http://pandalabs.pandasecurity.com/archive/tags/The+Work+Buzz/default.aspxTags: The Work BuzzenCommunityServer 2.1 SP2 (Build: 61120.2)http://pandalabs.pandasecurity.com/archive/New-Blackhat-SEO-attack-exploits-vulnerabilities-in-Wordpress-to-distribute-rogue-antivirus-software.aspxThu, 23 Apr 2009 16:50:00 GMTb262f9bf-63e5-46e5-8a14-4069a6997bc7:994Sean-Paul Correll0http://pandalabs.pandasecurity.com/comments/994.aspxhttp://pandalabs.pandasecurity.com/commentrss.aspx?PostID=994 <p><strong></strong>Over the past week we have seen a new Blackhat SEO technique emerge to exploit vulnerabilities in the popular Wordpress blog software.&nbsp; Two of the sites we identified were TheWorkBuzz.com, a website owned and operated by Career Builder (CareerBuilder.com), and The Center for International Media Assistance, an initiative of the National Endowment for Democracy (NED.org). Just like last week&rsquo;s attack against <a href="http://pandalabs.pandasecurity.com/archive/Targeted-Blackhat-SEO-Attack-against-Ford-Motor-Co_2E00_.aspx">Ford Motor</a>, these scams work by misleading search engines to falsely promote malicious pages to the top of the search results.&nbsp;When a user visits one of the malicious sites, they are duped into downloading fake antivirus software.</p> <p>You can checkout a video demonstrating how this particular attack works below:<br /> <a href="http://vimeo.com/4288832"> </a></p> <blockquote><a href="http://vimeo.com/4288832"><img alt="press play" border="0" height="382" src="http://support.us.pandasecurity.com/blog/pressplay.png" width="506" /></a></blockquote> <p>Both attacks involve a vulnerability in an older version of Wordpress, which allows the /wp-includes/ folder of the software to house thousands of malicious redirectors.&nbsp;&nbsp; Exact details of the specific vulnerability are not yet known, but we have contacted both site owners and the security team at Wordpress to get clarification.&nbsp; </p> <p>In the first case involving the Center for International Media Assistance website, we uncovered over 13,330 words used in the Blackhat SEO attack.&nbsp; We took all the terms and threw them into a Tag Cloud generator to see how they were targeting the CIMA viewers.&nbsp; Here&rsquo;s what we found:<br /> <br /> <a href="http://support.us.pandasecurity.com/blog/tagcloud.jpg"><img alt="Tag Cloud Thumbnail" border="0" src="http://support.us.pandasecurity.com/blog/tagcloud_small.jpg" /></a></p> <p><strong>Song</strong> - Appeared 1303 times <br /> <strong>Software </strong>- Appeared 879 times<br /> <strong>Free </strong>- Appeared 244 times<br /> <strong>Lyrics </strong>- Appeared 210 times</p> <p>Cyber-criminals have chosen Rogue Anti-Malware as their primary method of payment because it has become easier for them to make money by affiliate systems and utilizing these types of attacks.&nbsp; It&rsquo;s no wonder why we have seen more Rogue detections in the first quarter of 2009 then all of 2008. As you can see from the chart below,&nbsp; PandaLabs predicts that incidents of rogue AV scams will grow 100 percent quarter over quarter through the end of Q3.&nbsp; </p> <p><img alt="Rogue AV Growth" src="http://support.us.pandasecurity.com/blog/rogueav_growth.png" /></p> <p>Remember, It&#39;s just as important to update your web applications as it is to update your operating system. If you use Wordpress as a platform for your blog or website, then I recommend viewing the <a href="http://codex.wordpress.org/Hardening_WordPress">official hardening guide.</a><br /> </p><img src="http://pandalabs.pandasecurity.com/aggbug.aspx?PostID=994" width="1" height="1">SEOBlackhatVideoThe Work BuzzRogue Anti-malware