Attackers Abuse Google to Push Rogueware
Cyveillance said Nov. 16 it has uncovered a search engine optimization poisoning campaign that has impacted more than 260,000 sites.
The scheme targets Google search by getting victims to click on links that are routed to sites that attempt to download malware onto their machines. According to Cyveillance, the common string albums/bsblog/category is found in the URLs for numerous blogs. Inputting that into Google will generate a series of results leading to malicious sites, the company observed.
"Readers can simply copy and paste the destination URL into your browser to direct it to the desired Website; you would be taken to [a] boring but otherwise harmless blog posting like those pictured earlier in this discussion," Cyveillance said. "The attack only happens when the compromised blog site determines that you arrived by way of Google by checking the HTTP referrer."
Only a small number of the sites contained Google's warning that the site is harmful.
These types of black hat SEO schemes are nothing new. Typically, they are tied to news events that attackers know will generate interest and a lot of Web searches. Once taken to the malicious site, the visitor may be tricked into downloading rogue antivirus software or malware.
In the case of the campaign detected by Cyveillance, the infected sites utilize rogue blog publishing software that automatically and regularly publishes new posts with titles such as "las vegas rental no credit check" or "uninvited song lyrics alanis morrissette morissette."
"These posts are intentionally not titled just with simple terms that are very popular like 'Britney Spears,' 'Obama' or 'Paris Hilton' to avoid having to compete in search rankings with the millions of pages which already exist for these topics," according to Cyveillance. "Instead, the authors of this exploit take advantage of the long tail of search, where rare combinations of search terms in aggregate make up a very large portion of the queries made by Web surfers in search engines."
When a user clicks on one of the Google search results, he or she is taken to a "middleman" domain like ionisationtools.cn or moored2009.cn. The server at these domains redirects the user to another site pushing the rogue antivirus software. The middleman domains are live for a day or two and are then taken offline.
The actual fake anti-virus drop sites are found on domains such as:
All these domains observed by Cyveillance were registered with Chinese registrar TodayNIC.com and like the middlemen sites above, these domains are registered one or two days before the inbound Google search traffic will be arriving, suggesting that the software now directing search traffic from the infected websites may know in advance where the drop sites will be in advance.