Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Target Tsunami Search Results

Posted by Soulskill on from the bandwagon-has-arrived dept.

xsee writes "Only hours after the earthquake and resulting tsunami from Chile, hackers began manipulating search results to direct people seeking information on the event to infected webpages. Exercise caution as to where you get information on this tragedy. Chester Wisniewski describes what happened after he saw a suspicious site listed second on a Google search: 'It appears to be a normal website with information and videos about different Asian tsunamis over the past few years. It is difficult to tell whether this particular page was SEO-optimized, or was an innocent victim of a malicious script. SophosLabs got back to me that this page contains some obfuscated malicious JavaScript that we detect as MAL/ObfJS-R. This script was appended after the normal code on the page.'"

17 of 57 comments (clear)

  1. Sick? by ilovegeorgebush · · Score: 3, Insightful

    Not only do I think this is a little sick on the part of the blackhats, but it does pose some other concerns.

    Firstly, are the media going to pick up on this and if they do, will they spin it as an opportunity to bad-mouth the Web and its communities, as well as encourage talk of "tougher rules" and the like.

    Since this is a JS vulnerability, I'd certainly like to see more discussion and thought around how seriously we take JS integration on the web and how we approach it as a core target for evil-doers to exploit. Could more be done?

    Lastly, how are the web search engines going to react? Could more things like this call for censorship of Google, Yahoo etc; or at least more claims for 'responsibility of the search engines'?

    --
    ilovegeorgebush
    1. Re:Sick? by Anonymous Coward · · Score: 5, Informative

      CNN was actually discussing this in their reporting yesterday. They were very clear about this being done by bad folks, not the web in general, and the things people should look out for. Overall I think they gave it very clear, concise, non-technical coverage that was more than fair.

    2. Re:Sick? by geekmux · · Score: 3, Insightful

      Not only do I think this is a little sick on the part of the blackhats, but it does pose some other concerns.

      No real surprise there. Morality is waaaay down the Blackhat list, well below "money" and "power".

      Firstly, are the media going to pick up on this and if they do, will they spin it as an opportunity to bad-mouth the Web and its communities, as well as encourage talk of "tougher rules" and the like.

      Yes, and it's rather unfortunate that the media has about as much accuracy on the subject as the National Enquirer does reporting fact.

      Since this is a JS vulnerability, I'd certainly like to see more discussion and thought around how seriously we take JS integration on the web and how we approach it as a core target for evil-doers to exploit. Could more be done?

      Never gonna happen. Java/JRE/JS is the holy grail of environments when it comes to cross-OS integration, and it's not like other options (flash) are devoid of their vulns. Besides, it's always a risk/reward for companies, and a company will generally never take Security over Revenue.

      Lastly, how are the web search engines going to react? Could more things like this call for censorship of Google, Yahoo etc; or at least more claims for 'responsibility of the search engines'?

      What you're asking from the search engines would pretty much be the death of them. I'd much rather have products like AVG warn me in search engine results, or rely on better browser protection rather than censor my results.

    3. Re:Sick? by Vellmont · · Score: 4, Informative


      Firstly, are the media going to pick up on this

      I doubt it. Your computer being infected with crap isn't particularly scary.. probably because it happens so often that most people are already familiar with how un-scary (but obviously annoying) it really is. The media picks subjects that are NOT common. Man bites dog, not dog bites man. They'll continue on spreading fear about uncommon events on the internet like sexual predators and stalkers. People fear things they don't know about.

      Since this is a JS vulnerability

      The "javascript vulnerability" just redirects you to a known malware site. Going to a website isn't in itself much of a threat.

      The real vulnerabilities (the ones that can infect your computer) exist in largely Adobe Flash, Microsoft Internet Explorer, somewhat in Adobe PDF Reader, and people just being stupid and running an executable because "the computer" told them to.

      The last item is probably the hardest one to fix, and likely can't be fixed with technology (the authoritarians of the world like Kaspersky want to try to solve this through idiotic internet licensing schemes). The other three most certainly are technology problems, and can be fixed with technology. Adobe and Microsoft aren't too keen on actually fixing the problems however.

      --
      AccountKiller
  2. Disgusting by whisper_jeff · · Score: 2, Insightful

    When criminal greed crosses the line to utter malice, it's a sign that someone needs to encounter some righteous justice. Some people just deserve a beating.

    1. Re:Disgusting by Anonymous Coward · · Score: 2, Insightful

      As annoying as these are, a reasonable combination of browser and security suite, and some common sense, are enough to stop this from getting to be much more than that.

      I find much more disgusting the websites that open up claiming to be for whatever relief aid - when in reality they're largely just sites run by crooks pocketing the money for themselves. Not just because they defraud people, but because they are poisoning the well; any indy site that really does send donations, parts of profits/proceeds of sales, etc. to proper relief aid funds, are met by cynism.

      Even worse are the 'missionaries'.

  3. Color me unsurprised by JustNilt · · Score: 4, Interesting

    I saw clients hit with this behavior after the Michael Jackson hit the news and with each major story since. Each time a tragedy hits I tell my girlfriend virus/spyware cleaning calls are about to pick up a bit for me. Sad but entirely predictable now.

    --
    You know the thing about UDP jokes? I don't care if you get it or not.
    1. Re:Color me unsurprised by Anonymous Coward · · Score: 4, Informative

      It's predictable because it's automated. The technique these guys use is called 'blackhat SEO'. They have automated scripts that pull data from Google's page of search trends and automatically throw these pages up based on the search results for searches for the highest trending keywords. There's not much of a manual process behind it. If you check out the latest search trends and search for those terms, you'll see tons of malware sites showing up. It has nothing to do with what the news event or search term is. This has been going on for a while.

  4. Protection? by commodore64_love · · Score: 2

    How do we protect ourselves from these malicious script websites?
    (Note: I'm using the Opera X 10.10 browser.)

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    1. Re:Protection? by EMG+at+MU · · Score: 2, Informative

      The NoScript plug-in for Firefox.

      Or run your browser in a VM and revert to a clean image each time your done browsing.

      Or disable javascript in Opera, but the web will act a lot different.

    2. Re:Protection? by Spyware23 · · Score: 2, Informative

      Allow javascript -only- on a whitelist basis.

  5. Wake up!!! by jasonq · · Score: 2, Informative

    This is /., right? Can we please STOP calling these FUCKTARDS hackers!!!

  6. Re:Can someone explain this to me by Clover_Kicker · · Score: 4, Funny

    No, but your browser can show fake dialog boxes and try to trick you into downloading and installing an executable.

    Google "hot russian olympic curling chicks" and try a few links, I was looking for a pic to post on another forum and it seems every second google hit has a javascript bomb attached.

  7. Re:Can someone explain this to me by ColdWetDog · · Score: 2, Funny

    I was looking for a pic to post on another forum

    hot russian olympic curling chicks

    Umm, right. Sure. Whatever floats your boat, buddy.

    --
    Faster! Faster! Faster would be better!
  8. Same thing happend with Joannie Rochette by Anonymous Coward · · Score: 2, Insightful

    After Joannie Rochettes short program, I googled it because I missed it. Literally the first 2 pages or so of results were 90% dummy sites with malicious payloads.

    This isn't new at all. EVERY time a popular search pops up, these douchebags try to game the results to get their pages on the first page.

  9. Re:Can someone explain this to me by Clover_Kicker · · Score: 2, Informative

    Looks like someone at google has noticed and is cleaning their search results. Here's one from the images.google search, which now has been "reported as an attack page".

    http://images.google.ca/imgres?imgurl=http://macleans.files.wordpress.com/2009/12/wip091211_02.jpg&imgrefurl=http://piazza.cl/eew.php%3Fq%3Dcheryl-bernard-hot&usg=__C_p_BdyshgstqVmMmo-jrcjNsDM=&h=976&w=800&sz=392&hl=en&start=15&um=1&itbs=1&tbnid=5i1jhMgQhHjIwM:&tbnh=149&tbnw=122&prev=/images%3Fq%3Dhot%2Brussian%2Bolympic%2Bcurling%2Bchicks%26um%3D1%26hl%3Den%26client%3Dfirefox-a%26sa%3DN%26rls%3Dorg.mozilla:en-US:official%26tbs%3Disch:1

  10. allchile.net fighting the spammers by cenc · · Score: 4, Informative

    I operate allchile.net, a forum for expats in Chile that has been operating for a little over 4 years. I am located in Temuco, Chile (about 100 miles south of the worst devastation) and just got my internet connection back a few hours to see all the spammers on google trying to force their way in to the position. Now me and all the other established sites in Chile, with real history and connections to know what is going on in Chile are fighting the Google spammers to try and get people in touch with their missing relatives and get news out to the World about the distaster.

    If you have a web site, and want to help us, link to the real sites about Chile. Even Facebook, twitter, and CNN are in a way in our way. They will be all chatting up the topic for a week or two more, then they will be gone. Our sites will still have to fight back up to the top of Google while trying to assist with the reconstruction.

    My sites and my friends sites (all run by people on the ground in the disaster by the way):
    http://www.allchile.net/
    http://www.allsouthernchile.com/
    http://www.santiagoradio.cl/
    http://www.thepulse.cl/
    http://www.spencerglobal.com/

    --
    Living in Chile