Friday, November 20, 2009

Scareware Taints Chromium OS Searches

Yesterday, Google announced the open source project called Chromium OS, a development phase release of the Google Chrome OS. Blackhats have quickly taken advantage of this announcement, poisoning search results to spread scareware.

Attackers continue to perform Blackhat SEO attacks on Google searches, particularly trending topics. Dangerous results are returned linking the user to Rogue Anti-Virus downloads through a series of scripts and redirects.

The search terms used in this example are "chromium os download", though any combination of terms could return dangerous results. The 5th result in the search below leads to scareware.

Clicking the link takes the user through a series of redirects, ultimately ending up at the distribution point. As with most Rogue AV scams, a fake system scan is performed informing the user their system is virus laden and opening a download to remove the threat.

Even if the user attempts to cancel, the rogue installer starts to download a setup.exe file. The file has low anti-virus detection, as is common with Rogue AV scams and the user is led to believe the download is safe to install.

After a standard installation, the user is now infected with "SecureKeeper". This is a brand new variant first reported by Sunbelt just yesterday. 

After running another fake system scan, the software reports 736 infections and prompts the user to enter a registration key, or purchase the software. Some very scary messages are displayed, warning the user that criminals will gain access to their credit card and personal information.


Warnings will perpetually appear in the system tray, persuading the user to complete the purchase. For just $49.95 USD you can own this piece of malware...

This is a very typical attack that continues to happen all too often. Attackers will regularly change redirect URLs, malware distribution points and final payloads. This allows them to keep PageRank high and evade detection by anti-virus programs and web filters. The sites are further protected by checking the referring site to ensure the infected page can only be accessed from Google search results.

Raising awareness about this type of scam is one of the most effective ways to keep users safe. Other search engines are targeted less by attackers, which may make them safer for the novice user. eSoft tracks attacks on trending topics and is marking any associated sites as malicous.

Tuesday, November 17, 2009

Blackhats Unleash Another Fake Blog Campaign

In September, eSoft reported as many as 720,000 compromised sites hosting fake blog pages and being used to distribute rogue anti-virus programs. Many of these sites are still active and continue to plague searches with malicious results.

Earlier today, Cyveillance issued this report of a nearly identical attack with over 260,000 dangerous URLs prompting the Threat Prevention Team to revisit this threat.

Between the newly reported Cyveillance URLs and additional URLs discovered by the eSoft there are now well over 800,000 active URLs matching this pattern. Surprisingly, Google only detects a small portion of these sites as malicious.

The key to this scheme is javascript uploaded to the compromised server and used in the fake blog pages. The file, css.js, contains obfuscated javascript which redirect users to Rogue AV if the site is accessed through certain search engines.

Using this technique allows the attackers to quickly and easily change distribution points and payloads. The current payloads have low detection rates among AV scanners.

In addition to the URL strings reported by Cyveillance be on the lookout for these additional URL types.

eSoft will continue to flag associated domains into their appropriate security categories, protecting SiteFilter users from falling victim to this attack.

Thursday, November 12, 2009

CoolerEmail Hit by Phishing Scam

CoolerEmail is notifying customers of a new phishing scam used to steal login credentials. The web based email marketing program carries an impressive client list including Walmart, Toyota, Pepsi and dozens of other big name brands. Any phished credentials can be used to impersonate these companies in additional phishing or malicious emails.

If you’ve been victimized by this scam change your password immediately at the CoolerEmail website.

The fraudsters use a classic phishing “hook” and present a very real looking email, complete with company letterhead. The email reports a recent software upgrade and asks users to follow a link in order to confirm their account details.

The disguised link suggests the user will connect directly to the website. However, the link actually connects to – a domain setup by cybercriminals specifically for the phish.

Whois information shows this domain as recently registered and is not in any way affiliated with CoolerEmail.

CoolerEmail has sent out a warning notice to customers and stated that they would never ask for confirmation of account details. Always be wary of emails containing any type of link or asking to update account information. If there is any doubt, contact the sender to verify the legitimacy of the email. 

Thursday, November 5, 2009

Japanese Hosting Site Compromised

The eSoft Threat Prevention Team is today warning users to be wary of sites hosted on, a Japanese hosting site.  At this time, all blogs and other web sites hosted by are compromised and currently being used to boost the Google PageRank of various sites including Japanese pornography sites in a technique sometimes called "PageRank Bombing" and also referred to as "BlackHat SEO."

At a glance, these sites look normal, but at the bottom of the page is a small portion of a box that actually holds around 300 links to questionable and pornographic websites.  The Threat Prevention Team has found thousands of unique links so far.  At any time, the sites could be repurposed to something more dangerous, as could the target pornography websites.

Sample URL associated with the scheme:

eSoft has now flagged thousands of these URLs as "Compromised" and/or "Pornography" as appropriate in order to protect customers and partners who use eSoft's SiteFilter database and block those categories.