Archive for the ‘SEO Poisoning’ Category

Do we really want better spam detection on social networks?

Thursday, December 15th, 2011

by Daniel Peck, Research Scientist

The question sounds crazy, especially for someone who’s spent a fair amount of the last year working on making spam and other malicious message detection on social networks better.  But we do a disservice to tools geared for protection when we don’t think long term about the consequences of them.  Does better spam detection on say twitter for example reduce the total amount of spam that users see, or does it just change the signal to noise ratio?

Websites who’s only content is related to spam didn’t get many hits.  This led spammers to move to Search Engine Optimization techniques, which have had a good run are still fairly effective, but more often than not spam sites are full of legitimate content harvested from other sites.

I suspect, and have seen several examples, that the same trend is taking place in social media.  We build systems that force spammers to put more “real” content into the stream, so that they don’t immediately out themselves. These fake accounts contain plenty of retweets of popular stories, and shared links on facebook with a bit of “hey, what a great deal on shoes” or “click here to see my naked” thrown in here and there.

Times are changing here too, sharing too many popular things also indicates than an account is a spammer, or at the very least a much less valuable node in the network.  So the next step is wholesale copying of real peoples profiles, complete with pictures of their cat, a bizzaro you with everything from your facebook account duplicated on another network, such as tumblr or google+, with an occasional spam or malicious link thrown in.  The kind of place where friends will eagerly add you, because everyone needs to be connected to every one of their friends through every medium possible of course, and not think twice about clicking on the malicious link that bizzaro you just shared out.

Besides being quite a blow to the privacy of the accounts being copied, this also reduces the trust that anyone can put into a user, which may not necessarily be a bad thing from a security point of view, are we making a problem that’s cosmically easy to spot for end users, such as the endless number of Nigerian prince scams, morph into something that is much more difficult for the end user to distinguish from real content?  Are we moving towards an advertorial world where the signal and the noise are nearly impossible to separate?

When it comes to advanced vulnerability discovery and exploitation techniques I am all for raising the level of discourse and seeing talented researchers raise the bar for attack and defense alike, but with something like this I’m not so sure.  Maybe it’s best to keep the bar low with regards to detection/blocking on social media and focus on securing APIs and the data they access, understanding that its better for those with less benevolent intent to pull out a few weak individuals from the herd than to give them incentive to find methods to take the whole.

Share

Posted in SEO Poisoning, Social Networking, Spam, Uncategorized | No Comments »

Fake AntiVirus Scams Add MacOS Support

Thursday, May 19th, 2011

by Luis Chapetti & Dave Michmerhuizen – Security Researchers

Fake antivirus scams are designed to scare innocent computer users with exaggerated displays of virus activity in the hope that they will hand over their credit card numbers to make it go away.   They’ve been around for years and the most prevalent ones use a freely available JavaScript design that mimics the Windows user interface, as seen here:

Fake Antivirus that mimics Windows

Fake Antivirus that mimics Windows

 

When these pages pop up on Macintosh computers, it’s immediately obvious that something isn’t right.

Last quarter, Apple set a new record (3.47 million sold in the quarter) with a growth rate of 33% over the prior year’s quarter.  Apple has about 10% of the computer market in the United States, and that doesn’t even include iPads.

That market share has been noticed by the fake antivirus scammers, and this week they have added a new JavaScript design that mimics the Macintosh interface, as seen here:

Fake antivirus that mimics Macintosh

Fake antivirus that mimics Macintosh

 

Drive-by download sites now serve up this page if they detect access from a MacOS computer while Windows users still see a Windows style page.   The example above is called “Apple Security Center” but similar templates have been seen named MacDefender.

Since this is just JavaScript, the correct move at this point is to refuse the download and browse elsewhere.  Accepting the download and running it installs “Mac Protector” which displays pornographic images and promises to remove them for a credit card payment.

The initial infection vector is poisoned entries in Google search results.  We’ve talked extensively about poisoned search results and this represents another example of where otherwise normal Web sites are compromised and made to serve up bogus pages that are well ranked by Google. When one of these links is clicked, the compromised Web site detects a visit from Google search results and sends the visitor to a server that presents the fake antivirus. The recent change in Google content ranking has not stymied these attacks – the malicious link we tested was on page 1 of our search results:

Malicious link in Google results

Malicious link in Google results

 

Past Search Engine Optimization campaigns targeted very popular search terms such as celebrity sightings or breaking news events.  The poisoned links mentioned in this post are more likely to show up in the results for more mundane search terms so as to attract less attention, but they’re still getting plenty of traffic.

This is turning out to be a big problem for Apple. It has been conventional wisdom for years that one of the simplest Internet security solutions is to “just buy a Mac” and stop worrying.  Now that the most common drive-by attack vectors are serving up malware, unwary Mac users are being exposed to the harsh world that Windows users have dealt with for years, and are going to have to learn the same lessons.  Don’t believe everything that pops up on your screen, and don’t run any software unless you know where it came from and what it will do.

Barracuda Networks Barracuda Web Filters and the Barracuda Web Security Flex stop the download of this threat.

Share

Tags: , , , , ,
Posted in Security, SEO Poisoning, Uncategorized, Web Security | No Comments »

Cyber criminals continue to capitalize on current events – Osama Bin Laden dead!

Monday, May 2nd, 2011

by  Nidhi Shah, Security Researcher

Along with media, homeland security and Al-Qaeda supporters, another group of people got to work immediately after Osama Bin Laden was killed: malware authors. This is not surprising given malware writers propensity to take advantage of the day’s current events as a way to reach the largest number of eyeballs and victims.

This news is no different. We noticed multiple campaigns taking advantage of the news within hours of its announcement. One such campaign showed up on Facebook offering a video of the killing:

 

Wall from account spreading fake videos

 

Clicking on the link leads the user to a fake blog with video, which in turn requires the user to “Like” it in order to get to the video. However in doing so (“liking”), the user is authorizing the malware to post on his/her wall and fill it up with other “Like” messages that were never authorized. “Like” messages are shared automatically via the Facebook newsfeed on a user’s network; therefore, these messages quickly become viral and spread via trusted channels.

Newsfeed from victim account

 

There are multiple other campaigns taking advantage of this news and also creating new related headlines to get more attention. Like this campaign (again on facebook):

Wall from another account trying to promote sites with fake headlines

 

Clicking on that link will lead you to the blog full of such fake headlines.

Blog from fake headline campaign

 

While this one did not directly lead to any malicious impact, clearly the headlines are fake. That leads us to believe that we might have encountered it while malware authors were still in the process of preparing their next malicious campaign. Or that they could be taking advantage of current events and user curiosity for increasing search engine ranking for these pages.

Our advice to readers is to be cautious while browsing the Web to look for more details related to this event and any other major news in general. We recommend visiting the major news channels directly to get more information rather than click on links in Facebook or Twitter, even if they are seemingly posted by friends or trusted sources.


Share

Posted in Purewire Trust, Research, Security, SEO Poisoning, Social Networking | No Comments »

Email Spam Drops by Half While Search Engine Malware Increases 50 Percent and Twitter Crime Rate Rises 20 Percent During 2010

Thursday, March 3rd, 2011

From: Barracuda Labs [PRESS RELEASE]

Barracuda Labs Issues 2010 Annual Security Report; Launches New, Free Profile Protector to Protect Users against Malicious Threats on Facebook and Twitter

Campbell, Calif., March 3, 2011 – Barracuda Networks Inc., a leading provider of content security, data protection and application delivery solutions, today released findings from its 2010 Annual Security Report which indicates attackers are making a shift from using email spam to more aggressively targeting the Internet. Email spam dropped by half during 2010, while search engine malware doubled and the Twitter Crime Rate increased 20 percent, signifying a concentrated focus on the more lucrative social networks and search engines as attack vectors. To help combat this, Barracuda Networks today announced the availability of its new Profile Protector, a free service that protects social networking users against malicious threats on Facebook and Twitter. Profile Protector is available at http://profileprotector.com/.

“Attackers focus on where they can get the most eyeballs and profit, and today that means social networks and search engines,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “As a community we often point to the need for user education as the missing component; however, the levels of social engineering involved in today’s attacks suggest that we must continue to elevate our technological approaches. The research community must continue to build innovative defenses and the industry must make efforts to increase the deployment rates of those defenses.”

Searching for Malware
Barracuda Labs conducts periodic studies across Bing, Google, Twitter and Yahoo!, analyzing trending topics on popular search engines in order to understand the scope of the problem and to identify the types of topics used by malware distributors. The most recent study was conducted over 153 days. The analysis reviews more than 157,000 trending topics and nearly 37 million search results. Overall, the research found that attackers have increased the amount of search engine malware as well as expanded targeted efforts beyond Google.

Key highlights from the search result analysis include:

  • In June 2010, Google was crowned as “King” of malware, turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. As malware spread across the other search engines, the ratios were distributed more evenly by December 2010, with Google producing 38 percent of overall malware; Yahoo! at 30 percent; Bing at 24 percent and Twitter at eight percent.
  • The amount of malware found daily across the search engines increased 55 percent from 145.7 in June 2010 to 226.3 in December 2010.
  • One in five search topics lead to malware, while one in 1,000 search results lead to malware.
  • The top 10 terms used by malware distributors include the name of a Jersey Shore actress, the president, the NFL and credit score.

The Dark Side of Twitter
Barracuda Labs analyzed more than 26 million Twitter accounts in order to measure and analyze account behavior. The analysis enabled researchers to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users1, Twitter Crime Rate2, and Tweet Number3.

Key highlights from the Twitter research include:

  • In general, activity continues to increase on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
  • The number of True Twitter Users increased to 43 percent, up from only 29 percent in June 2010.
  • For every 100 Twitter users, 39 have between one and nine followers, while 50 percent of Twitter users have more than 10 followers.
  • Approximately 79 percent of Twitter users tweet less than once per day.
  • After decreasing at the end of 2009, the Twitter Crime Rate increased 20 percent from the first half of 2010 to the second half of 2010, going from 1.6 percent to 2 percent.
  • Attackers are distributing malware and exploiting vulnerabilities to achieve their malicious goals.

To view the complete Barracuda Labs 2010 Annual Security Report and the company’s security portal, please visit http://barracudalabs.com.

Protecting Profiles on Facebook and Twitter
Barracuda Labs also announced the availability of its new Profile Protector, a free service that protects social networking users against malicious threats on Facebook and Twitter and is available at http://profileprotector.com/. The application analyzes user-generated content posted to profiles and is able to block or remove malicious or suspicious content. This includes malicious URLs, embedded photos and/or videos on Facebook and Twitter pages and news feeds.

About Barracuda Networks Inc.
Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions.  The company’s expansive product portfolio includes offerings for protection against email, Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 130,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions.  Barracuda Networks is privately held with its International headquarters in Campbell, Calif.  For more information, please visit www.barracudanetworks.com.

Resources:
•    Download the Barracuda Labs 2010 Annual Security Report at http://www.barracudalabs.com/research_resources.html.
•    View the Barracuda Labs security research portal at http://BarracudaLabs.com.
•    Follow Barracuda Labs on Twitter at @barracudalabs.

Footnotes:
1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.
2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.
3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.

#  #  #

Share

Posted in Research, Security, SEO Poisoning, Social Networking, Statistics, Web Security | 1 Comment »

Scammers Cashing in on Facebook ‘Un named’ App Hoax

Saturday, January 30th, 2010

Posted by: Barracuda Labs

On Wednesday, a seemingly harmless application listing glitch sent numerous users into believing there was a Spybot attack ongoing on Facebook. Due to the bug, an application listed as ‘Unnamed App’ appeared in some users’ application settings. Some of the users took this as the presence of a spybot which would steal their account details / passwords and perform malicious activities on their computer. Those users warned other users about it and hence the word about ‘Un named App’ spread like a fire in few hours.

Ultimately, this was a harmless bug; however, curious users turned to Google to learn more about it, and scammers saw this as a golden opportunity. The scammers soon harnessed the search query ‘unnamed app’ and poisoned search results to include sites that would redirect users to a Rogue AntiVirus serving site instead. This has become a very popular technique used by scammers in the past few months.

Clicking on search results titled ‘Unnamed App’ redirects user to Rogue AV:

Scam artists also attempted to hide from the research community by selectively redirecting only users who visited straight from Google by clicking one of the search results. Visitors (mostly researchers) who attempted to go to the malicious search result directly were redirected to http://www.cnn.com instead.

There are multiple ways to achieve this. In this case, attackers reviewed the referrer-header to check from where the user came.

Hence what was seemingly a harmless bug, was still able to perform some damage to the innocent users’ browsing experience today.

Users of the Barracuda Purewire Web Security Service are protected from this attack.

Share

Posted in Research, SEO Poisoning, Web Security | No Comments »

Yet Another Reputable Site Asks You to Install Rogue AV

Friday, December 18th, 2009

Posted by: Barracuda Labs

Yet another reputable site has fallen victim to compromise — University of Arkansas.

This Tuesday, Barracuda’s Malicious Javascript Detection engine (MJD) identified Rogue AV software being distributed from a page that belongs to the University of Arkansas Web site. When users accessed a particular page from the university Web site, it opened a window warning them about their computer being infected with viruses and then subsequently downloaded an anti-virus software which was identified to be a fake anti-virus software.

A forensic analysis of the attack revealed that the user requested the following:

hxxp://bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which in turn requested a javascript from a malicious domain via script include:

hxxp://xrusx.com/counter.php?sref=bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which contained further malicious javascript includes that generated fake warning messages on the user’s computer.

And ultimately attempted to download setup.exe:

setup.exe was linked off another malicious domain:

hxxp://www.loker.us/forum/attachments/setup.exe

While investigating deep into the tracks of the user to determine how the user got to this page, we made yet another interesting discovery. Our investigation could not find user browsing a page linking directly off Universityof Arkansas linking the malicious page that was distributing the Rogue AV. Instead, it was a Bing search result that lead user to this page. Specifically, one customer using the Barracuda Purewire Web Security Service searched for ‘georigainmatequery’ on Microsoft Bing search engine.

hxxp://www.bing.com/search?q=georgiainmatequery

Which yielded following results:

As you can see, the malicious link from uArk.edu shows up in the bing search results — and in the number two spot. The page is leveraging uArk.edu’s reputation ranking in what we’ve previously reported on as SEO poisoning (see previous post). This is becoming increasingly more popular as hackers are targeting vulnerabilities in legitimate Web sites since it makes the malicious page more likely to be visited. While search engines have been proactively adding malware scanning in their arsenal, legitimate Web site owners also need to take proactive steps to keep their site free of such malicious content.

Customers using the Barracuda Purewire Web Security Service are protected from this attack.

Share

Posted in Research, Security, SEO Poisoning, Web Security | No Comments »