Tuesday, December 22, 2009

Live.com Exploited as Pharma-Fraud Cover

The FDA crackdown on online pharmacy sites has drawn a lot of attention to illegal and fraudulent online pharmacies, and in particular to their methods for tricking people into visiting their sites. These practices include prolific spam and search engine poisoning.

eSoft’s Threat Prevention Team has noticed that this search engine poisoning now makes heavy use of Microsoft’s Windows Live Spaces, a free blog hosting environment. The spammers register accounts and use them solely to link to the pharma-fraud sites, which raises the search engine ranking of those target sites. Additionally, the spam emails now link to these fake blogs rather than directly to the pharma-fraud site, in an effort to evade spam filters that would otherwise detect the link to the fraudulent website.

The blog page shown here is typical of those seen by the Threat Prevention Team: it consists of a single blog entry with a single image that is linked to a classic “Canadian Pharmacy” website, using a template that eSoft has seen on thousands of websites. eSoft worked with the ThreatChaos blog to shine a light on these sites and provide full details during a major outbreak in May. More details about this threat may be found in that posting.

Similar attacks have been reported recently using Yahoo and Blogger to draw users to fraudulent pharmacy sites. Google Job Spam has also reportedly infiltrated spaces.live.com.

Whatever the distribution method, it’s clear these cybercriminals will stop at nothing and will continue to evolve new ways of advertising their bogus sites. eSoft has excellent detection for pharma-fraud sites and detects thousands of these URLs month after month. Exploited blogs on spaces.live.com are being flagged as ‘Phishing & Fraud’.

Tuesday, December 15, 2009

Boeing 787 Searches Hijacked by Rogue AV

Today, the Boeing 787 Dreamliner jet completed its much-awaited first flight. As users searched for videos and news articles related to the story, blackhats quickly moved in for yet another attack against Google search results.

The most popular search for several hours today was “787 first flight video”. This search and related searches are saturated with malicious results leading to rogue AV and potentially other malicious payloads.

At peak hours, 5 out of the first 9 results led to malicious payloads, with users pushed through a series of redirect pages to different distribution points.

While the distribution points and payloads varied, their effectiveness did not. Most sites were undetected by Google Safe Browsing and the malicious payloads they delivered had very low anti-virus detection rates.

This latest attack is nothing new, but it is shocking how quickly and effectively cybercriminals are able to react to the latest news trends. In this particular attack, the dangerous top results appeared to be compromised sites with existing reputations, which makes detection much more difficult.

Saturday, December 12, 2009

eSoft Uncovers 1.5 Million Sites in SQL Injection Attacks

The eSoft Threat Prevention Team has uncovered an additional 1.5 million sites associated with the newest series of SQL injection attacks. The compromised sites are very dangerous: they silently infect visitors with Trojan.Buzus in the background. The Buzus family of trojans can steal passwords, financial data, and other sensitive information.

Note: Any sites listed below are dangerous and should not be followed without proper protection.

The compromised pages are injected with the same script tag several times, in and around the title and meta tags as well as in other locations. Injected sites in this attack share the fingerprint of an unquoted “script src=http” tag, with the script source varying from site to site.

The list below shows the injected domains used in this attack. The number next to each domain is the number of sites that a Google search found to be injected with that domain.

Each domain hosts the same JavaScript, which uses small or hidden iframes to redirect users to other malicious sites where the final payload is delivered. These domains use the same technique described by ScanSafe last week in the 318x injection. As many as 300,000 sites were reported compromised in that attack. An example is shown below; note that each of the sites in the image is also dangerous, so do not attempt to view the linked sites.

Additionally, the Threat Prevention Team uncovered the related sites below, which use the same type of injection and the same JavaScript iframe technique. The JavaScript shown below is slightly different from that of the first attack, using only two iframes, but it infects users and tracks them with the same method.
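The two fingerprints the post describes (the repeated, unquoted “script src=http” tag near the title and meta tags on a compromised page, and the tiny or hidden iframes in the JavaScript the injected domains serve) can both be checked offline. The following is an added example, not eSoft’s detection code or the attackers’ script; the domain names, page and script samples in it are constructed for illustration. It scans raw text rather than a DOM on purpose, because injected tags often leave the page malformed.

```python
"""Heuristics for the mass SQL injection artifacts described in the post.

1. page_is_injected(): same external host in >= 2 unquoted <script src=http://...>
   tags, at least one within a few hundred bytes of a <title> or <meta> tag.
2. hidden_iframes(): iframes with 0/1-pixel dimensions or display:none /
   visibility:hidden styling, found in raw HTML or in JavaScript that
   document.write()s them (JS-escaped quotes are stripped before parsing).
"""
import re
from urllib.parse import urlparse

# Unquoted src is the tell-tale; real CMS templates almost always quote the attribute.
UNQUOTED_SCRIPT_RE = re.compile(r'<script\s+src=(http://[^\s>"\']+)', re.IGNORECASE)
HEAD_TAG_RE = re.compile(r'<(title|meta)\b', re.IGNORECASE)
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def parse_attrs(attr_text):
    """Parse 'a="1" b=2' into {'a': '1', 'b': '2'} (keys lower-cased)."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def find_injected_scripts(html, window=200):
    """Return (host, near_head_tag) for every unquoted http:// script src."""
    hits = []
    for m in UNQUOTED_SCRIPT_RE.finditer(html):
        host = (urlparse(m.group(1)).hostname or "").lower()
        start, end = max(0, m.start() - window), m.end() + window
        hits.append((host, bool(HEAD_TAG_RE.search(html[start:end]))))
    return hits


def page_is_injected(html, min_repeats=2):
    """Hosts that recur in unquoted script tags, with one next to <title>/<meta>."""
    by_host = {}
    for host, near in find_injected_scripts(html):
        count, near_any = by_host.get(host, (0, False))
        by_host[host] = (count + 1, near_any or near)
    return sorted(h for h, (c, n) in by_host.items() if c >= min_repeats and n)


def _px(value):
    digits = re.sub(r"\D", "", value or "")
    return int(digits) if digits else None


def hidden_iframes(text):
    """src of every iframe that is 0/1 px wide or tall, or hidden via CSS."""
    found = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1).replace("\\", ""))  # drop JS escaping
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = _px(attrs.get("width")) in (0, 1) or _px(attrs.get("height")) in (0, 1)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            found.append(attrs.get("src", ""))
    return found


# Constructed samples (not from the post): an injected page, a clean page, and
# a redirector script of the kind the injected domains were said to host.
INJECTED_PAGE = (
    '<html><head><script src=http://bad-example.test/a.js></script>'
    '<title>Widgets</title><script src=http://bad-example.test/a.js></script>'
    '<meta name="description" content="x"><script src=http://bad-example.test/a.js></script>'
    '</head><body><script src="https://cdn.example.test/lib.js"></script></body></html>'
)
CLEAN_PAGE = (
    '<html><head><title>Widgets</title>'
    '<script src="https://cdn.example.test/lib.js"></script></head></html>'
)
REDIRECTOR_JS = r"""
document.write('<iframe src="http://hop1.example.test/go.php" width=1 height=1 frameborder=0></iframe>');
document.write('<iframe src=\'http://hop2.example.test/x.php\' style=\'display:none\'></iframe>');
document.write('<iframe src="http://ads.example.test/banner" width=300 height=250></iframe>');
"""

if __name__ == "__main__":
    print("injected hosts:", page_is_injected(INJECTED_PAGE))   # ['bad-example.test']
    print("clean page:", page_is_injected(CLEAN_PAGE))            # []
    print("hidden iframes:", hidden_iframes(REDIRECTOR_JS))       # the two hop*.example.test URLs
```

The repeat-count and proximity rules are what keep the page check from firing on a single legitimate script tag; a mass injection writes the same tag into every text column it can reach, which is why it shows up several times around the head. The iframe check is deliberately loose on attribute quoting so it works on the JavaScript as served, before any browser has evaluated it.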

eSoft is adding detection for these attacks and flagging any victimized sites as compromised. Distribution and redirect sites are marked as malicious, protecting users from downloading the final dangerous payload.

Wednesday, December 9, 2009

Fraudsters Deliver Another Round of Federal Reserve Emails

During the last week, the eSoft Threat Prevention Team has detected a number of malicious emails purporting to come from the Federal Reserve Bank. The emails warn the recipient of phishing attacks and instruct the user to follow a link for more detailed information on the threat.

The email appears legitimate, sporting the Federal Reserve emblem and containing a real-looking domain, federalreservebank-oh.com. However, users following the link are exposed to malicious payloads, most recently the Oficla Trojan.

Similar Federal Reserve Bank scams have been around for quite some time and are often used for phishing attacks. Example URLs contained in this newest rash of emails are shown below.


Always be cautious about following links in emails, particularly in unexpected messages. If there is any doubt, contact the sender directly to verify the legitimacy of the message. The Threat Prevention Team is flagging these URLs as malicious, protecting SiteFilter customers from this threat.
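The lure in this campaign is a domain that carries the brand name without belonging to the brand. A mail gateway can triage such links before a user ever sees them: extract the URLs, reduce each host to its registrable domain, and treat a brand name appearing in any other domain as a lookalike. The following is an added example, not eSoft’s SiteFilter logic; it assumes federalreserve.gov as the only legitimate domain (a real deployment would add the Reserve Banks’ own domains), and the sample email body is constructed, with only the federalreservebank-oh.com domain taken from the post.

```python
"""Triage links in a suspected lure email: legitimate, brand-lookalike, or unrelated."""
import re
from urllib.parse import urlparse

# Assumption for this example: the only domain a genuine notice would link to.
LEGITIMATE_DOMAINS = {"federalreserve.gov"}
# Brand fragments that should never appear in a host outside LEGITIMATE_DOMAINS.
BRAND_TOKENS = ("federalreserve", "reservebank")

URL_RE = re.compile(r'https?://[^\s<>"\']+')


def registrable_domain(host):
    """Last two labels. Adequate for .com/.gov; use a public-suffix list for co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    host = urlparse(url).hostname or ""
    if not host:
        return "unparseable"
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    # Squeeze out hyphens/dots so federal-reserve-bank and federalreserve.gov.evil both match.
    squeezed = re.sub(r"[^a-z]", "", host.lower())
    if any(tok in squeezed for tok in BRAND_TOKENS):
        return "brand-lookalike"
    return "unrelated"


def triage_email(body):
    """Return [(url, verdict), ...] for every URL in the message body."""
    urls = [u.rstrip(".,;:)") for u in URL_RE.findall(body)]  # drop trailing punctuation
    return [(u, classify_link(u)) for u in urls]


# Constructed sample body; only the lookalike domain comes from the post.
SAMPLE_EMAIL = """Subject: Phishing alert from the Federal Reserve Bank

We have detected phishing attacks targeting our customers. Read the full
notice at http://federalreservebank-oh.com/ before logging in.
Official guidance: https://www.federalreserve.gov/.
Unsubscribe: http://mail.example.test/unsub?id=1
"""

if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:16} {url}")
```

The subdomain case matters as much as the hyphenated one: federalreserve.gov.example.test has the real domain as its first labels, but its registrable domain is example.test, so the check still lands on “brand-lookalike”. Verdicts of “brand-lookalike” are the ones worth blocking or rewriting outright, since a legitimate sender has no reason to put its brand in someone else’s domain.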