McAfee Research Blog

Went Looking for IE Exploits in “Haiti”, Found Something Else

January 17th, 2010
Posted by Craig Schmugar

In my last post I mentioned that the “Operation Aurora” exploit code was public and that we could expect other attacks leveraging the CVE-2010-0249 exploit to emerge. Given the significance of the recent earthquake in Haiti and the slew of phishing sites, email scams, etc., it makes sense that attackers would try to combine an unpatched Internet Explorer vulnerability with Haiti-related web content.

I figured a good place to look for attackers is by Googling the most popular search terms of the day. It’s been a while since I last researched search engine manipulation. As expected, it was quite easy to find high-ranking search results for Haiti-related terms; the vast majority led to rogue antivirus sites, similar to earlier blogs. I did not come across any sites exploiting the recent zero-day IE vulnerability. However, I did come across plenty of Clickjacking, and not just Clickjacking: the attackers have incorporated Google Trends, Digg.com, Blackhat SEO, and Clickfraud as well.

Here’s the apparent flow of the attack:

The attacker finds a hot search term using Google Trends or some other keyword tracking site (and perhaps anticipates term variations):

Next, they create the malicious web page (more below) and submit an entry to Digg.com using the same title, and a description that includes a bunch of relevant terms.  They also Digg the story (+1):

Seemingly the affiliation with Digg.com, the title (taken from Google Trends), and the description help boost the ranking in Google’s search results:

When a user follows the link on Digg.com, they are taken to a generic website enticing them to click on a “Play” icon.

What the user doesn’t see is the content that sits behind the image.  When a user clicks on the image, that click is passed along to an advertisement delivered through Google’s ad network (note the sites in the image below are potential victims here too as they could be charged for “unwanted clicks” on their ads).

This form of Clickfraud can generate money for the attacker.  If this fraud goes unnoticed, the advertiser would likely pay a referral fee to the attacker.
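A defensive check that follows from the overlay described above, added here as an example and not code from the original post: a small Python heuristic that scans a page’s HTML for iframes kept invisible yet positioned over the visible content, which is the layout a decoy “Play” image relies on to hand the click to a hidden ad frame. The sample page and its hostnames are constructed.

```python
# Added example, not code from the original post: flag <iframe> elements that a
# page keeps invisible yet positioned over visible content, the layout used to
# pass a click on a decoy "Play" image through to a hidden ad frame.
from html.parser import HTMLParser

def parse_style(style):
    # 'opacity: 0; position:absolute' -> {'opacity': '0', 'position': 'absolute'}
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out

def is_invisible(style):
    # Fully transparent or hidden, yet still able to receive clicks when overlaid.
    try:
        transparent = float(style.get("opacity", "1")) == 0.0
    except ValueError:
        transparent = False
    return transparent or style.get("visibility") == "hidden"

class OverlayFrameFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.suspicious = []  # src of each iframe that looks like an overlay

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        style = parse_style(attrs.get("style") or "")
        # Out-of-flow positioning is what lets the frame sit on the decoy image.
        if is_invisible(style) and style.get("position") in ("absolute", "fixed"):
            self.suspicious.append(attrs.get("src") or "")

def find_overlay_frames(html):
    finder = OverlayFrameFinder()
    finder.feed(html)
    return finder.suspicious

# Constructed sample: transparent ad frame stacked on a decoy image; the visible embed must not be flagged.
SAMPLE_PAGE = """
<img src="play.png" style="position:absolute; top:0; left:0">
<iframe src="https://ads.example/serve?slot=1"
        style="position:absolute; top:0; left:0; opacity:0; z-index:10"></iframe>
<iframe src="https://video.example/embed" style="width:400px"></iframe>
"""
```

Run `find_overlay_frames` over fetched HTML to triage pages found via poisoned search results; an iframe that is only transparent but left in normal flow is not reported, which keeps false positives down on ordinary embeds.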

The web server shows many search terms seeded this way, including several related to Haiti:

  • haiti-breaking-news
  • haiti-earthquake-damage
  • haiti-earthquake-info
  • haiti-earthquake-relief
  • haiti-earthquake-time
  • haiti-pact-with-the-devil
  • haiti-pat-robertson
  • haiti-relief-effort
  • haiti-support
  • haitian-earthquake-relief
  • haitian-relief-efforts
  • hatia-earthquake-pictures

I should note that this isn’t so much a Haiti-targeted attack, but rather an attack targeted at any popular topic on the web right now.  In fact, they’re poisoning the term “internet security 2010 virus removal”, which exists because web users fell victim to rogue antivirus software, some undoubtedly due to the same type of search engine poisoning.
