Slashdot Mirror


Massive Badware Campaign Targets Google's "Long Tail"

A post by Cyveillance a couple of weeks back revealed a complex black-hat operation involving Google searches leading to hundreds of thousands of bogus blogs, exploiting the "long tail" of search results and isolated from Google's auto-detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, but make aggressive attempts to install a fake Windows anti-virus tool (which is actually a Trojan horse) if clicked through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation, which puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located in Google; some of them have upwards of 1000 posts. This analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords) where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign is active for at least 6 months, webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity. The good news is Google seems to have noticed this problem. Probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."

11 of 88 comments

  1. Yet Another Reason by causality · Score: 3, Informative

    to use anti-tracking measures. For example, the HTTP Referrer sent by my browser always gives the site its own homepage no matter what the actual referrer would have been. I use several other measures as well (such as redirect removers) because Web sites are on a need-to-know basis and I don't recognize their need to know where I've been or how I got to their page. If I visited such a blog from Google, the blog site would not know it and it would look to the site like I just went directly to its page. I use Linux but if I were using a Windows system vulnerable to these exploits, I still would not receive the exploits. There are already abundant reasons not to give away your usage data to anyone who wants it; this just provides one more.

    --
    It is a miracle that curiosity survives formal education. - Einstein
    1. Re:Yet Another Reason by farlukar · Score: 5, Informative

      With the web developer toolbar you can disable referrers.

      --
      Ceci n'est pas une .sig
    2. Re:Yet Another Reason by causality · Score: 5, Informative

      Please, explain. Is this a FF addon, a custom browser, or what? 'cuz AC wants it.

      I use Firefox on Linux with several addons. For the HTTP Referrer, I use an addon called RefControl. I have it set to fake the referrer by default. So if I do a Google search and from the search results decide to click on http://www.someblog.com/blogs/page.html, the Web server does not receive a google.com referrer. The referrer it receives is http://www.someblog.com/. The only exceptions are certain Web sites I do business with, because this fake-referrer behavior can break some shopping carts. That particular add-on lets you specifically exempt certain sites and only those sites.

      In addition to that, I use Adblock Plus with the Element Hiding Helper and the Easyprivacy+Easylist subscription. I also use NoScript and that alone takes care of many Javascript tricks that redirect or obfuscate the actual destination of a link. I also disable so-called "HTTP PING", which can be done in Firefox under "about:config". My /etc/hosts file is 1.5MB, all of which blocks various ad servers by directing them to localhost. My machine will not accept any references to Google Analytics or various other analytics/tracking services. As a side-effect, all of this makes pages load much faster.

      When I use Google or any other search engine, all of the links in the results go directly to the actual site. It is not redirected in any way. Therefore even Google does not know which link I clicked, or whether I clicked any at all. With the measures I mentioned above, the site I visit has no idea that I got there from Google. It looks to the site like I just opened a new browser window and directly typed its URL into the Address bar no matter how I actually got there.

      I've always felt that if your business model relies on getting information about me against my will, then your business model deserves to fail. I'll add too that the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs. The measures I describe above do not provide real computer security -- they provide human privacy. In this case, however, they make it much harder for the sites in question to target you because their "targeting data" is based on first compromising your privacy.

      --
      It is a miracle that curiosity survives formal education. - Einstein
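The referrer-keyed behaviour the summary describes (harmless when visited directly, a redirect to scareware when arriving from a Google search) and the RefControl setting described in the comment above (the referrer becomes the site's own homepage) can both be checked with a small cloaking probe. This is an added example, not code from the story or from any commenter; the fetcher, the blog URL reuse and the scareware landing URL are constructed stand-ins for a real HTTP client and a real compromised page.

```python
from urllib.parse import urlsplit

# Constructed placeholder: where the simulated compromised page sends search visitors.
SCAREWARE_REDIRECT = "http://fake-av-landing.example/scan"


def fake_fetch(url, headers):
    """Stand-in for an HTTP client, simulating a 'long tail' blog page that is
    innocuous when visited directly but redirects visitors whose Referer header
    shows they came from a Google search (constructed behaviour, not a real site)."""
    referer = headers.get("Referer", "")
    host = urlsplit(referer).hostname or ""
    if host == "www.google.com" or host.endswith(".google.com"):
        return {"status": 302, "headers": {"Location": SCAREWARE_REDIRECT}, "body": ""}
    return {"status": 200, "headers": {}, "body": "<html>harmless blog post</html>"}


def referer_variants(url):
    """Referer headers to probe with. 'own_homepage' is what a RefControl-style
    setting sends: the target site's own root instead of the real referrer."""
    parts = urlsplit(url)
    own_home = f"{parts.scheme}://{parts.netloc}/"
    return {
        "direct": {},
        "own_homepage": {"Referer": own_home},
        "google": {"Referer": "https://www.google.com/search?q=test"},
        "bing": {"Referer": "https://www.bing.com/search?q=test"},
    }


def check_referer_cloaking(url, fetch):
    """Fetch url under each Referer variant and compare against the direct visit.
    Any variant whose status, Location or body differs from the direct fetch is
    reported; a page that only changes for a search-engine referrer is exhibiting
    the cloaking pattern a direct crawl of the site would never see."""
    results = {}
    for name, headers in referer_variants(url).items():
        r = fetch(url, headers)
        results[name] = (r["status"], r["headers"].get("Location"), r["body"])
    baseline = results["direct"]
    cloaked = sorted(n for n, v in results.items() if v != baseline)
    return {"cloaked_for": cloaked, "redirects_to": results["google"][1]}


if __name__ == "__main__":
    print(check_referer_cloaking("http://www.someblog.com/blogs/page.html", fake_fetch))
```

With a real HTTP client in place of fake_fetch, the same comparison flags pages that serve different content depending on the claimed referrer.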
    3. Re:Yet Another Reason by Tim+C · Score: 4, Informative

      the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs

      There's no vulnerability in the browser, the issue is that the site displays fake warning messages, tricking the user into downloading and installing their malware.

    4. Re:Yet Another Reason by causality · Score: 3, Interesting

      the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs

      There's no vulnerability in the browser, the issue is that the site displays fake warning messages, tricking the user into downloading and installing their malware.

      I re-read the article and you are absolutely right about this. Thank you for correcting me. This apparently is a social engineering attack and is not the "drive-by download" attempt that I assumed.

      From the article:

      These sites (they act only as redirectors) immediately redirect people further to actual scareware sites (e.g. antivir3 .com, antimalware-3 .com, cyber-scan008.com etc.) which perform a fake test and make people think that their computers are infected (Displaying Windows interface even for Linux and Mac users ;-)). Pretty much the same as what I described a year ago. Just slightly improved interface (the fake warning window is now draggable!). Don't be fooled.

      Playing a little "devil's advocate", I suppose the case could be made that browser windows created by remotely originating Javascript should not be able to create windows that look like locally created warnings. Perhaps the windows Javascript can create should be marked in some way to make it obvious that it's the result of a Web site. Then you would end up with a warning to the effect of "Your system is infected with a virus, oh noes!" with an immutable titlebar that says "This window created by the Web site example.com" which should make the warning less convincing.

      I call that devil's advocate because I don't believe these problems will ever really go away until and unless the average user gets a clue. Titlebars on windows that label the origins of the windows are nice and consistent with full disclosure, but they are no substitute for user education.

      I think it should be explained to average users sort of like this: "there is and for some time has been a class of user that is easily exploited by all the latest scams, adware, and spyware. That class represents the lowest common denominator of user expertise and are targeted because they are the low-hanging fruit, the easiest to fool. The only choice in the matter available to you is whether you will be a member of that class. Your membership in that class is entirely voluntary because no one forces you to remain ignorant or to use what you do not understand. Do you still think that informing yourself, achieving a basic level of competency, and maybe reading a book or two is 'only for experts' or otherwise is such an unreasonable burden?"

      The way I see it, you pay one way or the other. You pay with a little of your time and effort to understand the tools you use each day, how they are supposed to work, and this naturally includes an ability to understand how someone might attempt to use them against you. If you are unwilling to pay that way, then you pay in the form of higher exposure and greater vulnerability to all kinds of malware and scams and other attacks that have become so commonplace today. The attempts to deny the reality of this situation all have one thing in common: they depend on pretending that the individual user is not making a choice when they allow themselves to remain ignorant in the face of abundant information. In other words, they falsely advocate the essential helpless victimhood of people who are not helpless and could choose differently.

      The way I view things, the scammers are just attaching a higher price tag to the poor decision-making that is already systemic in our society. For example, people who accept car loans with a duration of 60 months (and sometimes more) are doing the same thing financially. They look at only the monthly payment and do not account for the total amount that they will end up paying, nor do they account

      --
      It is a miracle that curiosity survives formal education. - Einstein
  2. Long Tail by Kolargol00 · Score: 4, Informative

    The "long tail of search" TFA is referring to is explained in this Wired article and on its author's blog.

    --
    XML is like violence. If it doesn't solve the problem, use more. Junta
  3. Re:Badware? by jDeepbeep · Score: 3, Funny

    When did the word badware appear? Is it because some people couldn't cope with Malware?

    It's not badware. It's goodware-challenged.

  4. Bing! by blackfrancis75 · Score: 3, Funny

    Those guys at Bing have been busy.
    (I know the trojan targets Windows - I say it's a hit they were willing to take)

  5. Re:Bogus blogs and duplicate newsfeeds by causality · Score: 3, Insightful

    Speaking of bogus blogs... What really ticks me off is if I'm searching for an answer to a technical problem, I often find the same message thread on 10 different sites. I wish Google would realize these are all the exact same thread and combine them into a single response.

    No joke. You omitted one part, however. You'll find the same message thread on 10 or more different sites, true. The part I would add is that in each instance, someone is asking the question but no one has responded with a meaningful answer. Sometimes I have better luck excluding terms like "archive" and "mailing list" from the search results.

    I forgot their name but there is a company or two that I would describe as parasites. They try hard to have high visibility in search results when it comes to someone asking questions. When you click the link, however, you find that they want you to pay a fee to see the answer. Usually this is for basic technical support information that is not secret or otherwise proprietary in any way. I bet they had to work really hard to craft their pages in such a way that the Google summary gives no indication that it's a for-pay site. It makes me wonder if they are subsidized in some way or whether enough people really do pay them enough money to stay in business on their own.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  6. Re:Bogus blogs and duplicate newsfeeds by Tanktalus · Score: 4, Funny

    • 75% "naked horny asian gay teen donkey"

    Great. And now those people will be redirected here. On one hand, it is like cleaning up the internet. On the other hand, you'll get all those pervs to come here and leave comments, drastically reducing the signal-to-noise ratio to basically zer... er, nevermind. Carry on.

  7. Filtering out the bottom-feeders. by Animats · Score: 4, Informative

    The big search engines remain too "soft" on bottom-feeders. Google once took a harder line. In 2004 and 2005, Google sponsored the Web Spam Summit. Then they had a down quarter and turned to the dark side. Since then, from 2006 to 2009, they've sponsored the Search Engine Strategies conference, the web spammer's convention.

    Google has to do this to remain profitable. 35% of AdWords advertisers, by domain, are "bottom-feeders" - sites with no identifiable legitimate business behind them. A significant portion of Google's revenue comes from those bottom-feeders, and the AdWords ads on their sites. If Google filtered out all spam blogs, their revenue would decline.

    We, of course, run SiteTruth, as a demo to show that search can have less evil. Try putting some of those "bad" sites into SiteTruth and see how it rates them.

    (We get some whining, of course. "I wanna run ads on my blog and I don't wanna say who I am." Tough. You're operating a business, and businesses, by law, don't get to be anonymous. Even in the EU. Deal with it.)