<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Barracuda Labs Internet Security Blog &#187; SEO Poisoning</title>
	<atom:link href="http://www.barracudalabs.com/wordpress/index.php/category/seo-poisoning/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.barracudalabs.com/wordpress</link>
	<description></description>
	<lastBuildDate>Fri, 27 Aug 2010 23:16:20 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Scammers Cashing in on Facebook &#8216;Un named&#8217; App Hoax</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2010/01/30/scammers-cashing-in-on-facebook-un-named-app-hoax/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2010/01/30/scammers-cashing-in-on-facebook-un-named-app-hoax/#comments</comments>
		<pubDate>Sat, 30 Jan 2010 11:55:10 +0000</pubDate>
		<dc:creator>vives</dc:creator>
				<category><![CDATA[Research]]></category>
		<category><![CDATA[SEO Poisoning]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://cs.barracudalabs.net/wordpress/?p=134</guid>
		<description><![CDATA[Posted by: Barracuda Labs
On Wednesday, a seemingly harmless application listing glitch led numerous users to believe that a Spybot attack was under way on Facebook. Due to the bug, an application listed as ‘Unnamed App’ appeared in some users’ application settings. Some of the users took this as the presence of a spybot which would steal [...]]]></description>
			<content:encoded><![CDATA[<p><span style="color: #888888;">Posted by: Barracuda Labs</span></p>
<p>On Wednesday, a seemingly harmless application listing glitch led numerous users to believe that a Spybot attack was under way on Facebook. Due to the bug, an application listed as ‘Unnamed App’ appeared in some users’ application settings. Some users took this as the presence of a spybot that would steal their account details and passwords and perform malicious activities on their computers. Those users warned others, and word about the ‘Un named App’ spread like wildfire within a few hours.</p>
<p>Ultimately, this was a harmless bug; however, curious users turned to Google to learn more about it, and scammers saw this as a golden opportunity. The scammers soon harnessed the search query ‘unnamed app’ and poisoned search results to include sites that would redirect users to a Rogue AntiVirus serving site instead. This has become a very popular technique used by scammers in the past few months.</p>
<p><a href="http://cs.barracudalabs.net/wordpress/wp-content/uploads/2009/01/searchresult_1.png"><img class="alignnone size-full wp-image-138" title="searchresult_1" src="http://cs.barracudalabs.net/wordpress/wp-content/uploads/2009/01/searchresult_1.png" border="0" alt="" width="600" /></a></p>
<p>Clicking on search results titled ‘Unnamed App’ redirects the user to Rogue AV:</p>
<p><a href="http://cs.barracudalabs.net/wordpress/wp-content/uploads/2009/01/RogueAvPopup_1.png"><img class="alignnone size-large wp-image-139" title="RogueAvPopup_1" src="http://cs.barracudalabs.net/wordpress/wp-content/uploads/2009/01/RogueAvPopup_1-1024x645.png" border="0" alt="" width="600" /></a></p>
<p>Scam artists also attempted to hide from the research community by selectively redirecting only users who visited straight from Google by clicking one of the search results. Visitors (mostly researchers) who attempted to go to the malicious search result directly were redirected to <a href="http://www.cnn.com/" target="_blank">http://www.cnn.com</a> instead.</p>
<p>There are multiple ways to achieve this. In this case, the attackers inspected the HTTP Referer header to determine where the user came from.</p>
<p>Hence, what was seemingly a harmless bug was still able to do some damage to innocent users’ browsing experience today.</p>
<p>Users of the <a href="http://www.purewire.com/purewire_web_security_service.php" target="_blank">Barracuda Purewire Web Security Service</a> are protected from this attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2010/01/30/scammers-cashing-in-on-facebook-un-named-app-hoax/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Yet Another Reputable Site Asks You to Install Rogue AV</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2009/12/18/yet-another-reputable-site-asks-you-to-install-rogue-av-2/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2009/12/18/yet-another-reputable-site-asks-you-to-install-rogue-av-2/#comments</comments>
		<pubDate>Fri, 18 Dec 2009 11:29:42 +0000</pubDate>
		<dc:creator>vives</dc:creator>
				<category><![CDATA[Research]]></category>
		<category><![CDATA[SEO Poisoning]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://10.8.0.141/wordpress/?p=114</guid>
		<description><![CDATA[Posted by: Barracuda Labs
Yet another reputable site has fallen victim to compromise — University of Arkansas.
This Tuesday, Barracuda’s Malicious Javascript Detection engine (MJD) identified Rogue AV software being distributed from a page that belongs to the University of Arkansas Web site. When users accessed a particular page from the university Web site, it opened a [...]]]></description>
			<content:encoded><![CDATA[<p><span style="color: #888888;">Posted by: Barracuda Labs</span></p>
<p>Yet another reputable site has fallen victim to compromise — University of Arkansas.</p>
<p>This Tuesday, Barracuda’s Malicious Javascript Detection engine (MJD) identified Rogue AV software being distributed from a page that belongs to the University of Arkansas Web site. When users accessed a particular page on the university Web site, it opened a window warning them that their computer was infected with viruses and then downloaded anti-virus software that was identified as fake.</p>
<p>A forensic analysis of the attack revealed that the user requested the following:</p>
<p><span style="color: #ff0000;">hxxp://bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html</span></p>
<p>which in turn requested JavaScript from a malicious domain via a script include:</p>
<p><span style="color: #ff0000;">hxxp://xrusx.com/counter.php?sref=bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html</span></p>
<p>which contained further malicious JavaScript includes that generated fake warning messages on the user’s computer.</p>
<p><a href="http://cs.barracudalabs.net/wordpress/wp-content/uploads/2009/12/uark_malwareWarning-resized-600.png"><img class="alignnone size-full wp-image-119" title="uark_malwareWarning-resized-600" src="http://cs.barracudalabs.net/wordpress/wp-content/uploads/2009/12/uark_malwareWarning-resized-600.png" alt="" width="600"  border="0" /></a></p>
<p>And ultimately attempted to download setup.exe:</p>
<p><a href="http://cs.barracudalabs.net/wordpress/wp-content/uploads/2009/12/uArk_rogueAV2_resize-resized-600.png"><img class="alignnone size-full wp-image-120" title="uArk_rogueAV2_resize-resized-600" src="http://cs.barracudalabs.net/wordpress/wp-content/uploads/2009/12/uArk_rogueAV2_resize-resized-600.png" alt="" width="600"  border="0"/></a></p>
<p>setup.exe was linked off another malicious domain:</p>
<p><span style="color: #ff0000;">hxxp://www.loker.us/forum/attachments/setup.exe</span></p>
<p>While digging deeper into the user’s tracks to determine how the user reached this page, we made yet another interesting discovery. Our investigation could not find the user browsing any University of Arkansas page that linked directly to the malicious page distributing the Rogue AV. Instead, it was a Bing search result that led the user to this page. Specifically, one customer using the Barracuda Purewire Web Security Service searched for ‘georgiainmatequery’ on the Microsoft Bing search engine.</p>
<p><span style="color: #ff0000;">hxxp://www.bing.com/search?q=georgiainmatequery</span></p>
<p>which yielded the following results:</p>
<p><a href="http://cs.barracudalabs.net/wordpress/wp-content/uploads/2009/12/uArkbingpage_georgiainmatequery-resized-600.png"><img class="alignnone size-full wp-image-121" title="uArkbingpage_georgiainmatequery-resized-600" src="http://cs.barracudalabs.net/wordpress/wp-content/uploads/2009/12/uArkbingpage_georgiainmatequery-resized-600.png" alt="" width="600"  border="0" /></a></p>
<p>As you can see, the malicious link from uArk.edu shows up in the Bing search results, in the number two spot. The page is leveraging uArk.edu’s reputation ranking in what we’ve previously reported on as SEO poisoning (see previous post). This technique is becoming increasingly popular: hackers target vulnerabilities in legitimate Web sites because doing so makes the malicious page more likely to be visited. While search engines have been proactively adding malware scanning to their arsenal, legitimate Web site owners also need to take proactive steps to keep their sites free of such malicious content.</p>
<p>Customers using the Barracuda Purewire Web Security Service are protected from this attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2009/12/18/yet-another-reputable-site-asks-you-to-install-rogue-av-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
