Massive Badware Campaign Targets Google's "Long Tail"

A post by Cyveillance a couple of weeks back revealed a complex black-hat operation in which Google searches lead to hundreds of thousands of bogus blogs. The operation exploits the "long tail" of search results and is shielded from Google's automated detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, so a scanner that fetches them without arriving through a Google result sees nothing wrong, but they make aggressive attempts to install a fake Windows anti-virus tool (actually a Trojan horse) if the visitor clicks through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation that puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located through Google, and some of them have upwards of 1,000 posts. The analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords), where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign has been active for at least 6 months, webmasters of the compromised sites and their hosting providers simply don't notice this illicit activity. The good news is Google seems to have noticed this problem, probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."
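The Referer-dependent behaviour the summary describes is easy to miss with a single direct fetch, which is the check most automated blocklists perform. The following script is an added example (it is not code from the article, from Cyveillance or from Unmask Parasites) that models a cloaking origin and a checker that requests the same URL with several Referer and User-Agent combinations and flags any divergence from the direct fetch. The hostnames, the scareware URL and the `simulated_fetch` client are constructed stand-ins; swap in a real HTTP client to probe a live URL.

```python
"""Referer-based cloaking check (added example; not code from the article or
from the researchers it cites).

The bogus blogs serve a harmless page when fetched directly and only redirect
to the scareware chain when the request claims to come from a Google search.
A scanner that fetches the URL without a Referer therefore sees nothing wrong.
`cloaked_origin` models that behaviour; `check_cloaking` fetches the same URL
under several probes and reports which ones differ from the direct fetch.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample hosts (reserved .invalid TLD, so nothing resolves).
CLOAKED_HOST = "example-blog.invalid"
HONEST_HOST = "honest.invalid"
SCAREWARE_URL = "http://scareware.invalid/scan"  # hypothetical stand-in for the redirector chain


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def cloaked_origin(url: str, request_headers: Dict[str, str]) -> Response:
    """Model of the attacker's page: benign unless the visitor arrived from Google.

    The decision rests purely on the client-supplied Referer, so a direct visit,
    a crawler fetch and a visit from another search engine all get the
    innocuous post.
    """
    referer_host = urlparse(request_headers.get("Referer", "")).netloc.lower()
    came_from_google = referer_host.startswith("www.google.")
    if urlparse(url).netloc.lower() == CLOAKED_HOST and came_from_google:
        return Response(302, {"Location": SCAREWARE_URL}, "")
    return Response(200, {"Content-Type": "text/html"},
                    "<html><body>An innocuous blog post.</body></html>")


def simulated_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Offline stand-in for an HTTP client; replace with a real one to test a live URL."""
    return cloaked_origin(url, headers)


# Each probe is a set of request headers; "direct" is the baseline the others
# are compared against. The Googlebot probe shows that a crawler fetch without
# a Referer is indistinguishable from a direct visit to this kind of page.
PROBES: Dict[str, Dict[str, str]] = {
    "direct": {"User-Agent": "Mozilla/5.0"},
    "from_google": {"User-Agent": "Mozilla/5.0",
                    "Referer": "https://www.google.com/search?q=some+long+tail+keyword"},
    "from_bing": {"User-Agent": "Mozilla/5.0",
                  "Referer": "https://www.bing.com/search?q=some+long+tail+keyword"},
    "googlebot": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
}

Fingerprint = Tuple[int, Optional[str], int]


def fingerprint(resp: Response) -> Fingerprint:
    """Status, redirect target and body length: enough to spot a cloaked redirect."""
    return (resp.status, resp.headers.get("Location"), len(resp.body))


def check_cloaking(url: str, fetch: Callable[[str, Dict[str, str]], Response]) -> dict:
    """Fetch `url` under every probe and report which ones differ from the direct fetch."""
    observed = {name: fingerprint(fetch(url, dict(headers))) for name, headers in PROBES.items()}
    baseline = observed["direct"]
    differing = sorted(name for name, fp in observed.items() if fp != baseline)
    return {"url": url, "cloaked": bool(differing), "differing_probes": differing, "observed": observed}


if __name__ == "__main__":
    for host in (CLOAKED_HOST, HONEST_HOST):
        report = check_cloaking(f"http://{host}/2009/11/some-post", simulated_fetch)
        print(report["url"], "cloaked" if report["cloaked"] else "consistent", report["differing_probes"])
```

Against a live site the fingerprint should also include a hash of the final body after following redirects, since a redirector chain may answer 200 with an injected script rather than a 302; the point of the design is that the verdict comes from comparing fetches against each other, not from inspecting any single one.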

  • by Anonymous Coward on Friday November 27, 2009 @12:13PM (#30246190)

    Please, explain. Is this a FF addon, a custom browser, or what? 'cuz AC wants it.

  • by HockeyPuck ( 141947 ) on Friday November 27, 2009 @12:19PM (#30246236)

    Speaking of bogus blogs... What really ticks me off is if I'm searching for an answer to a technical problem, I often find the same message thread on 10 different sites. I wish Google would realize these are all the exact same thread and combine them into a single response.

  • by mikael_j ( 106439 ) on Friday November 27, 2009 @12:29PM (#30246324)

    This could possibly be the only time one of the retarded things our company-wide firewall did turns out to be right, it strips all referrer headers from HTTP traffic (which has caused me endless pain since some of my work involves said headers).

    Of course, it still blocks all "application/---" MIME types which makes no sense and has caused even more issues (apparently anything with a MIME type that starts with application/ is a dangerous executable and must be blocked).

    /Mikael

  • by 2PAIRofACES ( 302747 ) on Friday November 27, 2009 @12:31PM (#30246332)

    I get what these extortion-ware programs are. I've removed a few from my various relatives' Windows machines with Malwarebytes and one other program (it's funny how no one program seems to be able to remove these vicious buggers). What I don't understand is how these a$$holes are getting their money. So the last time it happened to my uncle I told him to pay. He paid with a Visa, waited a week and disputed the charge. It took him a few weeks, but he finally got the chargeback, which I'm sure cost the a$$holes some of their own cash. Of course, during this period of time, the "anti-virus 2009" wasn't actually removed, but was weakened enough for my uncle to hop on the net and download his own Malwarebytes and clean his system up. From now on, every time a relative gets this or one of its bastard brothers, I'm advising a "pay now and charge back a week later" approach. I hope it catches on and the credit card companies, whose love of money has thus far blinded them to the illegal extortion scheme they've been aiding, decide it just isn't profitable to keep moving money for the a$$holes.

    Which brings me to my second point. I have a 5 year old son. I explained in simple terms, without analogy, what the a$$holes are doing, and HE grasped that it was wrong, so why haven't our law enforcement officials done so? I assume without knowing that most of the a$$holes are foreign nationals. FOLLOW THE DAMN MONEY. I can hire a P.I. for $250 who could tell me where the money is going. When the money gets where it's going, have our LEO on the phone with the local LEO and, just a name off the top of my head, Hillary Clinton on 3-way, and DEMAND that whoever got the money start talking. If Hillary can't be bothered, fire the bitch and get someone who can spare 20 minutes to help thousands, maybe hundreds of thousands, of their countrymen not be extorted. Rinse, repeat as necessary until we get to the BIG CHEESE. Don't extradite, let them be tried wherever they're found, preferably with charges that translate to "screwing with our government's aid deals with the U.S." (there aren't THAT many countries the U.S. isn't funneling money, or at LEAST food, to).

    Functionally, there isn't much difference between these programs and foreign nationals walking into grandma's house, ripping her computer out and refusing to hand it back without $30. If we can't fix such an obvious problem economically or politically, then we are left with a third option. Find them and take them out with drones. I'm not even remotely kidding. I hope it doesn't come to it, but how many of us would bat an eye if it did?

  • Interesting timing (Score:3, Interesting)

    by wwphx ( 225607 ) on Friday November 27, 2009 @12:38PM (#30246396) Homepage
    I've had probably 50 people try to register on my message board in the last couple of weeks, mainly from RIPE in Amsterdam and LACNIC in Montevideo. I've considered banning RIPE's IP addresses entirely. The ones that I have approved have been posting your typical porn and Viagra links. I'm not sure if this is exactly the same, as I won't follow their links to see if it's to blog posts.

    I wasn't sure if there'd been a compromise for SMF boards or if there's a list of low-activity boards that spammers share where my site got listed recently and thus people are trying to post there or what, but I've had to turn on administrator-approval of all memberships, which really ticks me off. I'm thinking about reinstalling my board to change the directory but haven't had time to mess with it.
  • I noticed (Score:3, Interesting)

    by HangingChad ( 677530 ) on Friday November 27, 2009 @12:45PM (#30246456) Homepage

    One of my sites got hacked, along with a bunch of others on Inmotion Hosting. Inmotion tried to claim the user client machines were compromised and all the hacks were just FTP connections, but I don't believe that. It could have been related to an older version of phpbb I was running, but it didn't originate with my desktop.

    The hack added thousands of links to almost every HTML file in the site, pages and pages of links, and set up rogue directories packed with thousands of HTML pages (2,147 in one directory). Took me days to clean all that crap out. What was amazing was the sheer scope. Thousands of websites all around the world compromised within a few days of one another and a massive cross-linking network set up. It would take a big team to do that legally.

    It's hard to blame Google for an organization going to that much trouble to game the system. I thought I ran a pretty secure site and it's hard to blame the host.

    Here's the head scratcher for me. These people obviously have a very broad base of technical skill and resources. Imagine if they applied that talent to something legal. What's the payoff for all the trouble of building the link network? Do they make more doing this than setting up something legal?

  • by causality ( 777677 ) on Friday November 27, 2009 @01:42PM (#30246956)

    the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs

    There's no vulnerability in the browser, the issue is that the site displays fake warning messages, tricking the user into downloading and installing their malware.

    I re-read the article and you are absolutely right about this. Thank you for correcting me. This apparently is a social engineering attack and is not the "drive-by download" attempt that I assumed.

    From the article:

    These sites (they act only as redirectors) immediately redirect people further to actual scareware sites (e.g. antivir3 .com, antimalware-3 .com, cyber-scan008.com etc.) which perform a fake test and make people think that their computers are infected (displaying a Windows interface even for Linux and Mac users ;-)). Pretty much the same as what I described a year ago. Just a slightly improved interface (the fake warning window is now draggable!). Don't be fooled.

    Playing a little "devil's advocate", I suppose the case could be made that browser windows created by remotely originating Javascript should not be able to create windows that look like locally created warnings. Perhaps the windows Javascript can create should be marked in some way to make it obvious that it's the result of a Web site. Then you would end up with a warning to the effect of "Your system is infected with a virus, oh noes!" with an immutable titlebar that says "This window created by the Web site example.com" which should make the warning less convincing.

    I call that devil's advocate because I don't believe these problems will ever really go away until and unless the average user gets a clue. Titlebars on windows that label the origins of the windows are nice and consistent with full disclosure, but they are no substitute for user education.

    I think it should be explained to average users sort of like this: "there is and for some time has been a class of user that is easily exploited by all the latest scams, adware, and spyware. That class represents the lowest common denominator of user expertise and are targeted because they are the low-hanging fruit, the easiest to fool. The only choice in the matter available to you is whether you will be a member of that class. Your membership in that class is entirely voluntary because no one forces you to remain ignorant or to use what you do not understand. Do you still think that informing yourself, achieving a basic level of competency, and maybe reading a book or two is 'only for experts' or otherwise is such an unreasonable burden?"

    The way I see it, you pay one way or the other. You pay with a little of your time and effort to understand the tools you use each day, how they are supposed to work, and this naturally includes an ability to understand how someone might attempt to use them against you. If you are unwilling to pay that way, then you pay in the form of higher exposure and greater vulnerability to all kinds of malware and scams and other attacks that have become so commonplace today. The attempts to deny the reality of this situation all have one thing in common: they depend on pretending that the individual user is not making a choice when they allow themselves to remain ignorant in the face of abundant information. In other words, they falsely advocate the essential helpless victimhood of people who are not helpless and could choose differently.

    The way I view things, the scammers are just attaching a higher price tag to the poor decision-making that is already systemic in our society. For example, people who accept car loans with a duration of 60 months (and sometimes more) are doing the same thing financially. They look at only the monthly payment and do not account for the total amount that they will end up paying, nor do they account

  • +INFINITY (Score:3, Interesting)

    by mosel-saar-ruwer ( 732341 ) on Friday November 27, 2009 @02:03PM (#30247138)

    This is possibly the best post that has ever been made at /.

    I have been wanting the ability to mask HTTP REFERRER [sic sic] since practically Day One of getting on the WWW [and certainly since the first time I ever put a sniffer on the network stack and saw all the personal information that was being given away to God-only-knows whom].

    It's hard to believe that it's taken us almost two decades to be able to surmount the single most egregious mistake [ietf.org] that Tim Berners-Lee made in designing [or mis-designing] the web.
  • by causality ( 777677 ) on Friday November 27, 2009 @03:20PM (#30247890)

    When I use Google or any other search engine, all of the links in the results go directly to the actual site. It is not redirected in any way. Therefore even Google does not know which link I clicked, or whether I clicked any at all. With the measures I mentioned above, the site I visit has no idea that I got there from Google. It looks to the site like I just opened a new browser window and directly typed its URL into the Address bar no matter how I actually got there.

    I was wondering how you manage this? Google search results all output a Google-based URL that then redirects. The printed URL is often truncated, so you can't go to it automatically.

    Try turning off Javascript. Or in my case, leave Javascript turned on and use NoScript. I personally add all Google domains to the "untrusted" list of Noscript. For me, there are no redirects of any sort. I get the direct URLs. I can copy-and-paste them into a new tab and it's a direct link straight to the site with no evidence that it came from a Google search. Of course, not using Google's Javascript means that my statusbar is honest about where the link goes, so there's no need to do all of that just to see that there is no redirection taking place.

    Removing the redirection alone is half of it. Combining that with spoofing the HTTP Referrer guarantees that the site I visit has no idea how I got there or where I was previously. You should also disallow so-called HTTP Ping because that's just a substitute for redirection and serves the same purpose.

    While their search works perfectly for me, successfully doing this may mean not using Gmail or other (non-search-related) Google services. I say that because I imagine you must accept Javascript and probably also cookies from Google in order to use Gmail. Incidentally, I don't accept their cookies either.

    On this Linux system, I run my own local SMTP server. I use Fetchmail to (periodically, automatically) grab e-mails from my POP3 mailbox as provided by my ISP. Those are forwarded to the SMTP server on localhost. That server processes them through Spamassassin before depositing the e-mails into my user's mbox-style mail directory. I then use a local POP3 server to serve those processed e-mails to any standard e-mail client. In my case, I use Thunderbird because it can use the Spamassassin data as input to its own spam filtering.

    I know that sounds a bit complex but once set up, it just works. I simply fire up Thunderbird like anyone else might do and have no need to concern myself with the chain of events. This provides me with excellent spam filtering and the ability to use Thunderbird's rules to automatically sort my e-mail into convenient folders based on criteria. All of this occurs locally and is fully within my control. None of it requires me to allow Google or anyone else to datamine my e-mail. The only network traffic involved is between Fetchmail and my ISP's mail server; everything else listens on localhost. With a setup like this, I have never felt a need to use Gmail or any similar service -- why would I use those and accept the compromises involved when I can do it myself the way I want? So for me, it's quite easy to just blanket deny all Javascript and all cookies from Google. For people who use many of their services, this probably won't be the case.
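The results-page redirection and the `ping` attribute mentioned above can both be inspected offline. The following is an added example (not code from the post, and not Google's own) that unwraps a wrapped result link back to its direct destination and lists any click beacons on the anchor. It assumes the wrapper is a google.* host with path /url carrying the real target in a `q` or `url` parameter; the sample HTML is constructed, not a captured results page.

```python
"""Unwrap search-result redirect links (added example; not code from the post
or from Google).

With the results page's JavaScript disabled, each hit is a plain link to its
destination; with it enabled, the link goes through a tracking redirector that
carries the real target in a query parameter. `direct_target` turns such a
wrapper back into the direct URL, and `unwrap_result_links` also reports any
`ping` attribute, the other channel the post mentions. Parameter names and the
host pattern are assumptions about the wrapper format.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import parse_qs, urlparse


def _is_google_host(netloc: str) -> bool:
    host = netloc.lower().split(":")[0]
    return host == "google.com" or host.startswith("www.google.") or host.endswith(".google.com")


def direct_target(href: str) -> str:
    """Return the real destination of a /url?q=... wrapper; anything else is returned unchanged."""
    parts = urlparse(href)
    if parts.path != "/url" or not _is_google_host(parts.netloc):
        return href
    query = parse_qs(parts.query)
    for key in ("q", "url"):  # assumed parameter names
        for candidate in query.get(key, []):
            target = urlparse(candidate)
            # Only absolute http(s) targets are unwrapped; a javascript: or
            # relative value stays wrapped rather than becoming a navigation.
            if target.scheme in ("http", "https") and target.netloc:
                return candidate
    return href


class ResultLinkParser(HTMLParser):
    """Collects every <a href> with its unwrapped destination and ping targets."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Dict[str, object]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "a":
            return
        attr = dict(attrs)
        href = attr.get("href")
        if not href:
            return
        direct = direct_target(href)
        self.links.append({
            "href": href,
            "direct": direct,
            "wrapped": direct != href,
            # ping is a space-separated list of URLs the browser POSTs to on
            # click; it leaks the click even when the href itself is direct.
            "ping": (attr.get("ping") or "").split(),
        })


def unwrap_result_links(html: str) -> List[Dict[str, object]]:
    parser = ResultLinkParser()
    parser.feed(html)
    parser.close()
    return parser.links


# Constructed sample results page: one wrapped hit, one direct hit with a ping
# beacon, and one wrapper whose target must not be unwrapped.
SAMPLE_RESULTS = """
<a href="http://www.google.com/url?q=http%3A%2F%2Fexample-blog.invalid%2Fpost%2F123&amp;sa=U">Result 1</a>
<a href="http://honest.invalid/page" ping="http://www.google.com/url?sa=t">Result 2</a>
<a href="http://www.google.com/url?q=javascript:alert(1)">Result 3</a>
"""

if __name__ == "__main__":
    for link in unwrap_result_links(SAMPLE_RESULTS):
        print(link)
```

Opening the `direct` value in a fresh tab is what removes the redirect hop; whether the destination still learns where you came from depends on the browser's Referer policy, which this helper does not change. The scheme check matters because a wrapper parameter is attacker-influenced input on a shared redirector, and unwrapping a `javascript:` value would turn a harmless copy-and-paste into script execution.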

  • by cdrguru ( 88047 ) on Friday November 27, 2009 @03:37PM (#30248070) Homepage

    The problem with the "follow the money" is that nobody with any means to do anything cares. Let's say you track the money to some Netherlands bank and find the guys running it. Local law enforcement, acting on your behalf, says "Gee, American sucker lost money. So what?"

    UK, Ireland and Australia might care. Most other places you would need to hire a local lawyer and sue them in local court because local law enforcement just isn't interested. And if you get into places like Romania or Bulgaria you find out that ripping off Americans is legal there.

    There just isn't any amount of weight someone in the US can bring down internationally to make local law enforcement do anything about this. No amount of diplomatic pressure is going to be enough, because it is going to come down very simply to being too trivial for diplomats to deal with.

    Besides, this isn't happening "in the real world" at all - it is happening on the Internet. Even in the US "the Internet" gets lots of special treatment and enforcement of simple things. Stuff that would result in jail time off the Internet results in nothing at all when the same thing is done involving the Internet.
