Scammers use Ford to drive users to scareware sites Scareware scammers are trying to game search engines into promoting crudware sites when a surfer searches for information on Ford cars. Attacks of this type, themed around events such as the recent tragic death of actress Natasha Richardson, are becoming increasingly commonplace. However, attacks themed around a single well- …
I have seen adwords for xp antivirus on websites, so i am aware of the idiots paying to promote there shit.
But the search engines simply have to do something about it, poisioning the results for ford, to promote spyware and other crap simply means the search engine needs someone to kick the programmers up the arse, and to employ a few more to scan it better. Machines can find tons, but humans are still the best catchall.
Plus in this economic times, im sure people would prefer one of the best engines to have the scrap stuff gone.
We've been seeing more and more hits from crap like this from users who AREN'T installing some codec they've been prompted to install, or run some scan window that popped up. It's vicious stuff turning off the AV alerting system and getting deep enough into the PC so you can't clean it up. Usually seem to be coming from otherwise legitimate sites as well. I think the blackhats have gotten smarter about how they poison things. I think they are targeting ad servers and poisoning some small percentage of the ads to redirect to sites that use automated installers to infect the systems.
.... consider this.
The average IQ is 100. If yours is 130, then someone else out there has an IQ of 70 = thick.
For a quick summary, go here:
http://www.iqcomparisonsite.com/IQBasics.aspx
So we then move on to the first rules of marketing web 2.0 [V1.3 (Nigeria)]
1. Never under-estimate the stupidity of your punters.
2. Exploit said stupidity.
People fall for scams. It's a fact and you will never change it.
So, dear reader, if you really care about your profession, recognise the reality, do not be a smart-arse finger-pointer and just do your best to protect the vulnerable (and thereby, maybe, your job).
Google put an API tracking all of the things people are currently searching for, online, and make it's interfaces programmable, and queries, to it, automatic. Bad guys then write a script that asks the API what most people are searching for, at the moment, and install that on all the compromised sites they have under their command. Bingo: whatever's popular, becomes today's attack vector.
There's someting quite 'Web 2.0' about it all, actally, since it not only relies upon The Frivolousness of Crowds, to drive it in the first place, but it also, by definition, targets the more ignorant and potentially gullible people in the target group, since those most likely to get caught out by the process are A) those who don't, for instance, know what Higgs Excitation might have had to do with Crossbows, last Tuesday (and immediately turn to Google, in order to find out), and B) don't first check whether what is claiming to be a wikipedia entry, about the subject, is actually hosted on wikipedia, before clicking on the link.
Also, the more desperate the crowd becomes, to find out what Higgs Excitation has to do with crossbows, the more spurious the search results that Google returns, become, and so the users themselves become ever more specific, about the search criteria they put in, to try and find out, and so the poisoned websites thus appear to become ever more exactly-suited to their needs. Perfect! Also, because the process is completely automated and self-defining, it even allows for the bad guys to be considerably more stupid than the people they're targeting.
This is yet another example of why MS should have disabled, by default, the option for a browser to run "codec" installers and other similar browser features. If a user is advanced enough to find the setting, since we know MS is so good at burying settings they want to keep away from the average John and Jane Doe, then the odds go up that the user who has found and enabled such setting knows better not to arbitrarily install a suspicious codec.
We can't blame the users, nor should we be concerned about the poisoned search engine hits, because in it's default mode any modern browser's settings should pose no option for the user to run the malicious code no matter what website link they click on.
That idea may seem less convenient at any one moment, but so is locking your automobile doors in theft prone areas but it becomes routine and the least of the things a user learns to do. What's even more inconvenient is all the extra precautions we have to take just because a browser lets a mere click or two to do something harmful and persistent to the software environment.
In short, keep users safe and defeatured until they know their way around the 'net and where the risks are.
"Usually seem to be coming from otherwise legitimate sites as well. I think the blackhats have gotten smarter about how they poison things. I think they are targeting ad servers and poisoning some small percentage of the ads to redirect to sites that use automated installers to infect the systems"
That's exactly what they're doing, and we're talking big-name sites. One of my clients has had a few of their users repeatedly infected, sometimes on consecutive days after I've cleaned the systems (yes, I'm 99% sure that the machines were fully clean [only 99% sure because you can never be 100% certain]). What's the commonality? foxnews.com. Yes, I know, it's an oxymoron and we should avoid Fox, but they're not the only ones. I've seen indirect infections from Fox domains (foxnews.com, foxsports,com, etc), cnn.com, mlb.com, nba.com, nfl.com, and nhl.com. In every case, it's coming indirectly from their advertisers. Because they use so many advertisers, it's impossible to tell which one (by viewing a DansGuardian access log).
Specifically sports-related (and loaded indirectly via advertisers on sports-related sites), there are a few supposed statistics domains that redirect you to malware sites. I've seen this on ab-outstat_dot_net, evenmorestats_dot_com, officialstat_dot_com, onlinepromostats_dot_com, onlinestatsmanager_dot_dom, statisticsmanager_dot_com, and statscontroller_dot_net. All of those were redirects from advertisers.
This is why I recommend to all of my clients that they use Firefox with Adblock Plus at the very minimum, preferably with Flashblock and NoScript (though many users either can't figure out how to use those two or don't want to learn how because it makes browsing somewhat inconvenient). I also highly recommend they use a hardware firewall acting as a transparent proxy server, and use DansGuardian to filter web traffic. One of the things I've done is set up DG rules to block regexp URLs to try to cut down on possible infections -- block domains with "antivirus" or "antispyware" followed by a four-digit number (which will catch things like antivirus2009_dot_com), block files with "setup" followed by numbers only, etc. It certainly won't block everything, but it sure has cut down on the service calls due to infections. Of course, I could use the money from those service calls, but I'd rather my clients be protected and happy.
Nowadays it is no longer safe to browse the Internet. You are not guaranteed to remain free from infection simply by avoiding "dodgy" sites. At the rate the black hats are cracking websites and advertisers, no website can be considered completely safe.
This campaign is targeting a number of auto manufacturers. I first became aware of it about a week and a half ago while searching for parts for my Honda del Sol; a large number of Web sites promoting various Honda-centric keywords were redirecting to xp-police-antivirus.com (now defunct) and scanany6.com (still active on burst.net), both of which try to download malware disguised as phony antivirus software.
I've also seen similar malware compaigns targeting Nissan.
Interestingly, one increasingly common tactic these guys use is to create profiles on Web sites ranging from open-source projects to community wikis to video sharing sites, seeding the profiles with various popular keywords, then embedding JavaScript redirectors in the profiles that redirect visitors to the malware site. The lesson in here: Webmasters, *never* allow JavaScript in user profiles or other user-supplied fields!
I mean they must be legit right? They look all Windows XPish and all. Besides, it's fun to see all the Windoze spyware and other bad stuff I apparently have on my computer.
It sort of makes me feel like I fit in with the rest of the slavering masses knowing I might have rampant Windows malware infections, even though I am running Linux.
Then I go back to doing real work and chuckle about what a crapfest the Windows monoculture is.
@Goat Jam
You're not the only one mate I had a pop-up last week that informed me that it was scanning my registry for traces of viruses and malware. Then it said it was scanning my C: drive for trojans.
It claimed to find some and I couldn't have been happier. Considering I haven't got a registry or a C: drive, I knew it was absolutel bollocks from the start but it made me laugh like a drain.
I didn't install the "free download" simply because Windows malware can't (easily) be run on OSX!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
