Massive Badware Campaign Targets Google's "Long Tail"

A post by Cyberveillance a couple of weeks back revealed a complex black-hat operation involving Google searches leading to hundreds of thousands of bogus blogs, exploiting the "long tail" of search results and isolated from Google's auto-detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, but make aggressive attempts to install a fake Windows anti-virus tool (which is actually a Trojan horse) if clicked through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation, which puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located in Google; some of them have upwards of 1000 posts. This analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords) where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign is active for at least 6 months, webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity. The good news is Google seems to have noticed this problem. Probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."

Yet Another Reason

[causality]

to use anti-tracking measures. For example, the HTTP Referrer sent by my browser always gives the site its own homepage no matter what the actual referrer would have been. I use several other measures as well (such as redirect removers) because Web sites are on a need-to-know basis and I don't recognize their need to know where I've been or how I got to their page. If I visited such a blog from Google, the blog site would not know it and it would look to the site like I just went directly to its page. I use Linux but if I were using a Windows system vulnerable to these exploits, I still would not receive the exploits. There are already abundant reasons not to give away your usage data to anyone who wants it; this just provides one more.

Re:Yet Another Reason

[farlukar]

With the web developer toolbar you can disable referrers.

Re:Yet Another Reason

[causality]

Please, explain. Is this a FF addon, a custom browser, or what? 'cuz AC wants it.

I use Firefox on Linux with several addons. For the HTTP Referrer, I use an addon called RefControl. I have it set to fake the referrer by default. So if I do a Google search and from the search results decide to click on http://www.someblog.com/blogs/page.html, the Web server does not receive a google.com referrer. The referrer it receives is http://www.someblog.com/. The only exceptions are certain Web sites I do business with, because this fake-referrer behavior can break some shopping carts. That particular add-on lets you specifically exempt certain sites and only those sites.

In addition to that, I use Adblock Plus with the Element Hiding Helper and the Easyprivacy+Easylist subscription. I also use NoScript and that alone takes care of many Javascript tricks that redirect or obfuscate the actual destination of a link. I also disable so-called "HTTP PING", which can be done in Firefox under "about:config". My /etc/hosts file is 1.5MB, all of which blocks various ad servers by directing them to localhost. My machine will not accept any references to Google Analytics or various other analytics/tracking services. As a side-effect, all of this makes pages load much faster.

When I use Google or any other search engine, all of the links in the results go directly to the actual site. It is not redirected in any way. Therefore even Google does not know which link I clicked, or whether I clicked any at all. With the measures I mentioned above, the site I visit has no idea that I got there from Google. It looks to the site like I just opened a new browser window and directly typed its URL into the Address bar no matter how I actually got there.

I've always felt that if your business model relies on getting information about me against my will, then your business model deserves to fail. I'll add too that the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs. The measures I describe above do not provide real computer security -- they provide human privacy. In this case, however, they make it much harder for the sites in question to target you because their "targeting data" is based on first compromising your privacy.

Re:Yet Another Reason

[causality]

For example, the HTTP Referrer sent by my browser always gives the site its own homepage no matter what the actual referrer would have been

Want that. Is that a released add-on or did you just patch and recompile the source?

I use the FireFox addon RefControl to handle the HTTP Referrer.

Re:Yet Another Reason

[Tim+C]

the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs

There's no vulnerability in the browser, the issue is that the site displays fake warning messages, tricking the user into downloading and installing their malware.

Re:Yet Another Reason

[nabsltd]

Playing a little "devil's advocate", I suppose the case could be made that browser windows created by remotely originating Javascript should not be able to create windows that look like locally created warnings. Perhaps the windows Javascript can create should be marked in some way to make it obvious that it's the result of a Web site.

This is a good idea, but unfortunately dynamic HTML allows the creation of "windows" within the browser, and there really is no way to limit this without seriously destroying page layout.

Sure, these moveable HTML elements are confined to the browser window, but I think that somebody who would believe that a web site has "scanned" a D:\ drive that doesn't exist and found malware wouldn't notice that a window wasn't "outside" the browser.

Long Tail

[Kolargol00]

The "long tail of search" TFA is referring to is explained in this Wired article and on its author's blog.

Filtering out the bottom-feeders.

[Animats]

The big search engines remain too "soft" on bottom-feeders. Google once took a harder line. In 2004 and 2005, Google sponsored the Web Spam Summit. Then they had a down quarter and turned to the dark side. Since then, from 2006 to 2009, they've sponsored the Search Engine Strategies conference, the web spammer's convention.

Google has to do this to remain profitable. 35% of AdWords advertisers, by domain, are "bottom-feeders" - sites with no identifiable legitimate business behind them. A significant portion of Google's revenue comes from those bottom-feeders, and the AdWords ads on their sites. If Google filtered out all spam blogs, their revenue would decline.

We, of course, run SiteTruth, as a demo to show that search can have less evil. Try putting some of those "bad" sites into SiteTruth and see how it rates them.

(We get some whining, of course. "I wanna run ads on my blog and I don't wanna say who I am." Tough. You're operating a business, and businesses, by law, don't get to be anonymous. Even in the EU. Deal with it.)

Re:Bogus blogs and duplicate newsfeeds

For experts-exchange, the answers are at the bottom of the page. Just scroll ALL the way down. Really, try it.