Massive Badware Campaign Targets Google's "Long Tail" 88
A post by Cyberveillance a couple of weeks back revealed a complex black-hat operation involving Google searches leading to hundreds of thousands of bogus blogs, exploiting the "long tail" of search results and isolated from Google's auto-detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, but make aggressive attempts to install a fake Windows anti-virus tool (which is actually a Trojan horse) if clicked through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation, which puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located in Google; some of them have upwards of 1000 posts. This analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords) where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign is active for at least 6 months, webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity. The good news is Google seems to have noticed this problem. Probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."
I don't think Google has a long tail. (Score:1, Offtopic)
But it sure does have a hell of a deep end.
Yet Another Reason (Score:4, Informative)
Re: (Score:1, Interesting)
Please, explain. Is this a FF addon, a custom browser, or what? 'cuz AC wants it.
Re:Yet Another Reason (Score:5, Informative)
With the web developer toolbar [mozilla.org] you can disable referrers.
Re:Yet Another Reason (Score:5, Informative)
Please, explain. Is this a FF addon, a custom browser, or what? 'cuz AC wants it.
I use Firefox on Linux with several addons. For the HTTP Referrer, I use an addon called RefControl. I have it set to fake the referrer by default. So if I do a Google search and from the search results decide to click on http://www.someblog.com/blogs/page.html [someblog.com], the Web server does not receive a google.com referrer. The referrer it receives is http://www.someblog.com/ [someblog.com]. The only exceptions are certain Web sites I do business with, because this fake-referrer behavior can break some shopping carts. That particular add-on lets you specifically exempt certain sites and only those sites.
/etc/hosts file is 1.5MB, all of which blocks various ad servers by directing them to localhost. My machine will not accept any references to Google Analytics or various other analytics/tracking services. As a side-effect, all of this makes pages load much faster.
In addition to that, I use Adblock Plus with the Element Hiding Helper and the Easyprivacy+Easylist subscription. I also use NoScript and that alone takes care of many Javascript tricks that redirect or obfuscate the actual destination of a link. I also disable so-called "HTTP PING", which can be done in Firefox under "about:config". My
When I use Google or any other search engine, all of the links in the results go directly to the actual site. It is not redirected in any way. Therefore even Google does not know which link I clicked, or whether I clicked any at all. With the measures I mentioned above, the site I visit has no idea that I got there from Google. It looks to the site like I just opened a new browser window and directly typed its URL into the Address bar no matter how I actually got there.
I've always felt that if your business model relies on getting information about me against my will, then your business model deserves to fail. I'll add too that the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs. The measures I describe above do not provide real computer security -- they provide human privacy. In this case, however, they make it much harder for the sites in question to target you because their "targeting data" is based on first compromising your privacy.
Re:Yet Another Reason (Score:5, Informative)
the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs
There's no vulnerability in the browser, the issue is that the site displays fake warning messages, tricking the user into downloading and installing their malware.
Re:Yet Another Reason (Score:4, Interesting)
the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs
There's no vulnerability in the browser, the issue is that the site displays fake warning messages, tricking the user into downloading and installing their malware.
I re-read the article and you are absolutely right about this. Thank you for correcting me. This apparently is a social engineering attack and is not the "drive-by download" attempt that I assumed.
From the article:
Playing a little "devil's advocate", I suppose the case could be made that browser windows created by remotely originating Javascript should not be able to create windows that look like locally created warnings. Perhaps the windows Javascript can create should be marked in some way to make it obvious that it's the result of a Web site. Then you would end up with a warning to the effect of "Your system is infected with a virus, oh noes!" with an immutable titlebar that says "This window created by the Web site example.com" which should make the warning less convincing.
I call that devil's advocate because I don't believe these problems will ever really go away until and unless the average user gets a clue. Titlebars on windows that label the origins of the windows are nice and consistent with full disclosure, but they are no substitute for user education.
I think it should be explained to average users sort of like this: "there is and for some time has been a class of user that is easily exploited by all the latest scams, adware, and spyware. That class represents the lowest common denominator of user expertise and are targeted because they are the low-hanging fruit, the easiest to fool. The only choice in the matter available to you is whether you will be a member of that class. Your membership in that class is entirely voluntary because no one forces you to remain ignorant or to use what you do not understand. Do you still think that informing yourself, achieving a basic level of competency, and maybe reading a book or two is 'only for experts' or otherwise is such an unreasonable burden?"
The way I see it, you pay one way or the other. You pay with a little of your time and effort to understand the tools you use each day, how they are supposed to work, and this naturally includes an ability to understand how someone might attempt to use them against you. If you are unwilling to pay that way, then you pay in the form of higher exposure and greater vulnerability to all kinds of malware and scams and other attacks that have become so commonplace today. The attempts to deny the reality of this situation all have one thing in common: they depend on pretending that the individual user is not making a choice when they allow themselves to remain ignorant in the face of abundant information. In other words, they falsely advocate the essential helpless victimhood of people who are not helpless and could choose differently.
The way I view things, the scammers are just attaching a higher price tag to the poor decision-making that is already systemic in our society. For example, people who accept car loans with a duration of 60 months (and sometimes more) are doing the same thing financially. They look at only the monthly payment and do not account for the total amount that they will end up paying, nor do they account
Re: (Score:3, Informative)
Playing a little "devil's advocate", I suppose the case could be made that browser windows created by remotely originating Javascript should not be able to create windows that look like locally created warnings. Perhaps the windows Javascript can create should be marked in some way to make it obvious that it's the result of a Web site.
This is a good idea, but unfortunately dynamic HTML allows the creation of "windows" within the browser, and there really is no way to limit this without seriously destroying page layout.
Sure, these moveable HTML elements are confined to the browser window, but I think that somebody who would believe that a web site has "scanned" a D:\ drive that doesn't exist and found malware wouldn't notice that a window wasn't "outside" the browser.
Re: (Score:2)
When I use Google or any other search engine, all of the links in the results go directly to the actual site. It is not redirected in any way. Therefore even Google does not know which link I clicked, or whether I clicked any at all. With the measures I mentioned above, the site I visit has no idea that I got there from Google. It looks to the site like I just opened a new browser window and directly typed its URL into the Address bar no matter how I actually got there.
I was wondering how you manage this? Google search results all output a google-based url that then redirects . The printed URL is often truncated, so you can't go to it automatically.
Re: (Score:3, Interesting)
When I use Google or any other search engine, all of the links in the results go directly to the actual site. It is not redirected in any way. Therefore even Google does not know which link I clicked, or whether I clicked any at all. With the measures I mentioned above, the site I visit has no idea that I got there from Google. It looks to the site like I just opened a new browser window and directly typed its URL into the Address bar no matter how I actually got there.
I was wondering how you manage this? Google search results all output a google-based url that then redirects . The printed URL is often truncated, so you can't go to it automatically.
Try turning off Javascript. Or in my case, leave Javascript turned on and use NoScript. I personally add all Google domains to the "untrusted" list of Noscript. For me, there are no redirects of any sort. I get the direct URLs. I can copy-and-paste them into a new tab and it's a direct link straight to the site with no evidence that it came from a Google search. Of course, not using Google's Javascript means that my statusbar is honest about where the link goes, so there's no need to do all of that ju
+INFINITY (Score:3, Interesting)
This is possibly the best post that has ever been made at
I have been wanting the ability to mask HTTP REFERRER [sic sic] since practically Day One of getting on the WWW [and certainly since the first time I ever put a sniffer on the network stack and saw all the personal information that was being given away to God-only-knows whom].
It's hard to believe that it's taken us almost two decades to be able to surmount the single most egregious mistake [ietf.org] that Tim Berners-Lee made in designing [or mis-designi
Re: (Score:1)
- See the paths people take when browsing a site, and arrange/optimise the design accordingly (generaly to make browsing a site easier)
- See what search engine queries generally land a user at a page, so in the long run the content can be tailored towards what people are actually searching for
I don't
Re: (Score:2)
I just
Re: (Score:2)
Anyone who would actually care about this is also blocking cookies and javascript and won't show up in your web analytics in the first place. Even if ever browser had a prominent "block referrer" option, 90% of people wouldn't bother.
Re: (Score:1, Redundant)
Want that. Is that a released add-on or did you just patch and recompile the source?
Re: (Score:3, Informative)
Want that. Is that a released add-on or did you just patch and recompile the source?
I use the FireFox addon RefControl [mozilla.org] to handle the HTTP Referrer.
Re: (Score:1)
Re: (Score:2)
There are already abundant reasons not to give away your usage data to anyone who wants it; this just provides one more.
Please explain why you'd rather not reveal your referrer data. (New example from TFA aside.)
Working with web analytics, I can say referrer information is extremely useful, and not in a way which would lead you to any downsides, that I can think of at least.
(Not trolling, I'm genuinely interested...)
Re: (Score:1)
Please explain why you'd rather not reveal your referrer data. (New example from TFA aside.)
Maybe if you're embarassed because you still use Altavista search
Re: (Score:2)
Sites that were hacked were done using an .htaccess user agent redirect. In a strange twist, IIS' web.config does not have that particular feature (well, with plugins, but not by default) so IIS is by-and-large not affected by this hack. Most of the sites had an .htaccess file that was writeable, in fact, many were chmod 777. Many CMS auto-upgrade scripts and url-rewrite plugins require a chmod 755 using apache's .htaccess file, but so many people just 777 it.
Long Tail (Score:4, Informative)
Re: (Score:3, Funny)
A surprisingly large amount of people couldn't make the link between Malware and Malicious software.
And an even larger amount of people didn't know what Malicious meant. *facepalm*
Re: (Score:2)
Re: (Score:3, Insightful)
And when you start to lose them just tell them "the evil hackers will plunder their bank account", this will give you about 3 minutes extra attention span.
Re: (Score:2)
Good idea to dumb it down... most of my family or collegues will stop understanding and thus really listening when they hear words like malware. When you want to educate people be prepared to explain it in a simple way they understand, it will save you work later. And when you start to lose them just tell them "the evil hackers will plunder their bank account", this will give you about 3 minutes extra attention span. ;)
I derive no pleasure from saying it, but maybe a plundered bank account is the natural price attached to holding their own security in such low esteem. The way I describe these situations is "if you want my help it's there for the asking, but I am not going to fight you in order to help you." I frankly have better things to do and there are people who would have more appreciation for how my knowledge of computers and networks can help them.
Re: (Score:2)
I agree - but I think its better that they be informed about it at the least. See my parents were under the impression that so long as they never entered their information online it wouldn't be in danger. As such, they had a number of financial records on their computer, which (of course) got infected.
Now, nothing bad has resulted (to our knowledge), and I've lined them up with preventative measures and how to deal with it when it strikes. They didn't really care all that much until I told them that yes, th
Re: (Score:1)
Same thing really - after all, "mal" is "bad"... in Latin
Re: (Score:1)
Re:Badware? (Score:4, Funny)
When did the word badware appear? Is it because some people couldn't cope with Malware?
It's not badware. It's goodware-challenged.
Re: (Score:2)
Good point! It should be "ungoodware" (or, maybe, "double plus ungoodware")
Bogus blogs and duplicate newsfeeds (Score:3, Interesting)
Speaking of bogus blogs... What really ticks me off is if I'm searching for a answer to a technical problem, I often find the same message thread on 10 different sites. I wish google would realize these are all the exact same thread and combine them into a single response.
Re: (Score:2)
See why it might not be top of their To Do list?
Re:Bogus blogs and duplicate newsfeeds (Score:5, Funny)
Great. And now those people will be redirected here. On one hand, it is like cleaning up the internet. On the other hand, you'll get all those pervs to come here and leave comments, drastically reducing the signal-to-noise ratio to basically zer... er, nevermind. Carry on.
Re: (Score:2)
Yes, those sites have actually become more annoying than the regular Experts Exchange-like sites that show content to google but not real users, at least those sites have the answer and can generally be tricked in various ways, the sites that just copy mailing lists are useless, especially the ones that "match" a hundred different questions so that they'll always be in the top 10 for a lot of searches yet they don't even have the answers to the questions, just other vaguely related questions.
/Mikael
Re: (Score:2)
Actually, if you ever fell for one of their "click here to register and see the answer" tricks then they stop showing the answer (until you clear out your cookies).
And it wasn't that long ago that they didn't show the answer to all users, it seemed to be browser-dependent, some user-agent strings would allow you to see the answers while others didn't.
/Mikael
Re: (Score:2)
Re: (Score:2)
I used to have that problem with Safari, I never bothered to check whether it was just some javascript or CSS trickery to hide that part of the page though...
/Mikael
Re: (Score:1)
Re:Bogus blogs and duplicate newsfeeds (Score:4, Insightful)
Speaking of bogus blogs... What really ticks me off is if I'm searching for a answer to a technical problem, I often find the same message thread on 10 different sites. I wish google would realize these are all the exact same thread and combine them into a single response.
No joke. You omitted one part, however. You'll find the same message thread on 10 or more different sites, true. The part I would add is that in each instance, someone is asking the question but no one has responded with a meaningful answer. Sometimes I have better luck excluding terms like "archive" and "mailing list" from the search results.
I forgot their name but there is a company or two that I would describe as parasites. They try hard to have high visibility in search results when it comes to someone asking questions. When you click the link, however, you find that they want you to pay a fee to see the answer. Usually this is for basic technical support information that is not secret or otherwise proprietary in any way. I bet they had to work really hard to craft their pages in such a way that the Google summary gives no indication that it's a for-pay site. It makes me wonder if they are subsidized in some way or whether enough people really do pay them enough money to stay in business on their own.
Re: (Score:1)
I forgot their name but there is a company or two that I would describe as parasites. They try hard to have high visibility in search results when it comes to someone asking questions. When you click the link, however, you find that they want you to pay a fee to see the answer. Usually this is for basic technical support information that is not secret or otherwise proprietary in any way. I bet they had to work really hard to craft their pages in such a way that the Google summary gives no indication that it's a for-pay site. It makes me wonder if they are subsidized in some way or whether enough people really do pay them enough money to stay in business on their own
seems like experts-exchange.com, living off the contributed answers from its early years.
i just add -experts-exchange when i search for something.
Re: (Score:2, Informative)
For experts-exchange, the answers are at the bottom of the page. Just scroll ALL the way down. Really, try it.
Re: (Score:2)
Or just become a genius hacker and scroll to the bottom of the ee page, when you go to it! What an “impressive” way of “hiding” the solution from you, while allowing Google to index it, no? ^^
Protip: If Google shows it, it’s in the page! If it does not help to scroll, turn of the style(s| sheets) and JavaScript.
Re: (Score:1)
Re: (Score:2)
Speaking of bogus blogs... What really ticks me off is if I'm searching for a answer to a technical problem, I often find the same message thread on 10 different sites. I wish google would realize these are all the exact same thread and combine them into a single response.
The problem I have with Googling technical problems is that the 10 sites that do show up often have all the wrong information.
I was searching for info on converting latin1 to utf8 to make a similar point, and I went through almost all the top 100 results before I got to a post that mentioned you needed to convert the content INSIDE the database as well...and that post didn't even mention how. There are about 20 Wordpress scripts that convert the databases from latin1 to utf8, but do so by converting the dat
Re: (Score:2)
I despise sites that simply reproduce content from forums or mailing lists like that.
Which is why whenever I find one with my comment on it I immediately send their host a DMCA take down.
Finally a good use for the DMCA :P
Re: (Score:2)
Be thankful, those at least have some chance of having an answer to the technical problem, even if there are copies scattered all over. Outside of the "program x barfs cryptic error message y"-type queries, my results for any search containing a vaguely technical/engineering term all start with "System and method of..." I've actually started adding -patent to my queries to not have to click past the 3 pages of junk patent applications that somehow manage to claw their way to the top of the listings.
First good thing about the work firewall then (Score:3, Interesting)
This could possibly be the only time one of the retarded things our company-wide firewall did turns out to be right, it strips all referrer headers from HTTP traffic (which has caused me endless pain since some of my work involves said headers).
Of course, it still blocks all "application/---" MIME types which makes no sense and has caused even more issues (apparently anything with a MIME type that starts with application/ is a dangerous executable and must be blocked).
/Mikael
Economic and Political Solutions? (Score:2, Interesting)
I get what these extortion-ware programs are. I've removed a few from my various relatives windows machines with malwarebytes and 1 other program (it's funny how no 1 program seems to be able to remove these vicious buggers). What I don't understand is how these a$$holes are getting their money. So the last time it happened to my uncle I told him to pay. He paid with a visa, waited a week and disputed the charge. It took him a few weeks, but finally got the chargeback, which I'm sure cost the a$$holes so
Re: (Score:3, Interesting)
The problem with the "follow the money" is that nobody with any means to do anything cares. Let's say you track the money to some Netherlands bank and find the guys running it. Local law enforcement, acting on your behalf, says "Gee, American sucker lost money. So what?"
UK, Ireland and Australia might care. Most other places you would need to hire a local lawyer and sue them in local court because local law enforcement just isn't interested. And if you get into places like Romania or Bulgaria you find
Ho Hum (Score:2)
"Windows is a vulnerable POS" "New virus/trojan/worm affects Windows" "Every Windows computer can be assumed to be compromised, trojan-laden, and part of some botnet thats either being used to compromise other Windows machines, capture the user's personal information and/or to pump out anonymous spam".
Assume these as static truths. Eg, not 'news'.
Now what would *really* be news, is if a day went by and there wasn't some new compromise/attack/vulnerability affecting Windows machines.
I live in hope that somed
Re: (Score:2, Insightful)
Re: (Score:2)
Ah I see you subscribe to the 'popularity myth'.
Thoroughly debunked here:
http://www.desktoplinux.com/articles/AT5785842995.html [desktoplinux.com]
Re: (Score:1)
Re: (Score:2)
Just because most viruses/trojans don't generally go scorched-earth on the host computer doesn't mean your files are secure.
Want you pictures/videos/novels/papers/"goddamn things" to be secure?
Don't store them on a Windows computer.
The point there, was that if some virus did this, millions of people would learn this, and learn it well.
Sometimes learning is painful. Sometimes people don't learn even after repeated lessons.
(And just so you can feel safe, I don't write viruses or trojans. That would require us
Re: (Score:2)
What I think, is that the world could use a wakeup call about monocultures and software monopolies.
Just imagine if people used arc welders or battleships the way MS encourages people to use their computers. The point is its a tool, not a toy or an appliance, and pretending it isn't allows things like that to happen.
Ahah. So that's who's doing it... (Score:2)
But I just shrugged these off as random malware.
Blogs are going to be another morass of evil, because of so many that just regurgitate/copy/mimic each other, the insecurity problem, and the general lameness of nobody saying nothing.
And Google gets to look good on this, which is not really making me feel warm & fuzzy.
Interesting timing (Score:3, Interesting)
I wasn't sure if there'd been a compromise for SMF boards or if there's a list of low-activity boards that spammers share where my site got listed recently and thus people are trying to post there or what, but I've had to turn on administrator-approval of all memberships, which really ticks me off. I'm thinking about reinstalling my board to change the directory but haven't had time to mess with it.
Re: (Score:2)
I noticed I've had a bunch of assholes running into my CAPTCHA wall for my PHPBB board.
Re: (Score:2)
Bing! (Score:3, Funny)
(I know the trojan targets Windows - I say it's a hit they were willing to take)
I noticed (Score:3, Interesting)
One of my sites got hacked, along with a bunch of others on Inmotion Hosting. Inmotion tried to claim the user client machines were compromised and all the hacks were just FTP connections, but I don't believe that. It could have been related to an older version of phpbb I was running, but it didn't originate with my desktop.
The hack added thousands of links to almost every html file in the site, pages and pages of links, and set up rogue directories packed with thousands of html pages (2,147 in one directory). Took me days to clean all that crap out. What was amazing was the sheer scope. Thousands of websites all around the world compromised within a few days of one another and massive cross-linking network set up. It would take a big team to do that legally.
It's hard to blame Google for an organization going to that much trouble to game the system. I thought I ran a pretty secure site and it's hard to blame the host.
Here's the head scratcher for me. These people obviously have a very broad base of technical skill and resources. Imagine if they applied that talent to something legal. What's the payoff for all the trouble of building the link network? Do they make more doing this than setting up something legal?
Re: (Score:2)
I've read quite a lot of articles about these link farms and associated spam emails, some are designed to spread malware to create botnets which can then be resold á la CPU time on supercomputers and others are designed to send traffic to websites of dubious repute such as Canadian Pharmacy. Some of these sites pay a shitload of money to people who can refer traffic to them, claims of $100,000 a day being made by some of these link spammers.
There's a whole economy around spam, website hacks and malware
Re: (Score:2)
Do they make more doing this than setting up something legal?
short obvious answer, yes.
Bogus Antivirus (Score:2)
Been a lot longer than 6 months, I've been seeing these things on end user machines for over a year.
Filtering out the bottom-feeders. (Score:5, Informative)
The big search engines remain too "soft" on bottom-feeders. Google once took a harder line. In 2004 and 2005, Google sponsored the Web Spam Summit. Then they had a down quarter and turned to the dark side. Since then, from 2006 to 2009, they've sponsored the Search Engine Strategies conference, the web spammer's convention.
Google has to do this to remain profitable. 35% of AdWords advertisers, by domain, are "bottom-feeders" [sitetruth.net] - sites with no identifiable legitimate business behind them. A significant portion of Google's revenue comes from those bottom-feeders, and the AdWords ads on their sites. If Google filtered out all spam blogs, their revenue would decline.
We, of course, run SiteTruth [sitetruth.com], as a demo to show that search can have less evil. Try putting some of those "bad" sites into SiteTruth and see how it rates them.
(We get some whining, of course. "I wanna run ads on my blog and I don't wanna say who I am." Tough. You're operating a business, and businesses, by law, don't get to be anonymous. Even in the EU. Deal with it.)
Re: (Score:2)
If Google filtered out all spam blogs, their revenue would decline.
And this, children, happens when you sell your soul to the golden cow.
There always comes the moment when you have to choose, if you will walk over dead bodies, for it.
As if there were no bigger ideals and goals to follow, than money, money, money...
Poor unsuspecting non-geeks...=) (Score:1)
I use all the same things that fellow geeks tend to use...Adblock Plus, NoScript, host file, etc. They work great for me but for the average person (family, friends, customers, etc) I find that a few minutes of explaining the existence and nature of the 'dark side', combined with the addition of a few basic measures keeps most of the crap at bay with little effort on their part. From speaking to them on a regular basis (I've been driving around fixing home and business machines for over 5 years now (3-5 cal
Why is nobody... (Score:2)
...targeting my “long tail”?
Oh... with badware? Well then, no thanks. ^^
Clever social engineering (Score:2)
"Don't simply notice"? (Score:2)
webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity.
How do they notice it then? Complexly?
You can't expect words to mean the same thing when you string them together out of order.