1% "technical problems"

      See why it might not be top of their To Do list?

    • by mikael_j (106439)

      Yes, those sites have actually become more annoying than the regular Experts Exchange-like sites that show content to google but not real users, at least those sites have the answer and can generally be tricked in various ways, the sites that just copy mailing lists are useless, especially the ones that "match" a hundred different questions so that they'll always be in the top 10 for a lot of searches yet they don't even have the answers to the questions, just other vaguely related questions.

      /Mikael

      • by colesw (951825)
        As a note, at least for Experts Exchange, you can scroll to the bottom of the page to see the content.
    • by causality (777677) on Friday November 27, 2009 @12:43PM (#30246438)

      Speaking of bogus blogs... What really ticks me off is if I'm searching for a answer to a technical problem, I often find the same message thread on 10 different sites. I wish google would realize these are all the exact same thread and combine them into a single response.

      No joke. You omitted one part, however. You'll find the same message thread on 10 or more different sites, true. The part I would add is that in each instance, someone is asking the question but no one has responded with a meaningful answer. Sometimes I have better luck excluding terms like "archive" and "mailing list" from the search results.

      I forgot their name but there is a company or two that I would describe as parasites. They try hard to have high visibility in search results when it comes to someone asking questions. When you click the link, however, you find that they want you to pay a fee to see the answer. Usually this is for basic technical support information that is not secret or otherwise proprietary in any way. I bet they had to work really hard to craft their pages in such a way that the Google summary gives no indication that it's a for-pay site. It makes me wonder if they are subsidized in some way or whether enough people really do pay them enough money to stay in business on their own.

      • by CALI-BANG (14756)

        I forgot their name but there is a company or two that I would describe as parasites. They try hard to have high visibility in search results when it comes to someone asking questions. When you click the link, however, you find that they want you to pay a fee to see the answer. Usually this is for basic technical support information that is not secret or otherwise proprietary in any way. I bet they had to work really hard to craft their pages in such a way that the Google summary gives no indication that it's a for-pay site. It makes me wonder if they are subsidized in some way or whether enough people really do pay them enough money to stay in business on their own

        seems like experts-exchange.com, living off the contributed answers from its early years.

        i just add -experts-exchange when i search for something.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          For experts-exchange, the answers are at the bottom of the page. Just scroll ALL the way down. Really, try it.

        • Or just become a genius hacker and scroll to the bottom of the ee page, when you go to it! What an “impressive” way of “hiding” the solution from you, while allowing Google to index it, no? ^^

          Protip: If Google shows it, it’s in the page! If it does not help to scroll, turn of the style(s| sheets) and JavaScript.

          • And set UserAgent to Googlebot 2.1. But don't leave it that way using google services. It gets scared and hides behind a sorry page.
    • Speaking of bogus blogs... What really ticks me off is if I'm searching for a answer to a technical problem, I often find the same message thread on 10 different sites. I wish google would realize these are all the exact same thread and combine them into a single response.

      The problem I have with Googling technical problems is that the 10 sites that do show up often have all the wrong information.

      I was searching for info on converting latin1 to utf8 to make a similar point, and I went through almost all the top 100 results before I got to a post that mentioned you needed to convert the content INSIDE the database as well...and that post didn't even mention how. There are about 20 Wordpress scripts that convert the databases from latin1 to utf8, but do so by converting the dat

    • I despise sites that simply reproduce content from forums or mailing lists like that.

      Which is why whenever I find one with my comment on it I immediately send their host a DMCA take down.

      Finally a good use for the DMCA :P

    • by BillX (307153)

      Be thankful, those at least have some chance of having an answer to the technical problem, even if there are copies scattered all over. Outside of the "program x barfs cryptic error message y"-type queries, my results for any search containing a vaguely technical/engineering term all start with "System and method of..." I've actually started adding -patent to my queries to not have to click past the 3 pages of junk patent applications that somehow manage to claw their way to the top of the listings.

  • by mikael_j (106439) on Friday November 27, 2009 @12:29PM (#30246324)

    This could possibly be the only time one of the retarded things our company-wide firewall did turns out to be right, it strips all referrer headers from HTTP traffic (which has caused me endless pain since some of my work involves said headers).

    Of course, it still blocks all "application/---" MIME types which makes no sense and has caused even more issues (apparently anything with a MIME type that starts with application/ is a dangerous executable and must be blocked).

    /Mikael

  • I get what these extortion-ware programs are. I've removed a few from my various relatives windows machines with malwarebytes and 1 other program (it's funny how no 1 program seems to be able to remove these vicious buggers). What I don't understand is how these a$$holes are getting their money. So the last time it happened to my uncle I told him to pay. He paid with a visa, waited a week and disputed the charge. It took him a few weeks, but finally got the chargeback, which I'm sure cost the a$$holes so

    • Re: (Score:3, Interesting)

      by cdrguru (88047)

      The problem with the "follow the money" is that nobody with any means to do anything cares. Let's say you track the money to some Netherlands bank and find the guys running it. Local law enforcement, acting on your behalf, says "Gee, American sucker lost money. So what?"

      UK, Ireland and Australia might care. Most other places you would need to hire a local lawyer and sue them in local court because local law enforcement just isn't interested. And if you get into places like Romania or Bulgaria you find

  • "Windows is a vulnerable POS" "New virus/trojan/worm affects Windows" "Every Windows computer can be assumed to be compromised, trojan-laden, and part of some botnet thats either being used to compromise other Windows machines, capture the user's personal information and/or to pump out anonymous spam".

    Assume these as static truths. Eg, not 'news'.

    Now what would *really* be news, is if a day went by and there wasn't some new compromise/attack/vulnerability affecting Windows machines.

    I live in hope that somed

    • Re: (Score:2, Insightful)

      by dskzero (960168)
      News would be that no one takes time to complain about windows whenever some new vulnerability is discovered. I'm willing to be that if any one linux distribution was used as much as windows, the story would be different.
      • Ah I see you subscribe to the 'popularity myth'.

        Thoroughly debunked here:

        http://www.desktoplinux.com/articles/AT5785842995.html [desktoplinux.com]

        • by dskzero (960168)
          First off, you missed the point of my reply. It was meant to show that anything popular will have its fair share of detractors, not that Linux is as insecure as Windows and would have as many security problems. Put the gun back into your holster. Second, that's one of the most biased articles I've ever read: No surprise when the one who wrote it is named "Roaring Penguin", and the website is desktoplinux.com. If something's keeping me from loving linux, it's the rabid fanboys trying to convert me, screamin
  • But I just shrugged these off as random malware.

    Blogs are going to be another morass of evil, because of so many that just regurgitate/copy/mimic each other, the insecurity problem, and the general lameness of nobody saying nothing.

    And Google gets to look good on this, which is not really making me feel warm & fuzzy.

  • Interesting timing (Score:3, Interesting)

    by wwphx (225607) on Friday November 27, 2009 @12:38PM (#30246396) Homepage
    I've had probably 50 people try to register on my message board in the last couple of weeks, mainly from RIPE in Amsterdam and LACNIC in Montevideo. I've considered banning RIPE's IP addresses entirely. The ones that I have approved have been posting your typical porn and Viagra links, I'm not sure if this is exactly the same as I won't follow their liniks to see if it's to blog posts.

    I wasn't sure if there'd been a compromise for SMF boards or if there's a list of low-activity boards that spammers share where my site got listed recently and thus people are trying to post there or what, but I've had to turn on administrator-approval of all memberships, which really ticks me off. I'm thinking about reinstalling my board to change the directory but haven't had time to mess with it.
    • I noticed I've had a bunch of assholes running into my CAPTCHA wall for my PHPBB board.

      • by wwphx (225607)
        I originally had my board set to the applicant doing a medium CAPTCHA and verifying an email. I'm not sure if there were people on the other end authenticating to get in and post spam, or if there was an exploit with SMF that let them bypass part of the login authentication with a hack.
  • Bing! (Score:3, Funny)

    by blackfrancis75 (911664) on Friday November 27, 2009 @12:41PM (#30246422)
    Those guys at Bing have been busy.
    (I know the trojan targets Windows - I say it's a hit they were willing to take)
  • I noticed (Score:3, Interesting)

    by HangingChad (677530) on Friday November 27, 2009 @12:45PM (#30246456) Homepage

    One of my sites got hacked, along with a bunch of others on Inmotion Hosting. Inmotion tried to claim the user client machines were compromised and all the hacks were just FTP connections, but I don't believe that. It could have been related to an older version of phpbb I was running, but it didn't originate with my desktop.

    The hack added thousands of links to almost every html file in the site, pages and pages of links, and set up rogue directories packed with thousands of html pages (2,147 in one directory). Took me days to clean all that crap out. What was amazing was the sheer scope. Thousands of websites all around the world compromised within a few days of one another and massive cross-linking network set up. It would take a big team to do that legally.

    It's hard to blame Google for an organization going to that much trouble to game the system. I thought I ran a pretty secure site and it's hard to blame the host.

    Here's the head scratcher for me. These people obviously have a very broad base of technical skill and resources. Imagine if they applied that talent to something legal. What's the payoff for all the trouble of building the link network? Do they make more doing this than setting up something legal?

    • by Spad (470073)

      I've read quite a lot of articles about these link farms and associated spam emails, some are designed to spread malware to create botnets which can then be resold á la CPU time on supercomputers and others are designed to send traffic to websites of dubious repute such as Canadian Pharmacy. Some of these sites pay a shitload of money to people who can refer traffic to them, claims of $100,000 a day being made by some of these link spammers.

      There's a whole economy around spam, website hacks and malware

    • Do they make more doing this than setting up something legal?

            short obvious answer, yes.

  • Been a lot longer than 6 months, I've been seeing these things on end user machines for over a year.

  • by Animats (122034) on Friday November 27, 2009 @02:21PM (#30247312) Homepage

    The big search engines remain too "soft" on bottom-feeders. Google once took a harder line. In 2004 and 2005, Google sponsored the Web Spam Summit. Then they had a down quarter and turned to the dark side. Since then, from 2006 to 2009, they've sponsored the Search Engine Strategies conference, the web spammer's convention.

    Google has to do this to remain profitable. 35% of AdWords advertisers, by domain, are "bottom-feeders" [sitetruth.net] - sites with no identifiable legitimate business behind them. A significant portion of Google's revenue comes from those bottom-feeders, and the AdWords ads on their sites. If Google filtered out all spam blogs, their revenue would decline.

    We, of course, run SiteTruth [sitetruth.com], as a demo to show that search can have less evil. Try putting some of those "bad" sites into SiteTruth and see how it rates them.

    (We get some whining, of course. "I wanna run ads on my blog and I don't wanna say who I am." Tough. You're operating a business, and businesses, by law, don't get to be anonymous. Even in the EU. Deal with it.)

    • If Google filtered out all spam blogs, their revenue would decline.

      And this, children, happens when you sell your soul to the golden cow.
      There always comes the moment when you have to choose, if you will walk over dead bodies, for it.

      As if there were no bigger ideals and goals to follow, than money, money, money...

  • I use all the same things that fellow geeks tend to use...Adblock Plus, NoScript, host file, etc. They work great for me but for the average person (family, friends, customers, etc) I find that a few minutes of explaining the existence and nature of the 'dark side', combined with the addition of a few basic measures keeps most of the crap at bay with little effort on their part. From speaking to them on a regular basis (I've been driving around fixing home and business machines for over 5 years now (3-5 cal

  • ...targeting my “long tail”?

    Oh... with badware? Well then, no thanks. ^^

  • I encountered this over a year ago. In the summer 2008, to be exact. A large academic publisher's website was hacked to redirect to malware when seeing "google" in the REFERER string, yet function normally otherwise. It has taken me a day to realize it wasn't Google's or my computer problem. It has taken me two or three emails to a journal editor over a couple weeks to have the site webmaster finally notice and believe it was his server responsible and not something else. Half the traffric was hijacked, yet
  • webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity.

    How do they notice it then? Complexly?

    You can't expect words to mean the same thing when you string them together out of order.

"Hello again, Peabody here..." -- Mister Peabody

Working...