Cybercriminals Catch the Olympic Fever Early On

There is no doubt that athletes all around the world are training hard to compete at the London Olympics in 2012, but cyber criminals seem to be gearing up for the event as well. Even with over 400 days still to go until the Olympics, we have already started seeing search terms related to this event returning a large number of poisoned links. As we have observed with search engine optimization (SEO) poisoning in the past, these poisoned links redirect to rogue antivirus sites.

The following are the top 10 poisoned search terms:

We have also found dozens of other poisoned search terms related to Olympics tickets, mascots, offers, and so on. Below is a screenshot of the search results for the term “london 2012 stadium diagram”; Norton Safe Web indicates that all of the first 10 links are malicious:


These URLs redirect to malicious content only when you click on the link from the search engine result page—a benign page is presented when you navigate to these links directly. We found the fake pages created by scammers to contain Olympic-related text, images, and links to other fake pages. These pages are presented to the search engine bots for indexing, and all of these images are hot-linked from reputable news sites. The presence of images on these pages suggests that these sites are being used to poison image searches as well.

Below is a sample page presented to the search engine bot for indexing:

Once a user clicks on the search result link, he or she is redirected to a fake online scanner that asks the user to download rogue antivirus software:

In this case, the user is tricked into installing the rogue antivirus XP Total Security 2011, which pretends to scan the system and shows a huge list of threats to be "fixed":

During the course of the year leading up to the big event, we expect to see many more Olympics-related search terms being used by cybercriminals to push rogue antivirus software. We have already found over 300 compromised sites used in this campaign over the past week. We recommend that users stick to legitimate news sites, and keep a look out for domain names that appear to be unrelated to the news being searched for. Symantec customers are already protected from this attack with IPS, AV, and Safe Web technologies.

Defending against SEO poisoning attacks with Layered Protection

The use of search engine optimisation (SEO) in malware distribution has been discussed many times on this site. In most cases, the attacks are used to redirect unsuspecting users to scareware (fake anti-virus) sites, where they are tricked into installing fake AV. The attacks have historically been Windows-specific, but recently we have seen the attackers targeting Mac users as well.

From the attackers’ point of view, a crucial part of any web attack is about controlling the user traffic. There are several ways of achieving this, one of
the more effective being compromising legitimate sites (injecting web pages with some silent redirect). Whilst this still remains an effective way of
capturing the user traffic, SEO has undeniably grown in popularity. As we highlighted in a previous technical paper, there is no technical barrier for SEO to be used in malware distribution, primarily due to the use of kits that facilitate the construction and management of the SEO sites.

Recently we have been tracking a fresh burst of SEO attacks that appear to be successfully capturing a lot of user traffic. The kit being used in these
attacks has already been well described, so I will not repeat that information here. Instead, what I hope to reveal are the various stages of the attack and where Sophos protection fits in.

Sites hosting the SEO pages

The SEO pages used in these attacks are hosted within a large number (thousands) of compromised, legitimate sites. Looking at a sample of the sites hosting the SEO pages that we have seen over the past 24 hours, it is clear that the problem is not isolated, with many hosting providers hit.

I quickly cross-checked this snapshot of compromised sites against the latest Alexa top 1 million data. Just over 50 of the sites feature in the Alexa rankings, with 3 ranking in the top 100,000, one of which is at position 2548! This illustrates the advantage the attackers have in hosting the kit within legitimate sites, piggybacking on their existing positive reputation, thereby making it harder for the search engines to filter.

A question we are commonly asked is what topics/keywords are actually being poisoned? The answer to this is pretty much anything you can imagine (and more besides). The topics we have seen poisoned recently range from the predictable (“Lady Gaga’s shoes“, “Justin Bieber“) through to the more unusual (“ancient Inca masks“, “3D origami skull“).

Attack flow

Users clicking through from the search engine results to one of these SEO pages are redirected to a remote traffic direction system (TDS) server, step 3 in the diagram below. Using the TDS allows the attackers to control the remainder of the attack. In the current attacks, user traffic is being split down at least two paths. In some cases victims are simply redirected to scareware sites, in others they are redirected to exploit sites. For the latter case, the diagram below illustrates the various steps involved in the attack.

The steps are described below:

  1. The attackers win the game of cat and mouse with the search engines, and succeed in getting links to poisoned SEO pages in the search engine results.
  2. A user clicks on one of the links to the SEO page. The PHP script used in the SEO kit determines this is a user that has arrived via a search engine, and simply redirects them to the TDS server.
  3. The TDS server redirects the user again, to a page within another compromised web site.
  4. Another HTTP 302 redirection, this time to the site hosting the exploit script (suspected to be constructed using the Blackhole exploit kit).
  5. The script loaded on the exploit site is heavily obfuscated in an effort to thwart detection. The script is responsible for loading malicious PDF and Java components that exploit several client vulnerabilities.
  6. If any of the attempted exploits succeed, the desired payload will be installed on the user’s machine.

As noted above, these exploit sites are thought to be constructed/managed with a kit known as Blackhole, which hits users with content to exploit several vulnerabilities, including:

  • CVE-2009-0927 (PDF getIcon)
  • CVE-2008-2993 (PDF util.printf)
  • CVE-2007-5659 (PDF collectEmailInfo)
  • CVE-2010-1423 (Java)
  • CVE-2010-1885 (HCP)
  • CVE-2006-0003 (MDAC)

Defending the SEO attacks

As illustrated in the diagram above, there are multiple steps in the infection chain where we provide protection, before the victim is infected with the
payload. In terms of detections:

  • Mal/SEORed-A – block access to the SEO pages containing the poisoned search terms.
  • Troj/ExpJS-BP – block access to the script used on the exploit site.
  • Troj/PDFJS-RL – block access to the malicious PDF files used by the exploit kit.
  • Mal/JavaDldr-B – block access to malicious Java files used by the exploit kit.

In addition to these detections, customers using our reputation data (via the Sophos Web Appliance or as part of Live Protection on the endpoint) will also be protected from these attacks thanks to URL filtering.

The success of these latest SEO attacks is perhaps best illustrated by reviewing prevalence data for the Mal/SEORed-A detection. Looking at a 24-hour snapshot of detections from Sophos-protected endpoints shows Mal/SEORed-A in 3rd place! Clearly the SEO techniques are succeeding in capturing the traffic of an awful lot of users.

Osama bin Laden dead – so watch for the spams and scams

Google’s top-trending Anglophone search term right now is, understandably, “osama bin laden dead”.

Google officially describes its hotness (you couldn’t make this stuff up) as volcanic.

The short version, according to the LA Times, is that bin Laden was tracked to a “comfortable mansion surrounded by a high wall in a small town near Islamabad, Pakistan’s capital.”

For bin Laden, it seems, the comfort is no more. “On Sunday, a ‘small team’ of Americans raided the compound. After a firefight, [President Obama said], they killed Bin Laden.” Apparently, DNA tests have confirmed Bin Laden’s identity.

And there you have it.

Now you know the basics – but watch out for the links you’re likely to come across in email or on social networking sites offering you additional coverage of this newsworthy event.

Many of the links you see will be perfectly legitimate links. But at least some are almost certain to be dodgy links, deliberately distributed to trick you into hostile internet territory.

If in doubt, leave it out!

Sometimes, poisoned content is rather obvious. The links in this spam captured by SophosLabs, for example, give the impression of going to a news site:

The links don’t go anywhere of the sort, of course. Wherever you click, you end up finding out how to replace your tired old windows:

But even well-meant searches using your favourite search engine might end in tears.

What’s commonly called “Black-Hat Search Engine Optimisation” (BH-SEO) means that cybercrooks can often trick the secret search-ranking algorithms of popular search engines by feeding them fake pages to make their rotten content seem legitimate, and to trick you into visiting pages which have your worst interests at heart.

Well-known topics that have been widely written about for years are hard to poison via BH-SEO. The search engines have a good historical sense of which sites are likely to be genuinely relevant if your interest is searches like “Commonwealth of Australia”, “Canadian Pacific Railway” or “Early history of spam”.

But a search term which is incredibly popular but by its very nature brand new – “Japanese tsunami”, “William and Kate engagement”, “Kate Middleton wedding dress” or, of course, “Osama bin Laden dead” – doesn’t give the search engines much historical evidence to go on.

The search engines want to be known for being highly responsive to new trends – that means more advertising revenue for them, after all – and that means, loosely speaking, that they have to take more of a chance on accuracy.

What can you do to keep safe?

* Don’t blindly trust links you see online, whether in emails, on social networking sites, or from searches. If the URL and the subject matter don’t tie up in some obvious way, give it a miss.

* Use an endpoint security product which offers some sort of web filtering so you get early warning of poisoned content. (Sophos Endpoint Security and Control and the Sophos Web Appliance are two examples.)

* If you go to a site expecting to see information on a specific topic but get redirected somewhere unexpected – to a “click here for a free security scan” page, for instance, or to a survey site, or to a “download this codec program to view the video” dialog – then get out of there at once. Don’t click further. You’re being scammed.