PandaLabs : SEO

Swine flu and the Blackhat SEO techniques

Oscar Cavada — Tue, 05 May 2009 11:12:00 GMT

You should be careful when you’re looking for information on the web. Not everything is as it seems, and even more when the Blackhat SEO techniques are so frequently used, which enable malicious websites to be positioned in search engines.

And why not using these techniques with the swine flu subject? Cyber-crooks are aware of this and have started using them. Just look what we found in Google: a search engine which offers information about the swine flu.

When clicking on the results displayed by the search engine, we are redirected to porn sites where we can view videos. However, to view a video we are required to install the last version of a player.

Actually, the file is not a player but an adware program which has been detected as Adware/WebMediaPlayer.

UPDATE:

We’ve tried other searches with this malicious engine.

On the one hand, we’ve tried with words related to antivirus solutions, like “Spyware remover” and different results have been displayed:

When accessing some of them, we’ve been redirected to a website that simulates a fake system scan and warns us that our computer is infected. The purpose of this is to offer us a solution (which is actually false).

On the other hand, we’ve tried with other text strings, like celebrities (Paris Hilton, Angelina Jolie...), mortages, jobs and we’ve been redirected to porn websites as those we’ve previously mentioned when we talked about the swine flu.

We’ll continue researching this and keep you informed if we find anything new about this.

New Blackhat SEO attack exploits vulnerabilities in Wordpress to distribute rogue antivirus software

Sean-Paul Correll — Thu, 23 Apr 2009 16:50:00 GMT

Over the past week we have seen a new Blackhat SEO technique emerge to exploit vulnerabilities in the popular Wordpress blog software. Two of the sites we identified were TheWorkBuzz.com, a website owned and operated by Career Builder (CareerBuilder.com), and The Center for International Media Assistance, an initiative of the National Endowment for Democracy (NED.org). Just like last week’s attack against Ford Motor, these scams work by misleading search engines to falsely promote malicious pages to the top of the search results. When a user visits one of the malicious sites, they are duped into downloading fake antivirus software.

You can checkout a video demonstrating how this particular attack works below:

Both attacks involve a vulnerability in an older version of Wordpress, which allows the /wp-includes/ folder of the software to house thousands of malicious redirectors. Exact details of the specific vulnerability are not yet known, but we have contacted both site owners and the security team at Wordpress to get clarification.

In the first case involving the Center for International Media Assistance website, we uncovered over 13,330 words used in the Blackhat SEO attack. We took all the terms and threw them into a Tag Cloud generator to see how they were targeting the CIMA viewers. Here’s what we found:

Song - Appeared 1303 times
Software - Appeared 879 times
Free - Appeared 244 times
Lyrics - Appeared 210 times

Cyber-criminals have chosen Rogue Anti-Malware as their primary method of payment because it has become easier for them to make money by affiliate systems and utilizing these types of attacks. It’s no wonder why we have seen more Rogue detections in the first quarter of 2009 then all of 2008. As you can see from the chart below, PandaLabs predicts that incidents of rogue AV scams will grow 100 percent quarter over quarter through the end of Q3.

Remember, It's just as important to update your web applications as it is to update your operating system. If you use Wordpress as a platform for your blog or website, then I recommend viewing the official hardening guide.

Targeted Blackhat SEO Attack against Ford Motor Co. (Updated)

Sean-Paul Correll — Tue, 14 Apr 2009 08:29:00 GMT

Recently, we have talked about Blackhat SEO fueled Rogue Software Campaigns. Today, we have uncovered a similar campaign with over 1 Million links all targeting the Ford Motor Company.

These attacks work by misleading search engines to falsely promote malicious pages to the top of the search results. Once the user visits one of the malicious sites, they are prompted to download and install a malicious "codec", which then installs the MS AntiSpyware 2009 (softwarefortubeview.40030.exe) Rogue Security Software, which we detect as Adware/MSAntiSpyware2009.

This case is especially interesting because it’s one of the few SEO attacks that we have seen targeting a single, specific brand.

I have made a video demonstrating how the Blackhat SEO attacks work and you can see it below:

Partial List of Hijacked Search Terms:

*Update* The SEO attack is starting to switch from Ford to Nissan Motor Co.

Diagram Of A 1998 Nissan Pathfinder Blower Motor
1989 Nissan Pickup Voltage Regulator
2006 Nissan Skyline Gtr Vs 2005 Mustang Gt Cobra Youtube
Where Is The Horn Relay On A 2002 Nissan Sentra
1992 Rear Bumper Nissan Pickup Truck
17 Gold Rims Wheels Nissan Honda Ford Toyota Hyundai
Ford Dealership Car Dealership Beside Iee Nissan Wilson N.c.
We Love rocky ford kansas!
Mustang Gt Or Nissan 350z
Dash Cover Nissan Pickup
1992 Rear Bumper Nissan Pickup Truck
Bumper For 1993 Nissan Pickup
Relay Box On 1991 Nissan Pickup Truck
1997 Nissan Maxima Trunk Emblem
1993 Nissan Truck Door Panels
2007 Nissan Versa Gauges Glow
Nissan Sentra 2004 Horn Location
1994 Nissan Extended Cab Truck Seat
Pic Of 1983 Nissan Truck
1989 Nissan Pickup Truck Engine Check Light Troubleshooting
Fuel Tank Capacity On 1992 Sentra On 1992 Nissan Sentra
How To Install A 1991 Nissan Pathfinder Windshield
Auto Wheel Bearing Replace 1997 Nissan Sentra
Nissan Micra 1.3 Metallic Green
Dimensions And 1998 Nissan Pathfinder
2005 Nissan Frontier Modesto
87 Nissan Pathfinder Nuetral Starter Safety Switch
1990 Nissan Pickup 2400 Motor Recalls
Used Nissan Frontier 2006
Frontier Titan 2006
Ford Ranger
Parkway Ford
Ford Uk
Ford Finance
Mustang Ford
Evergreen Ford
Kayser Ford
Ford Anchorage
Walker Ford
2009 Ford
Rochester Ford
6 Ford Speed Transmission
Ford Scamatic
Sheehy Ford
Ford Commercial
Parr Ford
Ford F8tz3504abrm
1993 Ford Taurus
1993 Ford Tauru
Titan Ford
Luther Ford Fargo
Ford Freestar Problems
Ford Crate Engine
Ford Aftermarket Distributor
Ford Ranger 2008
Ford Falcon Sale
1941 Ford Truck
F150 Ford 2001
Ford Window Guards
1960 Ford Sunliner
Ford Ironman Wisconsin
Ford Window Guards
1960 Ford Sunliner
1960 Ford Sunline
Ford Ironman Wisconsin
2008 Ford Mustang
New Orleans Ford
Inventor Henry Ford
Ford Van Seats
1950s Ford Thunderbirds
Don Vance Ford
F150 Ford 2001
Ford Taurus Repair
Ford Window Guards
1960 Ford Sunliner
Ford Ironman Wisconsin
2008 Ford Mustang
New Orleans Ford
Inventor Henry Ford
Ford Van Seats
1950s Ford Thunderbirds
Don Vance Ford
F150 Ford 2001
Grappone Ford
Ford Radio Removal
Ford Expedition Diesel
Ford Parts Catalog
1940 Ford Coupe
1966 Ford Mustangs
Ford Door Lock
Ford Escape Hybrid
1930 Ford Coupe
Ford Parts Look Up
1968 Ford Trucks
1995 Ford F150 Lightning
Joe Machens Ford
1956 Ford Panel
Ford Global Terms
2000 Ford Explorer Overheating
1999 Ford F150 Engine
Ford 6 Cyl
Ford Ranger 4x4
Door 2005 Ford F150
Ford Falcon Futura Sprint
Ford Ranger Engine
Ford Escort Harrier
Ford F150 Used 4x4
1969 Custom Ford Ranger
Ford Truck F150 Forum
Only Ford Expedition Pics
Diesel Ford Ranger
Ford F150 Throttle Body
2001 Ford Escort Reviews
1998 Ford F150 Bumper
1989 Ford Mustang Wallpaper
1939 Ford For Sale
Ford Ranger Directional Rims
2009 Ford Mustang Reviews
Rowe Ford Hyundai
Remanufactured Ford V8 Engines
Ford Ranger 4x4 Automatic

Rogue Information:

File: softwarefortubeview.40030.exe
MD5: 3C146F57FE65BF03CAB8289F31B57618
Detected as: Adware/MSAntiSpyware2009

Registrar and Host Information:

ICANN Registrar:	REGTIME LTD.
Created:	2009-03-17
Expires:	2010-03-17
Updated:	2009-03-31
Registrar Status:	ok
Name Server:	NS1.GLOBEXTUBES.COM
Name Server:	NS2.GLOBEXTUBES.COM
Whois Server:	whois.regtime.net

Server Data


Server Type:	Apache/1.3.39 (Unix) PHP/5.2.5
IP Location	- California - Los Angeles - Coreexpress
Domain Status:	Registered And Active Website

If you have any questions about the attack, you could always reach me on Twitter (@lithium)

Special thanks to Greg Feezel for the heads up on this one!

Blackhat SEO Fueled Rogue Security Campaign

Oscar Cavada — Tue, 24 Mar 2009 16:15:00 GMT

Today we observed yet another Blackhat SEO campaign fueling the distribution of the System Security Rogue Anti-Malware from Pandora Software.

Blackhat SEO is a method used by criminals to trick search engines into displaying their content ahead of other legitimate sites. You can learn more about it here.

(E.g. One of the hijacked searches)

Accessing the link redirects the victim to the rogue anti-malware site, which then prompts the user to download and install the malicious software.

Sample hijacked search terms [Full List]:

Cinderella Full Story In Script
Swollen Throat Rash Chest Pains Symptoms
Body Aches All Over And Extreme Fatigue
Candy Bar In Illustrator
Humerous Marriage Definitions
Art Ideas For Babies
Possesive Worksheet
Free Online Scan Malware
Proxy Which Allows Java
Cd Key Do X Blades
Swollen Lymph Nodes And Dry Cough
How To Write Law In Graffiti
Index Of Best Songs
Keys Of Digi Tv
Free Space Crafts For Preschoolers
Execution Of Women Video
Labeled Diagram Of A Foot
Facebook Skins Free
Ear Infections And Sore Muscles

This post has been written by Sean-Paul Correll.