CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Google’ Category

Google’s Blogger CAPTCHA Under Automated Registrations Attack

Saturday, April 26th, 2008

Spammers have turned their attention to Google’s well-known blog publishing system “Blogger”/“Blogspot”, following the earlier anti-CAPTCHA attacks on Microsoft’s Live Mail, Google’s Gmail and Microsoft’s Live Hotmail.

The automated bots not only sign up for and create Blogger accounts (using account credentials supplied by the spammer), but also use these accounts as redirectors and doorway pages that advertise the spammers’ products and services. In the current attack, accounts are registered at Blogger by way of anti-CAPTCHA operations, and a few lines of script are placed on each account to refresh the page, sending the visitor on to the actual spam domain.

For spammers, this approach has a few main advantages. Sign-up is free, and the accounts can be used as redirectors or doorway pages to the spammers’ own domain(s). Spammers include these redirecting accounts in their spam campaigns instead of their actual spam domains, and use this tactic to defeat a range of anti-spam services.
These redirecting or doorway-page accounts can also be reused in multiple mass-mailing campaigns for subsequent attacks.
Another advantage is that such accounts are hard to keep track of, since millions of users worldwide use Google’s Blogger services on a regular basis.

The entire automated process is built of two stages. First, predefined instructions from the CAPTCHA-breaking host are injected onto the bot-infected (victim’s) machine. The instructions are used as templates, with varying account credentials and spam-domain redirecting script. Second, the infected machine performs its tasks as per the predefined instructions. Spammers keep trying to improve their anti-CAPTCHA techniques, and the results of validation checks are sent to their email addresses.

These accounts could be used by the spammers at any time for a variety of social-engineering attacks, a trend that has been increasingly common with various popular Web 2.0 sites.


Google Fixes Cookie Stealing Vulnerability

Tuesday, April 15th, 2008

Security researchers have unpicked a flaw in Google Spreadsheets that allows cookie stealing. The cross-site scripting vulnerability lets attackers use stolen cookies to access any Google service the user has registered for, including the victim’s Gmail account. Google has now plugged the vulnerability, which was discovered by security researcher Billy Rios. A Google cookie is valid across all of Google’s subdomains, a convenience that greatly enhances the potential for mischief.

This particular XSS vulnerability on Google’s domain takes advantage of how Internet Explorer determines the content type of an HTTP response returned by the server. Other browsers also have problems handling Content-Type headers properly, but this particular vulnerability is limited to IE.

Rios created a spreadsheet containing HTML and a string of JavaScript code that reads the user’s cookie. He then saved the spreadsheet and generated a link for it to be served as a text-based CSV file, which IE mistakenly interprets as HTML.

Anyone viewing this doctored spreadsheet through that link would hand over their cookies to Rios, or to an attacker. Google now renders such crafted table content as text rather than HTML.
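The fix described above comes down to never letting the browser guess that an exported file is HTML. As an added example (not Google’s code, and not from this article), the following Python builds a CSV download in both the weak and the hardened configuration, shows which byte patterns a sniffing browser keys on, and audits a response’s headers. The function names, the 200-byte sniffing window, and the use of `X-Content-Type-Options: nosniff` (a mitigation that postdates this article) are this example’s own assumptions.

```python
# Added example: serving user-supplied CSV so a browser cannot mistake it for
# HTML, with an audit of the response headers. Illustrative code, not Google's
# fix; function names and the 200-byte sniffing window are assumptions.
import csv
import io

# Constructed sample rows: one cell carries markup and script, as in the
# doctored spreadsheet described above.
SAMPLE_ROWS = [
    ["name", "note"],
    ["alice", "<b>hi</b><script>alert(document.cookie)</script>"],
]
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<title", b"<!doctype")


def build_csv_response(rows, filename="export.csv", hardened=True):
    """Return (status, headers, body) for a CSV download.

    hardened=False reproduces the weak configuration: the body is valid CSV,
    but nothing stops a sniffing browser from treating it as HTML.
    """
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    body = buf.getvalue().encode("utf-8")
    if not hardened:
        # Generic text type, no sniffing opt-out, rendered inline.
        return 200, {"Content-Type": "text/plain"}, body
    headers = {
        "Content-Type": "text/csv; charset=utf-8",
        # Declared type is authoritative; do not sniff the body.
        "X-Content-Type-Options": "nosniff",
        # Download rather than render inline.
        "Content-Disposition": 'attachment; filename="%s"' % filename,
    }
    return 200, headers, body


def looks_sniffable_as_html(body, window=200):
    """True if the start of the body carries markers a sniffing browser keys on.

    The window mirrors the small leading chunk old IE inspected; 200 bytes is
    an assumption for this example.
    """
    head = body[:window].lower()
    return any(marker in head for marker in HTML_MARKERS)


def audit_download_headers(headers):
    """Return findings for a response that serves user-supplied text."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";")[0].strip()
    if not ctype:
        findings.append("no Content-Type: browser will guess the type")
    elif ctype == "text/html":
        findings.append("Content-Type text/html: body renders as markup")
    if h.get("x-content-type-options") != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if not h.get("content-disposition", "").startswith("attachment"):
        findings.append("not served as an attachment: may render inline")
    return findings


if __name__ == "__main__":
    for hardened in (False, True):
        _, headers, body = build_csv_response(SAMPLE_ROWS, hardened=hardened)
        print("hardened=%s sniffable=%s findings=%s"
              % (hardened, looks_sniffable_as_html(body), audit_download_headers(headers)))
```

The body is identical in both configurations; only the headers change, which is the point: the data a user typed into a cell cannot be trusted, so the response must tell the browser what it is and refuse to let it guess.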


Google To Open Suspect Orkut Albums To Brazil Police

Saturday, April 12th, 2008

Google might allow Brazilian police to access 3,261 private photo albums on social networking website Orkut, which may contain child pornography. This move is part of a strategy announced by the head of the company in Brazil, Alexandre Hohagen, to a Senate Committee set up to investigate cases of paedophilia in the country. In the last two years nearly 90 percent of the 56,000 complaints in Brazil about net-based paedophilia were linked to the website. Until September 2007, all requests for information about users suspected of crimes such as racism or paedophilia were sent to Google US to be examined.

Every time abuse is reported within Orkut, the administrators must immediately delete the images, destroying the evidence. The company is working on a collaboration between the Brazilian authorities and the US organization.

The private photo albums, considered by some a safe haven for criminals, were introduced in November 2007 and allow users to block access to their pictures by anyone outside their direct network. They were created to protect the privacy of those who didn’t want personal pictures to be seen by anyone, and the majority of users make legitimate use of them. Google apparently has no plans to disable this option.


Gmail Being Blocked By Some Anti-Spam Vendors

Monday, April 7th, 2008

Thousands of users are experiencing problems receiving e-mail from Gmail users recently. Over the past month, major anti-spam vendors have had to apply scrutiny to Gmail in a way they haven’t had to before, and the result is reduced delivery performance and sometimes outright blocking of Gmail. Some messaging hosts are being instructed to reject SMTP connections from Google.

The reason is the defeat of Gmail’s CAPTCHA, which was announced in February. According to sources in the anti-spam industry, the result has been a marked increase in spam originating from Gmail SMTP servers. Some say the increase started even earlier.

A support analyst with MessageLabs, a major provider of software-as-a-service anti-spam filtering, said that “some spammers have hacked into the Gmail captcha system, and were able to relay spams appearing to come from Googlemail’s IP addresses. This has caused many IPs of theirs to appear to be sources of spam.” For their customers, this means a decrease in performance. “We have a traffic-shaping system that throttles IPs that we believe to appear to be a source of spam. The result is that for the past couple of days we have been seeing issues like this with Gmail,” the analyst concluded.

Gmail has relayed a lot of spam recently, and its relays are registering on traffic-shaping systems. When spam is sent out through a Gmail relay, that relay can sometimes get completely blocked, causing problems for thousands of legitimate Gmail users. MessageLabs therefore has to throttle only the SMTP relays that are actually spamming.
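The throttling described above is per relay, not per provider: only the SMTP relays that are actually emitting spam are shaped. As an added example, not MessageLabs’ system and not code from this article, the following Python reproduces that decision over a constructed filter log. The log format, the TEST-NET-3 addresses, the time window, the minimum message count and the spam-ratio threshold are all assumptions of this example.

```python
# Added example, not MessageLabs' system: a toy traffic-shaping decision that
# throttles only the individual relay IPs whose recent traffic is mostly spam,
# so one bad relay does not block a whole provider. The log format, the IPs
# (TEST-NET-3 addresses) and the verdicts are constructed for this example.
from collections import defaultdict

# Constructed filter log: "<unix-time> <relay-ip> <verdict>" per line.
SAMPLE_LOG = """\
1207000000 203.0.113.1 spam
1207000010 203.0.113.1 spam
1207000020 203.0.113.1 spam
1207000030 203.0.113.1 ham
1207000005 203.0.113.2 ham
1207000015 203.0.113.2 ham
1207000025 203.0.113.2 spam
1207000040 203.0.113.3 spam
1206990000 203.0.113.4 spam
1206990001 203.0.113.4 spam
1206990002 203.0.113.4 spam
"""


def parse_log(log_text):
    """Yield (timestamp, ip, verdict) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("ham", "spam"):
            continue
        try:
            yield int(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def relay_stats(log_text, window_seconds):
    """Per-relay ham/spam counts restricted to the last window_seconds of the log."""
    events = list(parse_log(log_text))
    if not events:
        return {}
    newest = max(ts for ts, _, _ in events)
    counts = defaultdict(lambda: {"ham": 0, "spam": 0})
    for ts, ip, verdict in events:
        if newest - ts <= window_seconds:
            counts[ip][verdict] += 1
    return dict(counts)


def throttle_decisions(log_text, window_seconds=3600, min_messages=3, spam_ratio=0.6):
    """Map each relay seen in the window to 'throttle', 'allow' or 'insufficient'.

    min_messages prevents a relay from being throttled on one or two messages;
    spam_ratio is the share of spam at or above which the relay is shaped.
    """
    decisions = {}
    for ip, c in relay_stats(log_text, window_seconds).items():
        total = c["ham"] + c["spam"]
        if total < min_messages:
            decisions[ip] = "insufficient"
        elif c["spam"] / total >= spam_ratio:
            decisions[ip] = "throttle"
        else:
            decisions[ip] = "allow"
    return decisions


if __name__ == "__main__":
    for ip, decision in sorted(throttle_decisions(SAMPLE_LOG).items()):
        print(ip, decision)
```

Keying the decision on the relay address rather than on the sending domain is what keeps legitimate Gmail users on the unaffected relays delivering; the window is what lets a relay recover once the spam stops.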

Blocking problems have been verified, as well as extremely long delays in delivering messages: delays of four hours and up to 24 hours have been seen. The problem can be maddening because not all Gmail relays are affected, so you may get some e-mail on time while other messages do not come through. Even some corporate Google e-mail has been blocked.

The Postini anti-spam filtering service (which Google acquired last year) does not appear to be affected at this time. Purely client-side filters such as SpamBayes are also not affected.

The damage currently appears limited to select SaaS filtering solutions, such as MessageLabs and Antigen. There are unconfirmed reports from Microsoft as well. A source at another anti-spam company who wished to remain anonymous did say that Google can expect more problems if the CAPTCHA crack cannot be stopped. His product team was already working on the issue, but they were unsure how best to handle it.


Hacked Blog Spam Pages Promoted In Google News

Friday, April 4th, 2008

Google News search results are currently infected with spam pages from a hacked authority blog (maybe even several blogs). A simple search for “migraine” in Google News shows about 120 results linking to “cialis” spam from a folder of specially generated spam pages on blog.oup.com (Oxford University Press Blog). The results are supposedly sorted by “relevance”. Do not click on those search results: the pages might contain exploits that can infect your PC via the browser (usually Internet Explorer).

It seems that not only was the Oxford University Press Blog hacked and spam pages added, but Google News added those pages without verification because they are hosted on a trusted news domain, oup.com. The reason is, of course, an old WordPress version with a vulnerability that got exploited.

More keywords trigger the same response from Google News, among them “Osteoarthritis”, “anxiety”, “osteoporosis”, “blood pressure”, “viagra” and many others.

A regular Google search for blog.oup.com shows some interesting results as well. The folder /wp-content/themes/default/images, which normally contains the blog’s pictures, currently contains an extra folder called “ph” where all the spam pages are located.

The spam pages promote a “Trusted Pharmacy”, and the tactic obviously worked with Google News, since those pages were added right away to news search results. Google’s filters have not picked up the infected blog because the blog is a verified news source and, most likely, all content from the domain blog.oup.com is trusted. Not only that, somehow those spam pages were categorized as “relevant” to the searches in question.

There is a need for a ranking mechanism that takes into account not only the reputation of a source but also verifies that the source has not been hacked and that spam or infected pages are not being injected into Google. Trust in Google’s “safe to visit” filtered News results becomes more and more important. Unlike web search, which can be indexed, filtered and updated over the course of months, the news index has to be extremely fresh; for this reason algorithms like PageRank cannot function properly, and that is the reason no verification is made of websites once they are approved as trusted.

UPDATE: Senior Customer Service Rep from Oxford University Press has put a ticket in their systems support group to investigate this issue. Hopefully this hacked blog will be taken down by Oxford University Press soon.


Massive IFRAME Search Results Attack

Friday, March 28th, 2008

A massive IFRAME injection attack, which started last week, is slowly turning into a large-scale web application vulnerability audit of high-profile sites. Last week Symantec rated the attack as medium risk, and StopBadware and US-CERT issued warnings about the incident. After another week of monitoring the campaign, the latest malware and the sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with injected IFRAMEs whose loading depends entirely on each site’s web application security practices.

The main IPs inside the IFRAMEs, which act as redirection points to the newly introduced rogue software and malware, remain the same and are still active. High-profile websites have been successfully injected with IFRAMEs forwarding to rogue security software and Zlob malware variants. Some of the websites attacked:

USAToday.com, ABCNews.com, News.com, Sears.com, Circuitcity.com, Target.com, Packard Bell.com, Walmart.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu

The number and importance of the sites has increased. Google appears to be filtering the search results even though the malicious parties may already have injected the IFRAMEs, in an attempt to undermine the campaign; meanwhile new malware and fake codecs are being introduced under new domain names, along with a couple of newly introduced domains inside the IFRAMEs themselves.

Google is actively filtering the results and removing the cached pages on a number of domains. The attack, which started two weeks ago, is continuing: the main IPs behind the IFRAMEs are still active, new pieces of malware and rogue software are being introduced, hosting for which is still courtesy of the RBN, and we are definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning combined with IFRAME injections.


Google Helps Most Phishing Sites

Friday, March 28th, 2008

Researchers from MarkMonitor, a brand-protection firm, compiled a list of 750 Google search terms that are used to track down websites likely to have easily exploitable vulnerabilities, mostly PHP-based sites. According to the research, three-quarters of phishing sites are built on hacked servers that were found using such pre-programmed Google search terms. Among other activities, MarkMonitor tracks phishing attacks that target brand names.

MarkMonitor found that 75 percent of the phishing sites it had discovered had been originally tracked down using one of the list of 750 Google search terms. The finding was based on a sample of one-quarter of the phishing sites logged by the firm.

The search terms return a list of sites likely to have particular vulnerabilities; the attackers then exploit the vulnerability, gain access to the site and use it to host malicious code, counterfeit web pages (phishing) and spam redirection “doorways” as part of the scam. The search terms are actively traded on internet forums and are routinely scanned by IRC-based “bots”, which also scan Yahoo and AOL Search results, according to MarkMonitor.

Google has already made moves to block automated exploitation, but the search terms can still be used manually. The websites exploited tend to be small, local PHP-based sites, which are less likely to have the latest patches installed, and are invaded via one of more than 1,800 known PHP bugs.

Auction sites are the biggest targets, accounting for 44 percent of the phishing emails in the fourth quarter, up from 36 percent in the first quarter of 2007. In the fourth quarter of 2007, 412 organisations were targeted by phishing attacks, up 37 percent from the same period in 2006, according to the firm’s brand-jacking index, published last month.


Google Exploit Removes Any Website From The Index

Saturday, March 22nd, 2008

There currently is a working method to knock a website out of Google’s search engine results. To understand this exploit, you should first know (or read) about Google’s Duplicate Content Filter. Since nowadays Google dumps duplicate sites in Google’s Supplemental Index, there is a way to make Google think that YOUR site should be removed from the index.

If someone copies your website’s homepage and manages to convince Google that the copy is actually the original, your homepage will get tossed into the supplemental index and most likely will never get back into the search engine ranking pages again. If it does, it will take somewhere between 2 and 6 months.

When someone copies your website, Google will index that copy and correctly determine that it is a duplicate. Google now knows of two pages that are complete duplicates, and it has to decide which to dump in the supplemental index and which to keep in the main one. The problem is that Google can’t tell which is the original and which is the copy.
They have some clever algorithms to work it out, but even if they are 99% accurate, that leaves a lot of problems for the 1% of cases they get wrong.

Another problem is web proxies that send out spiders just like Google does: they spider your page, take your content, and host a copy of your website on their proxy site, so that when their users request your page they can serve the local copy quickly rather than retrieving it from your server. The big issue is that Google can sometimes decide that the proxy copy of your web page is the original, and yours is not.

There is some evidence that people are deliberately and maliciously using proxy servers to cache copies of web pages and then using normal (white- and black-hat) search engine optimization (SEO) techniques to make those proxy pages rank in the search engine, increasing the likelihood that your legitimate page will be the one dumped by the search engines’ duplicate content filters.

Most of the time, proxy spiders actively spoof their origin so that you don’t realize it is a spider from a proxy: they pretend to be Googlebot, for example, or a Yahoo crawler, or a regular human user with IE or Firefox.

There are a few possible defences, depending on your web hosting technology and technical competence:

1 - Using PHP and the .htaccess file to check for search engines and deny some spiders and proxies. This works only against proxies, spiders and bots that identify themselves correctly. If you are using MS Windows and IIS on your server, or if you are on a shared hosting solution that doesn’t let you do anything clever, it is an awful lot harder and you should take the advice of a professional on how to defend yourself from this kind of attack.

2 - If you are running a PHP- or ASP-based website, set the robots meta tag on all pages to noindex and nofollow, and implement a PHP or ASP script on each page that checks for valid spiders from the major search engines and, if the check passes, resets the robots meta tag to index and follow. The important distinction here is that it is easier to validate a real spider, and to discount a spider that is trying to spoof you, because the major search engines publish processes and procedures for doing this, including IP lookups.
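The spider check in step 2 above is the published forward-confirmed reverse DNS procedure: reverse-resolve the visitor’s IP, require the name to fall under the engine’s crawler domain, then forward-resolve that name and require the same IP. As an added example (not the article’s PHP/ASP script; written in Python here), the code below implements that check with an injectable resolver so it can be run offline against constructed DNS data, and emits the robots meta tag from the result. The function names, the fake records and the TEST-NET-2 addresses are this example’s own; the crawler domain suffixes are the ones the engines documented at the time and should be confirmed against their current pages.

```python
# Added example (not the article's PHP/ASP script): forward-confirmed reverse
# DNS verification of a visitor that claims to be a search-engine crawler, and
# the robots meta tag to emit from the result. Reverse-resolve the IP, check
# the host is under the engine's crawler domain, forward-resolve that host and
# require the same IP. Resolvers are injectable so the check runs offline
# against the constructed data below. CRAWLER_DOMAINS holds the suffixes the
# engines documented at the time; confirm against their current pages.
import socket

CRAWLER_DOMAINS = {
    "googlebot": (".googlebot.com", ".google.com"),
    "slurp": (".crawl.yahoo.net",),          # Yahoo! Slurp
    "msnbot": (".search.msn.com",),
}


def live_reverse(ip):
    """PTR lookup via the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def live_forward(host):
    """A-record lookup via the system resolver."""
    return socket.gethostbyname(host)


def verify_crawler(ip, user_agent, reverse=live_reverse, forward=live_forward):
    """True only if the User-Agent names a known crawler, the PTR for ip lies
    under that crawler's documented domain, and the forward lookup of the PTR
    name returns the same ip. A spoofed UA or a self-chosen PTR fails."""
    ua = user_agent.lower()
    suffixes = next((s for name, s in CRAWLER_DOMAINS.items() if name in ua), None)
    if suffixes is None:
        return False  # not claiming to be a crawler we know; ordinary visitor
    try:
        host = reverse(ip).lower().rstrip(".")
        if not host.endswith(suffixes):
            return False
        return forward(host) == ip
    except OSError:  # socket.herror / gaierror: no PTR or no A record
        return False


def robots_meta(verified):
    """Default every page to noindex,nofollow; open it only for verified crawlers."""
    return '<meta name="robots" content="%s">' % (
        "index,follow" if verified else "noindex,nofollow")


# Constructed DNS data (TEST-NET-2 addresses) standing in for the live resolver.
FAKE_PTR = {
    "198.51.100.10": "crawl-198-51-100-10.googlebot.com",            # genuine
    "198.51.100.20": "crawl-1-2-3-4.googlebot.com.proxy.invalid",    # lookalike PTR
    "198.51.100.30": "fake.googlebot.com",                           # PTR lies
}
FAKE_A = {
    "crawl-198-51-100-10.googlebot.com": "198.51.100.10",
    "crawl-1-2-3-4.googlebot.com.proxy.invalid": "198.51.100.20",
    "fake.googlebot.com": "203.0.113.99",
}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_forward(host):
    if host not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[host]


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.20", "198.51.100.30", "198.51.100.40"):
        ok = verify_crawler(ip, GOOGLEBOT_UA, fake_reverse, fake_forward)
        print(ip, ok, robots_meta(ok))
```

The third constructed record is the case that matters: a proxy operator can point their own PTR at a name under googlebot.com, but they cannot make Google’s forward zone answer with their address, so the forward confirmation is what defeats the spoof. In production, pass the live resolver (the defaults) and cache the result per IP, since two DNS lookups per hit is expensive.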


Another Google Adwords Phishing

Saturday, March 22nd, 2008

Google AdWords and Google AdSense users have recently been receiving phishing emails which appear to be from Google.

When you click the URL in the email body you are redirected to a fake Google AdWords website and asked for your username and password. The information is sent to malicious users who might abuse your account for their own needs. Hovering the mouse over the URL in the email shows that it is a fake .cn domain. The fake website looks like the real Google AdWords website, but there is no SSL certificate (no https:// in the URL, just http://).

The email looks like it has been sent from adwords-noreply@google.com address and the message subject is “Please Update Your Billing Information”. Message body says “Dear Google AdWords Customer! In order to update your billing information, please sign in to your AdWords account at https://adwords.google.com, and update your billing information.”

In case you are a Firefox user, you might get a warning about the site you’re about to visit.
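The indicators in this post (an https address in the message text, an http link to an unrelated .cn host behind it) can be checked mechanically before anyone clicks. As an added example, not from the article, the following Python extracts the links from an HTML message and flags each one whose target host is not the expected service, whose scheme is not https, or whose visible text names a different host than the href. The sample messages are constructed to mirror the lure described above; the .cn hostname is a placeholder and all function names are this example’s own.

```python
# Added example, not from the article: flag links in an HTML e-mail whose
# visible text points at one host while the href goes elsewhere, or that use
# plain http where the real service uses https. The messages below are
# constructed to mirror the lure described above; the .cn host is a placeholder.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: the text claims https://adwords.google.com, the href does not.
PHISH_HTML = """<p>Dear Google AdWords Customer! In order to update your billing
information, please sign in to your AdWords account at
<a href="http://adwords.google.com.placeholder-example.cn/select/Login">https://adwords.google.com</a>,
and update your billing information.</p>"""

# Constructed legitimate counterpart for comparison.
LEGIT_HTML = """<p>Sign in at
<a href="https://adwords.google.com/select/Login">https://adwords.google.com</a>.</p>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def displayed_host(text):
    """Hostname the reader sees, if the link text looks like a URL or a domain."""
    candidate = text.strip().lower()
    if "://" in candidate:
        candidate = urlparse(candidate).hostname or ""
    return candidate if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", candidate) else None


def find_suspicious_links(html, expected_host="adwords.google.com"):
    """Return one finding per link that does not look like a genuine expected_host link."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        reasons = []
        if host != expected_host and not host.endswith("." + expected_host):
            reasons.append("href host %r is not %s" % (host, expected_host))
        if target.scheme != "https":
            reasons.append("link uses %r rather than https" % (target.scheme or "no scheme"))
        shown = displayed_host(text)
        if shown and shown != host:
            reasons.append("text shows %s but href goes to %s" % (shown, host))
        if reasons:
            findings.append({"href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for label, html in (("phish", PHISH_HTML), ("legit", LEGIT_HTML)):
        print(label, find_suspicious_links(html))
```

The host comparison is suffix-based on purpose: `adwords.google.com.placeholder-example.cn` starts with the real name, which is exactly what fools a reader glancing at the status bar, but it does not end with `.adwords.google.com`, so it fails the check.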


Nigerian Spammers - Now In Google Calendar

Thursday, March 20th, 2008

BitDefender, a provider of antivirus software and data security solutions, announced today that its antispam analysts have detected Nigerian scam spammers using Google Calendar to target their victims.

Nigerian scammers are sending meeting invites through Google Calendar which are actually nothing but scam “hooks”. All emails are sent individually to different Google Calendar users, with a different link for each recipient, making spam/abuse URL filtering harder. The scam works by informing the victim that they have inherited or are otherwise due a large amount of money from an unlikely source. The spammer then tells the victim to make a payment in order to “set up the delivery” of the said large sum. Google support has been notified to block the accounts used in the scam.

BitDefender CTO Bogdan Dumitru says this is a new and untried social engineering approach. The fact that these things are being spammed in huge numbers is a bit odd: usually there is a testing phase to evaluate the response rate, and after some testing some techniques are found ineffective and never get used again. This one is different.

The new spam wave was detected two days ago by BitDefender antispam analysts and has already been added to the spam signature base. BitDefender users are guarded from this type of aggravation.
