[SecurityRatty] tag: referrer

Monetizing Web Site Defacements

Fri, 13 Jun 2008 07:54:20 +0000

What used to be a harmless web site defacements back in the old school days, is today's ongoing monetization of defaced web sites, a logical development given the consolidation between different underground parties, evidence of which can be seen in the majority of incidents I've been analyzing recently.

The Africa Middle Market Fund' site is the latest example of a web site defacer is abusing the access to the web server to generate and locally host blackhat SEO pages, which when once access only by searching for the keywords and consequently returning 404 if traffic isn't coming from a search engine, redirect to known rogue security software, in this case, the XP antivirus protection (securityscannersite.com) which you must be familiar with if you were following the assessments of the massive IFRAME SEO poisoning attacks that took place during March this year. More about the found :

"The Africa Middle Market Fund is a private capital fund that invests in small and medium sized African businesses who need from $500,000 up to $2 million to grow and succeed to their full potential. We are a "double bottom-line" or "impact investment" fund, meaning that we care equally about financial performance and social benefit. We are for-profit and insist on our investees employing world standards of financial and business management to maximize their chances of success"

Most of the outgoing links from a sample of over 50 blackhat SEO pages at the site point to 23search.org, which is an invitation-only affiliate based network for traffic exchange, connecting different malicious parties together :

"What is this site? This site helps webmasters to earn money with their sites. How it works? Our program generate traffic from search engines and display advertising. What shell I do to start with you? Signup, get php file from member area, put file into your website directory, modify or create .htaccess in the same directory, and receive money!"

The session is then redirected to drivemedirect.com/soft.php?aid=0195&d=3&product=XPA, as well as to drivemedirect.com/soft.php?aid=0263&d=2&product=XPC to ultimately redirect the user to online-xpcleaner.com/2/freescan.php?aid=880263

Moreover, the majority of blackhat SEO campaigns are also starting to apply evasive techniques to make it harder to analyze them. In this particular campaign for instance, only traffic comming from search engines would get the chance to see the SEO page due to the use of document.referrer tags. Here are some sample monitization practices from what I've seen between the lines of recently defaced sites :

- installing web backdoors and reselling the access to phishers, spammers and malware authors who would have full control over the content, and can therefore do whatever they to with the web server

- installing web based spamming tools that later on will be either used directly by the defacers, or access to the tools sold to those interested in using them

- participating in an affiliate based blackhat SEO networks, where revenue coming of the victims who installed the rogue software is shared among the defacer and the affiliate based network, which doesn't really care how and where is all the traffic coming from

- forwarding the responsibility of hosting phishing pages to the legitimate site by hosting them locally in between sending the phishing emails again using the same host

- selling the access by promoting it based on its page rank

Web site defacements in times when traffic suppliers are efficiently coordinating campaigns with traffic seekers, will mature into a tool for providing malicious infrastructure on demand, just like botnets did. Then again, the endless possibilities provided by insecure web applications are already blurring the lines between web site defacements and SQL injections.

Related posts:
Pro-Serbian Hacktivists Attacking Albanian Web Sites
The Rise of Kosovo Defacement Groups
A Commercial Web Site Defacement Tool
Phishing Tactics Evolving
Web Site Defacement Groups Going Phishing

Hacktivism Tensions

Hacktivism Tensions - Israel vs Palestine Cyberwars

Mass Defacement by Turkish Hacktivists

Overperforming Turkish Hacktivists
Blackhat SEO Campaign at The Millennium Challenge Corporation
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam

Blackhat SEO Campaign at The Millennium Challenge Corporation

Tue, 06 May 2008 23:57:19 +0000

Among the very latest victims of a successful blackhat SEO campaign that has managed to inject and locally host 1,370 pharmaceutical pages, is the Millennium Challenge Corporation (mcc.gov) - a United States Government corporation designed to work with some of the poorest countries in the world.

The injected pages are loading remote images from what looks like a secondary compromised site, in this case ttv-bit.nl which is a legitimate Dutch table tennis association. Compared to previous blackhat SEO campaigns that I've assessed in the past taking advantage of redirection only, the layout of the embedded pages in this one is sticking the remotely loading images at the top of the page, and placing the original at the bottom.

The campaign's main URl is ttv-bit.nl/rr/c.php where a redirector is forwarding to canadiandiscountsmeds.com, and these are some of the remotely loading images ttv-bit.nl/rr/s.JPG; ttv-bit.nl/rr/l.JPG; ttv-bit.nl/rr/c.JPG; ttv-bit.nl/rr/v.JPG

Moreover, as in the recent massive SEO poisoning attacks, the referrer is checked, and given that the campaign URL is dedicated to mcc.gov only, only mcc.gov referrers are directed to the spam pages. These blackhat SEO incidents targeting sites with high page ranks, are either the result of the automated process of searching for vulnerable such high page rank-ed sites, or direct abuse of purchased access to the already compromised hosts via web shells or web backdoors.

Related posts:
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam

Who could use some extra cash?

Tue, 04 Mar 2008 09:27:25 +0000

Could you use an extra 2k? How about an extra 5k? Here is the best part, you don't have to do anything illegal and you will actually feel good about doing it! Here at StillSecure we are growing again. We have a number of openings up on our web site under the careers section. Every so often we designate certain jobs as "hot jobs". If you refer someone for one of our regular jobs and they are hired, we pay you a thousand dollars on hiring. If they stay 6 months, we send you the other thousand! If it is one of the hot jobs you get 5k instead of 2k. How do you refer a potential candidate? Easy, just have them send their resume to careers@stillsecure.com with a note saying you are the referrer and your email address, as well as the position they are applying for. Sound easy enough? I think so.

Of course no offer like this is complete without the fine print. So here it is:

Candidates cannot refer themselves and only the first person or agency to refer a candidate that is hired will be compensated. If a candidate is already under consideration at the time of the referral under this program, no compensation will be paid. Referrers must complete a W-9 for tax purposes before compensation can be distributed. This program will run through April 30, 2008 or until all open positions are filled, whichever comes first. Specifically referrals must be provided by April 30, 2008 and referred applicants must be hired by May 31, 2008 to qualify. Don't miss your chance to earn some extra cash!

Just kidding, here are the details:

If you have any questions or concerns regarding this program or our open positions, please contact our HR department at careers@stillsecure.com. StillSecure reserves the right to alter or modify this program at any time by posting changes to its website. Whether a referrer is entitled to compensation shall be within StillSecure's sole discretion and StillSecure's decision will be final.

Who could use some extra cash?

Tue, 04 Mar 2008 08:27:25 +0000

Could you use an extra 2k? How about an extra 5k? Here is the best part, you don't have to do anything illegal and you will actually feel good about doing it! Here at StillSecure we are growing again. We have a number of openings up on our web site under the careers section. Every so often we designate certain jobs as "hot jobs". If you refer someone for one of our regular jobs and they are hired, we pay you half of the money on hiring. If they stay 6 months, we send you the other half! If it is one of the hot jobs you get 5k instead of 2k. How do you refer an potential candidate? Easy, just have them send their resume to careers@stillsecure.com with a note saying you are the referrer and your email address, as well as the position they are applying for. Sound easy enough? I think so.

Of course no offer like this is complete without the fine print. So here it is:

Just kidding, here are the details:

ZDNet Asia and TorrentReactor IFRAME-ed

Tue, 04 Mar 2008 06:15:20 +0000

This currently ongoing malware embedded attack aimed at ZDNet Asia and TorrentReactor is very creative at the strategic level, whereas the IFRAME-ing tactic remains the same. The sites' search engines seem to have been exploited to have the IFRAME injected, not embedded, within the last 24 hours, redirecting to known Russian Business Network's IPs and ex-customers in the face of rogue anti-virus and anti-spyware applications. For the time being, zdnetasia.com has 11,200 cached pages loading the IFRAME, and torrentreactor.net - 29,300 cached pages loading the IFRAME. Even worse, the IFRAME embedded search results hosted on their sites, are appearing between the first ten to twenty search results, thanks to the sites high page ranks. Sample search queries :

jamie presley

mari misato

risa coda

kasumi tokumoto

jill criscuolo

The IFRAME is loading 72.232.39.252/a also responding to themaleks.net. The link itself is loading an obfuscated javascript, which once deobfuscated attempts to load a-n-d-the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2) also responding to ppcan.info, with two more domains sharing nameservers, findhowto.net, searchhowto.net. Ppcan.net has already been assessed by Microsoft's Security Team :

"The advantage gained by faking the Referer field is nullified when pages use client-side cloaking to distinguish between fake and real Referer field data by running a script in the client’s browser to check the document.referrer variable. Example 1 shows a script used by the spam URL naha.org/old/tmp/evans-sara-real-fine-place/index.html. The script checks whether the document.referrer string contains the name of any major search engines. If successful the browser redirects to ppcan.info/mp3re.php and eventually to spam; otherwise, the browser stays at the current doorway page. To defeat the simple client-side cloaking, issuing a query of the form “url:link1” is sufficient. This allows us to fake a click through from a real search engine page."

So the malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP, are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from you're supposed to come, you get a 404 error message, deceptive to the very end of it. Sample redirects upon visiting the IFRAME-ed pages at ZDNet Asia with the right referrer :

xpantivirus2008.com (69.50.173.10)

scanner.spyshredderscanner.com (77.91.229.106)

hot-pornotube-2008.com (206.51.229.67)

porn-tubecodec20.com (195.93.218.43)

Once the junkware inventory is empty, all pages redirect to requestedlinks.com (216.255.185.82). Let's take a peek at the codec :

Scanner results : 11% Scanner (4/36) found malware!

File Size : 85008 byte

MD5 : 6b325c53987c488c89636670a25d5664

SHA1 : c6aeeafffe10e70973a45e5b6af97304ca20b3bd

Fortinet - Suspicious

Norman - Tibs.gen200

Prevx - TROJAN.DOWNLOADER.GEN

Quick Heal - Suspicious - DNAScan

Even more interesting is the fact that literally minutes before posting this, another such campaign got launched at ZDNet Asia, this time having just 24 pages locally cached, and loading another IFRAME to 89.149.243.201/a redirecting to cialis2men.com/product/61 (92.241.162.154).

What is going on, have the sites been compromised, or the attackers are in fact smarter than those who would even bother to scan for remotely exploitable web application vulnerabilities, next to remote file inclusion? ZDNet Asia and TorrentReactor themselves aren't compromised, their SEO practices of locally caching any search queries submitted are abused. Basically, whenever the malicious attacker is feeding the search engine with popular quaries, the sites are caching the search results, so when the malicious party is also searching for the IFRAME in an "loadable state" next to the keyword, it loads. Therefore, relying on the high page ranks of both sites, the probability to have the cached pages with the popular key words easy to find on the major search engines, with the now "creative" combination of the embedded IFRAME, becomes a reality if you even take a modest sample, mostly names.

The bottom line is that ZDNet Asia and TorrentReactor SEO practices of caching the search queriesAnd given that the malicius parties can now easily tweak popular keywords to appear on ZDNet Asia and TorrentReactor's sites, thereby getting a front placement on search engines, they can pretty much shift the SEO campaign to a malware campaign by taking advantage of "event-based social engineering".

Nice Attack Thru Logs!

Fri, 25 Jan 2008 09:00:00 +0000

What if those referrer URLs in your web logs are evil? (SANS ISC entry)

If you review your web logs (web server, for example) and blindly click all referred URL to see who sent traffic to you site, there is a good chance that you'd be 0wned!

Google Spamming Us

Thu, 20 Dec 2007 19:11:11 +0000

You know, we get some really odd traffic. Some of it good, some of it not so much. Let’s take a look at some of Google’s traffic since it’s a slow day. If nothing else it’s good for a laugh. First let’s look at Google trying to hack us - XSS style:

66.249.73.40 - - [26/Nov/2007:01:53:58 +0000] “GET /blog/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1″ 200 55053 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

Not too bad for a robot. How about some totally innane Apache directory structure stuff that couldn’t possibly work?

66.249.73.40 - - [26/Nov/2007:00:46:03 +0000] “GET /bluehat-spring-2007/?C=S;O=A HTTP/1.1″ 200 3681 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

Someone needs to figure out how UTF-7 works:

66.249.73.40 - - [26/Nov/2007:02:25:19 +0000] “GET /s.js+ACIAPgA8-/script+AD4-x HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

Oh don’t we love the Google spam? I really am disheartened that it’s this easy to con Google into spamming websites. As if I don’t get enough referrer spam, Google does one better. *sigh*

66.249.73.40 - - [23/Nov/2007:19:11:23 +0000] “GET /weird/popup.html/Buy-NET.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [09/Dec/2007:07:21:51 +0000] “GET /weird/popup.html/Buy-COM.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [11/Dec/2007:05:24:19 +0000] “GET /weird/popup.html/Buy-MEUK.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [14/Dec/2007:17:48:58 +0000] “GET /weird/popup.html/Buy-INFO.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

Google has a lust for the goatse! Cannot get enough of it!!!!! Seriously, Google. I just don’t have Goatse on my machine. I promise! Granted, I 302 redirect all 404s to the homepage, instead of 301, so that’s my bad, but seriously - there is a reason I might want to do that and still not have goatse on my site. I don’t ever remember having it anyway. Time to give up the obsession, Google!

66.249.73.40 - - [30/Nov/2007:01:04:10 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [07/Dec/2007:19:36:57 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [10/Dec/2007:20:17:00 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [19/Dec/2007:22:58:31 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

More spam anyone? Let’s see here… Google likes Viagra and goatse. I’m seeing a theme here!

66.249.73.40 - - [26/Nov/2007:04:47:00 +0000] “GET /fierce/?ref=SaglikAlani.Com HTTP/1.1″ 304 - “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

And the trackbacks… oh Google, please figure out what a Trackback is and stop spidering it. I swear, no matter how many bazillion times you look at the trackback pages, you’re still not going to find anything useful there. I double cross my heart and swear to die. This is from Nov 18th-Dec 20th (just over one month):

$ grep 66.249.73.40 error_log |grep -c wp-trackback
938

Think how much bandwidth Google uses that is just completely unnecessary. The countless and senseless bandwidth waste-age. I started using Google because it was light on my personal bandwidth - so much for that idea.