Researchers from MarkMonitor, a brand-protection firm, compiled a list of 750 Google search terms that are used to track down websites likely to have easily exploitable vulnerabilities - mostly PHP-based sites. Three-quarters of phishing sites are built on hacked servers that have been tracked down using pre-programmed Google search terms, according to the research. Among other activities, MarkMonitor tracks phishing attacks that target brand names.
MarkMonitor found that 75 percent of the phishing sites it had discovered had been originally tracked down using one of the list of 750 Google search terms. The finding was based on a sample of one-quarter of the phishing sites logged by the firm.
The search terms return a list of sites likely to have particular vulnerabilities; the attackers then exploit the vulnerability, gain access to the site, and use it to host malicious code, counterfeit web pages (phishing) and spam redirection “doorways” as part of the scam. The search terms are actively traded on internet forums and are routinely run by IRC-based “bots”, which also scan Yahoo and AOL Search results, according to MarkMonitor.
Google has already taken steps to block automated use of these searches, but the terms can still be used manually. The websites exploited tend to be small, local PHP-based sites, which are less likely to have the latest patches installed, and are invaded via one of more than 1,800 known PHP bugs.
Auction sites are the biggest targets, accounting for 44 percent of the phishing emails in the fourth quarter, up from 36 percent in the first quarter of 2007. In the fourth quarter of 2007, 412 organisations were targeted by phishing attacks, up 37 percent from the same period in 2006, according to the firm’s brand-jacking index, published last month.
There currently is a working method to knock a website out of Google’s search engine results. To understand this exploit, you should first know (or read) about Google’s Duplicate Content Filter. Since nowadays Google dumps duplicate sites in Google’s Supplemental Index, there is a way to make Google think that YOUR site should be removed from the index.
If someone copies your website's homepage and manages to convince Google that the copy is actually the original one, your homepage will get tossed into the supplemental index, and most likely will never get back into the Search Engine Ranking Pages again. If it does, it will take somewhere between 2 and 6 months.
When someone copies your website, Google will index that copy and correctly determine that it's a duplicate. Google now knows of two pages that are complete duplicates, and has to decide which to dump in the supplemental index and which to keep in the main one. The problem is that Google can't tell which is the original and which is the copy.
They have some clever algorithms to work it out, but even if they are 99% accurate, that leaves a lot of problems for the 1% of cases where they get it wrong.
Another problem is web proxies which send out spiders, just like Google does: they spider your page, take your content, and then host a copy of your website on their proxy site, so that when their users request your page they can serve up their local copy quickly rather than having to retrieve it from your server. The big issue is that Google can sometimes decide that the proxy copy of your web page is the original, and yours is not.
There is some evidence that people are deliberately and maliciously using proxy servers to cache copies of web pages, then using normal (white and black hat) Search Engine Optimization (SEO) techniques to make those proxy pages rank in the search engine, increasing the likelihood that your legitimate page will be the one dumped by the search engines' duplicate content filters.
Most of the time, proxy spiders actively spoof their origins so that you don’t realize that it’s a spider from a proxy, as they pretend to be a Googlebot for example, or from Yahoo, or regular human users with IE or Firefox.
There are a few possible defenses, depending on your web hosting technology and technical competence:
1 - Using PHP and the .htaccess file to check the user agent and disallow certain spiders and proxies. This only works against proxies/spiders/bots that identify themselves correctly. If you are using MS Windows and IIS on your server, or if you are on a shared hosting solution that doesn't give you the ability to do anything clever, it's an awful lot harder and you should take the advice of a professional on how to defend yourself from this kind of attack.
2 - If you are running a PHP or ASP based website, set all pages robot meta tags to noindex and nofollow and implement a PHP or ASP script on each page that checks for valid spiders from the major search engines, and if so, resets the robot meta tags to index and follow. The important distinction here is that it’s easier to validate a real spider, and to discount a spider that’s trying to spoof you, because the major search engines publish processes and procedures to do this, including IP lookups.
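The following PHP snippet is added here as an illustration of defense 2 and is not code from the original article. The function names `is_verified_googlebot()` and `robots_meta_for_request()`, the injectable resolver callables and the 192.0.2.x sample addresses are assumptions of this example; the verification steps themselves (reverse-resolve the client IP, require a `.googlebot.com` or `.google.com` hostname, forward-resolve it and require the same IP back) are the procedure Google publishes for validating its crawler. Other engines publish their own suffixes and would get their own entries.

```php
<?php
// Added example (not code from the original article): the default-noindex approach of
// defense 2. Every page emits noindex,nofollow unless the visitor proves it is a real
// crawler. Google's published verification: reverse-resolve the client IP, require the
// hostname to end in .googlebot.com or .google.com, then forward-resolve that hostname
// and require it to return the same IP. The resolver callables are injectable (an
// assumption of this example) so the check can be exercised offline.

function is_verified_googlebot(string $ip, ?callable $reverse = null, ?callable $forward = null): bool
{
    $reverse = $reverse ?? 'gethostbyaddr';   // PTR lookup
    $forward = $forward ?? 'gethostbyname';   // A lookup

    $host = $reverse($ip);
    // gethostbyaddr() returns false for bad input and the IP itself when no PTR exists.
    if (!is_string($host) || $host === $ip) {
        return false;
    }
    $host = strtolower(rtrim($host, '.'));

    // Match on the suffix including the leading dot, so "evil-googlebot.com" fails.
    $trusted = false;
    foreach (['.googlebot.com', '.google.com'] as $suffix) {
        if (substr($host, -strlen($suffix)) === $suffix) {
            $trusted = true;
            break;
        }
    }
    if (!$trusted) {
        return false;
    }

    // A spoofed PTR record will not forward-resolve back to the original address.
    return $forward($host) === $ip;
}

function robots_meta_for_request(string $userAgent, string $ip, ?callable $reverse = null, ?callable $forward = null): string
{
    $claimsGooglebot = stripos($userAgent, 'Googlebot') !== false;
    if ($claimsGooglebot && is_verified_googlebot($ip, $reverse, $forward)) {
        return '<meta name="robots" content="index,follow">';
    }
    // Everyone else, including proxies that spoof a crawler User-Agent, gets the default.
    return '<meta name="robots" content="noindex,nofollow">';
}

// In a real page template:
// echo robots_meta_for_request($_SERVER['HTTP_USER_AGENT'] ?? '', $_SERVER['REMOTE_ADDR']);

// Offline self-check with constructed DNS answers (documentation addresses, not real crawlers):
$ptr = ['192.0.2.10' => 'crawl-192-0-2-10.googlebot.com', '192.0.2.20' => 'cache.proxy.example'];
$a   = ['crawl-192-0-2-10.googlebot.com' => '192.0.2.10', 'cache.proxy.example' => '192.0.2.20'];
$fakeReverse = fn(string $ip) => $ptr[$ip] ?? $ip;
$fakeForward = fn(string $h) => $a[$h] ?? $h;

echo robots_meta_for_request('Googlebot/2.1', '192.0.2.10', $fakeReverse, $fakeForward), PHP_EOL;
echo robots_meta_for_request('Googlebot/2.1', '192.0.2.20', $fakeReverse, $fakeForward), PHP_EOL;
echo robots_meta_for_request('Mozilla/5.0', '192.0.2.10', $fakeReverse, $fakeForward), PHP_EOL;
```

The second sample request claims to be Googlebot but resolves to a proxy hostname, so it is served the noindex tag; this is exactly the case a User-Agent check in .htaccess (defense 1) cannot catch, because the proxy controls the User-Agent string but not the DNS records for its own IP address.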
Recently, Google AdWords and Google AdSense users have been receiving phishing emails which appear to be from Google.
When you click on the URL in the email body you will be redirected to a fake Google AdWords website and asked for your user name and password. The information will be sent to malicious users who might try to abuse your account for their needs. Moving your mouse over the URL in the email will show you that it's a fake .cn domain. This fake website looks like the real Google AdWords website but there is no SSL certificate (no https:// in the URL, just http://).
The email looks like it has been sent from adwords-noreply@google.com address and the message subject is “Please Update Your Billing Information”. Message body says “Dear Google AdWords Customer! In order to update your billing information, please sign in to your AdWords account at https://adwords.google.com, and update your billing information.”
In case you are a Firefox user, you might get a warning about the site you’re about to visit.
BitDefender(R), a provider of antivirus software and data security solutions, announced today that BitDefender antispam analysts have detected that Nigerian scam spammers are using Google Calendar to target their victims.
Nigerian scammers are sending meeting invites in Google Calendar, which are actually nothing but scam “hooks”. All emails are sent individually to different Google Calendar users and contain a different link for each recipient, making spam/abuse URL filtering harder. The scam works by informing the victim that they have inherited or are otherwise due a large amount of money from an unlikely source. The spammer then tells the victim to make a payment in order to “set up the delivery” of the said large sum. Google support has been notified to block the accounts used in the scam.
BitDefender CTO, Bogdan Dumitru, says this is a new and untried social engineering approach. The fact that these things are being spammed in huge numbers is a bit odd. Usually there is a testing phase, to evaluate the response rate. After some testing, some techniques are found ineffective and never get used again. This one’s different.
The new spam wave was detected two days ago by BitDefender antispam analysts and has already been added to the spam signature base. BitDefender users are guarded from this type of aggravation.
Starting last year and up to today, there have been a few exposed cases of spammers using Google page ad links in HTML-formatted emails to redirect users who clicked the URL to bad sites, usually containing both spam and infected software, for example:
http://www.google.com/pagead/iclk?sa=l&ai=MfeNYS&num=123456&adurl=http://www.infectedsite.com
Many considered a scenario where Google page ads were used to conceal the actual URL and avoid detection by traditional anti-spam techniques. However, it seems one can change the linked URL to point to any site of one's choice, especially since no validation appears to be done on Google's end.
A malicious user could also point the Google page ad link at executable files (.exe, .pif, .scr etc.), and some malware authors have started doing this; such a link will redirect to and download the malware without any problems or warnings. Although Google is very strict about the kind of file attachments one can upload/download via their Gmail service, anyone can craft a URL that looks like it belongs to Google (=safe?) and point it at any software executable file. Here is a simple and safe demonstration:
http://www.google.com/pagead/iclk?sa=l&ai=MfeNYS&num=123456&adurl=http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/10.2.0.023/Shockwave_Installer_Slim.exe
Clicking this link will download Shockwave Player from Adobe Download Center.
Google is probably aware of this redirect abuse by now, and it's hard to understand why they don't prevent these redirects from working for known bad file types or for spam and infected/hacked malware sites.
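As an added example that is not part of the original article, the PHP below shows the kind of link check a mail filter or gateway could run over every `<a href>` in an HTML message to catch both cases described on this page: the AdWords phishing message whose visible link text claims `https://adwords.google.com` while the real href goes to an http:// .cn site, and the `google.com/pagead/iclk` redirect whose `adurl` parameter sends the click somewhere else, possibly to an executable. The function names (`unwrap_google_redirect()`, `classify_link()` and helpers), the extension list and the sample links are assumptions of this example; the `adurl` parameter and the `/pagead/iclk` path are taken from the URLs quoted above.

```php
<?php
// Added example (not code from the original article): classify a hyperlink from an email
// by unwrapping Google pagead redirects and comparing the visible text with the real target.

const EXECUTABLE_EXTENSIONS = ['exe', 'pif', 'scr', 'com', 'bat', 'cmd', 'msi'];

// Lower-cased host part of a URL, or null when it has none.
function link_host(string $url): ?string
{
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// If $url is a Google pagead redirect, return the destination it forwards to;
// otherwise return the URL unchanged.
function unwrap_google_redirect(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'], $parts['path'], $parts['query'])) {
        return $url;
    }
    $host = strtolower($parts['host']);
    $isGoogle = $host === 'google.com' || substr($host, -11) === '.google.com';
    if (!$isGoogle || $parts['path'] !== '/pagead/iclk') {
        return $url;
    }
    parse_str($parts['query'], $q);
    return isset($q['adurl']) && is_string($q['adurl']) ? $q['adurl'] : $url;
}

// True when the path of the final URL ends in a Windows-executable extension.
function is_executable_target(string $url): bool
{
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        return false;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, EXECUTABLE_EXTENSIONS, true);
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function classify_link(string $href, string $anchorText): array
{
    $findings = [];
    $final = unwrap_google_redirect($href);
    if ($final !== $href) {
        $findings[] = 'google-redirect-to:' . (link_host($final) ?? '?');
    }
    if (is_executable_target($final)) {
        $findings[] = 'executable-download';
    }

    // Visible text that looks like a URL but disagrees with where the href really goes.
    $shown = trim($anchorText);
    if (preg_match('#^https?://#i', $shown)) {
        $shownHost = link_host($shown);
        $realHost  = link_host($final);
        if ($shownHost !== null && $realHost !== null && $shownHost !== $realHost) {
            $findings[] = 'host-mismatch:' . $shownHost . '->' . $realHost;
        }
        if (stripos($shown, 'https://') === 0 && stripos($final, 'http://') === 0) {
            $findings[] = 'https-downgrade';
        }
    }
    return $findings;
}

// Constructed samples modelled on the messages described above (not real campaign data):
$samples = [
    ['http://www.google.com/pagead/iclk?sa=l&ai=MfeNYS&num=123456&adurl=http://malware.example/setup.exe', 'Click here'],
    ['http://adwords-login.example.cn/', 'https://adwords.google.com'],
    ['https://adwords.google.com/', 'https://adwords.google.com'],
];
foreach ($samples as [$href, $text]) {
    $verdict = implode(', ', classify_link($href, $text));
    echo $href, ' => ', ($verdict !== '' ? $verdict : 'clean'), PHP_EOL;
}
```

The first sample is flagged twice (redirect to an off-Google host, executable target) even though the link starts with `http://www.google.com/`, which is the point of the passage above: a filter that trusts the visible hostname of a Google redirect without unwrapping `adurl` sees a safe link. The second sample is the AdWords phishing pattern, caught by the mismatch between the displayed host and the real one and by the https-to-http downgrade; the third, a genuine link, produces no findings.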