Thursday, July 29, 2010

Adobe CS7 Searches Saturated With Dangerous Results

Looking to save a few bucks on software will almost always lead users down a dangerous path. Users either end up at “OEM Software” sites offering unlicensed and illegal software, or download cracks or keygens laced with malware.

One of the big issues here is that these sites are quite easy to find. Google searches for “cheap” or “discount” software show how easy it is to come across these sites. Searches for all kinds of popular software, from MS Office to Adobe CS, bring up dangerous results.

Even searches like ‘Microsoft Windows 7’, which should be filled with Microsoft-related sites and articles, instead include fraudulent OEM sites in the top results. Today, the eSoft Threat Prevention Team is warning users to be especially wary of unreleased software. A major target of these scams is Adobe, who recently released their Creative Suite 5 (CS5) software. However, searches for CS7, a product not yet announced and two versions premature, result in a solid wall of bogus search results leading to scams and malware.

Aside from poisoning search results, the criminal enterprises behind these scams are increasingly using spam to increase their reach. The criminal rings associated with these sites also control infected machines capable of sending millions of spam messages per day, making it very easy to draw users to these sites. Spam messages are sent offering “instant” downloads and huge savings, only leading the user to a full-blown fraud operation.

Rightly suspicious users who are wary of entering their personal information on these sites, or who don’t want to pay for the software at all (aka stealing), may try to find cracks or keygens that let them activate trial versions of the software.

Take the example of the site below. The keygen download on this page is malware that attempts to call home and download further malicious software. The other links on this page lead the user right back to the same OEM software scams.

Each week eSoft finds hundreds of sites and domains related to these OEM scams. It’s important for users to realize that these sites are fraudulent and could potentially be very dangerous. If you are purchasing new software, make sure it is from the vendor itself or a reputable distributor.

Monday, July 19, 2010

Widespread Compromise Impacts Thousands of Legitimate Websites

The eSoft Threat Prevention Team has detected a new widespread compromise, with tens of thousands of domains infected. Cybercriminals have used stolen credentials to place specially crafted pages on legitimate websites that lead visitors to malicious payloads.

The cybercriminals involved in this campaign are primarily targeting pornographic search terms. Poisoned searches involve nude celebrities and porn stars, nudism, sex parties and terms that are much more lewd and inappropriate. Obfuscated JavaScript is used to redirect a visitor to rogue anti-virus and other malicious payloads.

At the time of writing most infected pages lead to the rogue anti-virus scam “Antivirus Plus” as shown below.

Cybercriminals are increasingly infecting legitimate sites rather than creating their own websites. Otherwise honest sites that have been compromised have a much longer lifetime in which to infect visitors and have a better chance of passing undetected through web filtering technologies, infecting a greater number of users. Sites created specifically for malware distribution or malicious intentions can be shut down by the domain registrar or ISP much more quickly than a legitimate site that’s been compromised. With granular URL classifications, eSoft SiteFilter technology is able to detect and block these sites before a user is infected.
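For webmasters who want to check their own pages for the kind of injected, obfuscated JavaScript described above, the following is an added example written for this post; it is not eSoft’s code and does not reproduce the specific code from this campaign. It scores each inline script block against a handful of common obfuscation indicators (eval, unescape, String.fromCharCode, long percent-escaped strings). The two sample pages and the indicator weights are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample pages (not taken from the eSoft report).  The injected page
# carries inline scripts using obfuscation primitives; the decoded payload here is
# a harmless string, only the shape of the code matters to the scanner.
CLEAN_PAGE = """<html><head><title>Our Club</title>
<script src="/js/jquery.min.js"></script></head>
<body><h1>Welcome</h1><p>Meeting notes for July.</p></body></html>"""

INJECTED_PAGE = """<html><head><title>Our Club</title></head>
<body><h1>Welcome</h1>
<script>eval(unescape('%68%65%6c%6c%6f%20%77%6f%72%6c%64' + '%2e%2e'));</script>
<script>var s=String.fromCharCode(104,101,108,108,111);document.write(s);</script>
</body></html>"""

# Inline <script> bodies only; a tag with just a src attribute has an empty body.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# (indicator name, pattern, weight).  Weights are heuristic assumptions: decoding
# primitives score higher than document.write, which legitimate scripts also use.
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\("), 2),
    ("unescape", re.compile(r"\bunescape\s*\("), 2),
    ("fromCharCode", re.compile(r"String\.fromCharCode\s*\("), 2),
    ("document.write", re.compile(r"document\.write\s*\("), 1),
    ("long_percent_escape", re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"), 3),
    ("long_charcode_list", re.compile(r"(?:\d{2,3}\s*,\s*){8,}"), 2),
]


def score_inline_scripts(html: str) -> List[Dict]:
    """Return one finding per inline script: its offset in the page, which
    indicators matched, and the summed weight."""
    findings = []
    for match in SCRIPT_RE.finditer(html):
        body = match.group(1)
        if not body.strip():
            continue  # external script reference, nothing inline to inspect
        hits = [name for name, rx, _ in INDICATORS if rx.search(body)]
        score = sum(weight for name, _, weight in INDICATORS if name in hits)
        findings.append({"offset": match.start(), "score": score, "indicators": hits})
    return findings


def is_suspicious(html: str, threshold: int = 4) -> bool:
    """A page is flagged when any single inline script reaches the threshold.
    The threshold is an assumption; tune it against your own clean pages."""
    return any(f["score"] >= threshold for f in score_inline_scripts(html))


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, is_suspicious(page), score_inline_scripts(page))
```

Run it over a crawl of your own site (for example, the output of wget -r) and review anything flagged by hand; a high score is a prompt to look, not proof of compromise, since minified libraries can trip the same indicators.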

Based on the number of different platforms and web server software that are infected in this specific attack (recognized by the recurring malicious code it uses), it’s most likely the sites were compromised using stolen FTP credentials. For webmasters out there, be sure to keep your FTP passwords secure, and don’t save them in popular FTP programs where they can easily be harvested by attackers. If possible, use SFTP and key-based authentication instead of the less secure FTP protocol. Also avoid passwords that are found in the dictionary or are commonplace or person names (even adding a number to the end will not protect you from a determined brute force attack).
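The password advice above can be turned into a check a webmaster runs before setting a new FTP or SFTP password. The following is an added example, not code from eSoft: it strips the trivial decorations a guessing attack tries first (trailing or leading digits and symbols, leet substitutions, case) and then looks the remaining base word up in a dictionary and a name list, so that “Summer2010” or “P@ssw0rd1” is rejected just as “summer” would be. The word and name lists here are small constructed stand-ins for a real dictionary file, and the 12-character minimum is an assumption.

```python
import re
from typing import List

# Constructed stand-ins for a real dictionary and name list (assumption: in
# practice you would load a wordlist file of thousands of entries).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "football"}
COMMON_NAMES = {"denver", "boulder", "michael", "jessica", "london"}

# Common character substitutions undone before the dictionary lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

DECORATION = r"[\d!@#$%^&*]*"


def base_word(password: str) -> str:
    """Reduce a password to the word an attacker's rule set would recover:
    drop leading/trailing digits and symbols, undo leet, lower-case."""
    core = re.sub(r"^" + DECORATION, "", password)
    core = re.sub(DECORATION + r"$", "", core)
    return core.translate(LEET_MAP).lower()


def weaknesses(password: str, min_length: int = 12) -> List[str]:
    """Return a list of reasons the password is weak; empty means acceptable."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if re.fullmatch(r"\d+", password):
        reasons.append("digits only")
    base = base_word(password)
    if base in DICTIONARY_WORDS:
        reasons.append(f"dictionary word '{base}' with trivial decoration")
    elif base in COMMON_NAMES:
        reasons.append(f"common name '{base}' with trivial decoration")
    return reasons


def is_acceptable(password: str) -> bool:
    return not weaknesses(password)


if __name__ == "__main__":
    for candidate in ("Summer2010", "P@ssw0rd1", "Denver2010!", "quiet-harbor-lantern-43"):
        print(candidate, weaknesses(candidate) or "ok")
```

The checker deliberately does not try to be an entropy estimator; its job is to catch the exact failure mode the post describes, a familiar word dressed up with a number, which length or character-class rules alone would wave through.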

Further details are available for security researchers interested in the specific attack and related code.  Right now, eSoft estimates that the attack affects 3,200 websites.