Massive Badware Campaign Targets Google's "Long Tail"

A post by Cyberveillance a couple of weeks back revealed a complex black-hat operation involving Google searches leading to hundreds of thousands of bogus blogs, exploiting the "long tail" of search results and isolated from Google's auto-detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, but make aggressive attempts to install a fake Windows anti-virus tool (which is actually a Trojan horse) if clicked through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation, which puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located in Google; some of them have upwards of 1000 posts. This analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords) where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign is active for at least 6 months, webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity. The good news is Google seems to have noticed this problem. Probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."

Re:Yet Another Reason

[causality]

the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs

There's no vulnerability in the browser, the issue is that the site displays fake warning messages, tricking the user into downloading and installing their malware.

I re-read the article and you are absolutely right about this. Thank you for correcting me. This apparently is a social engineering attack and is not the "drive-by download" attempt that I assumed.

From the article:

These site (they act only as redirectors) immediately redirect people further to acual scareware sites (e.g. antivir3 .com, antimalware-3 .com, cyber-scan008.com etc.) which perform a fake test and make people think that their computers are infected (Displaying Windows interface even for Linux and Mac users ;-)). Pretty much the same as what I described a year ago. Just slightly improved interface (the fake warning window is now draggable!). Don’t be fooled.

Playing a little "devil's advocate", I suppose the case could be made that browser windows created by remotely originating Javascript should not be able to create windows that look like locally created warnings. Perhaps the windows Javascript can create should be marked in some way to make it obvious that it's the result of a Web site. Then you would end up with a warning to the effect of "Your system is infected with a virus, oh noes!" with an immutable titlebar that says "This window created by the Web site example.com" which should make the warning less convincing.

I call that devil's advocate because I don't believe these problems will ever really go away until and unless the average user gets a clue. Titlebars on windows that label the origins of the windows are nice and consistent with full disclosure, but they are no substitute for user education.

I think it should be explained to average users sort of like this: "there is and for some time has been a class of user that is easily exploited by all the latest scams, adware, and spyware. That class represents the lowest common denominator of user expertise and are targeted because they are the low-hanging fruit, the easiest to fool. The only choice in the matter available to you is whether you will be a member of that class. Your membership in that class is entirely voluntary because no one forces you to remain ignorant or to use what you do not understand. Do you still think that informing yourself, achieving a basic level of competency, and maybe reading a book or two is 'only for experts' or otherwise is such an unreasonable burden?"

The way I see it, you pay one way or the other. You pay with a little of your time and effort to understand the tools you use each day, how they are supposed to work, and this naturally includes an ability to understand how someone might attempt to use them against you. If you are unwilling to pay that way, then you pay in the form of higher exposure and greater vulnerability to all kinds of malware and scams and other attacks that have become so commonplace today. The attempts to deny the reality of this situation all have one thing in common: they depend on pretending that the individual user is not making a choice when they allow themselves to remain ignorant in the face of abundant information. In other words, they falsely advocate the essential helpless victimhood of people who are not helpless and could choose differently.

The way I view things, the scammers are just attaching a higher price tag to the poor decision-making that is already systemic in our society. For example, people who accept car loans with a duration of 60 months (and sometimes more) are doing the same thing financially. They look at only the monthly payment and do not account for the total amount that they will end up paying, nor do they account