These spammers and scammers are getting rather clever, and very sneaky. This is still epedemic and seems to be happening more and more. It takes a re-write of many of the large sites online..which frankly isn’t going to happen is it?
It just shows once again the spammers will think of all kinds of weird little tricks to get their goods pimped online
Hackers have found a new way to get Google to point to malicious websites with the help of unwitting websites such as TorrentReactor, ZDNet Asia and several other CNET-owned properties.
As a result, more than 101,000 Google search results that appeared to lead to pages of legitimate sites actually directed end users to sites that attempted to install malware.
The hack, which was first documented Wednesday by Netherlands-based researcher Dancho Danchev, takes advantage of the practice by many sites of logging search queries typed into their search boxes and storing them where search engine bots can see them. The terms are then indexed by Google and other search engines and included in the results they return. Exploiting the weakness is as easy as typing popular search terms into a popular website along with the text of an IFRAME that points to a malicious website. Within time, the strings will be included in results returned by Google and others.
Pretty dodgy eh? These ones are straight installing malware too, not even pointing to phishing sites or straight up adverts/porn sites.
This is going for mass infection, possible a part of some large botnet operation.
In the second half of 2007, 51 per cent of sites hosting malware were legitimate destinations that had been compromised, as opposed to sites specifically set up by criminals, according to security firm Finjan. In the case here, neither ZDNet Asia nor TorrentReactor were compromised, although the criminals were clearly taking advantage of their strong page ranking and the trust that many end users have in them.
The injected IFRAME redirects unwitting users to sites associated with the Russian Business Network, F-Secure says. The sites try to install malicious programs with names including XP Antivirus 2008 and Spy Shredder Scanner.
The attackers are also notable for the care they’ve taken to cover their tracks. The malicious sites will only attack users who click on the link as it’s returned from Google or another major search engine. Client-side honeypots or security researchers who merely type the address into a browser will receive an error message indicating the site is unavailable.
Even if the site itself is secure, a small architecture flaw allows things like this to flourish, apparently ZDNet Asia fixed the issue. There are still 100’s of other large sites still effected though.
Source: The Register