Archive for the ‘Security’ Category

SEO Poisoning: Hijacking Miss Universe 2010

August 25th, 2010

Today we expand on our previous post, which described SEO poisoning. Hackers are using this relatively new technique with a vengeance to lure users into visiting malicious websites.

SEO poisoning is a method by which hackers get a malicious link or URL indexed by a search engine. When users search for terms that match the context of the malicious link, unsuspecting web surfers are shown malicious results which divert them to harmful websites that can attempt ID theft, install malware, or worse. SEO poisoning is definitely a growing trend and is becoming a vector of choice for hackers.

How Does It Happen?
A malicious hacker will try to find a vulnerability in the website (XSS and SQLi, for example) or in the hosting infrastructure which allows upload of malicious code or modification of the behavior of the web application. Once this is achieved, the hacker can insert malicious URLs into the web page, which will then be indexed by search engines such as Google.

Hackers can also compromise a website using trojans or spyware installed on the local computers which are used to make FTP connections to the website. This has been the case with the “Gumblar” variety of attacks, the Media-Temple attacks and the generic “Fake Anti-Virus” attacks, all of which have been escalating in the past few months. Some of the websites involved with the Fake Anti-Virus attacks link to x3y.ru, a3h.ru, before-life.ru, snoreflash.ru and many more.

Analysis
The screen shot below illustrates a recent instance of hackers using popular keywords from Google search trends to exploit unsuspecting users. In this particular example, the search query was most likely extracted from Google Trends.

Miss Universe 2010 search results being SEO poisoned

We can see that search results for Miss Universe 2010 tickets have been SEO poisoned by malicious hackers. The query results clearly show URLs which redirect users to Fake Anti-Virus websites. Unfortunately, not all of these URLs were blacklisted by Google, leading users to visit an unsafe website with no warning whatsoever.

Combating SEO Poisoning
Hackers now have access to point-and-click SEO poisoning toolkits, some of which are increasingly sophisticated.

The basic steps that these toolkits perform are detailed below:

  • Find unsecured websites.
  • Exploit vulnerabilities and install the entire toolkit (similar to Beef).
  • Scrape Google trends, or contact Command and Control servers to find hot search topics.
  • Use Google or another search engine to download legitimate content associated with the search terms, copy the content to malicious pages, which GoogleBot then indexes when it visits the infected site.
  • Search engines direct users to fake Anti-Virus or infected sites.

This problem is growing every day. It is an attractive attack vector for malicious individuals, and hence continues to be exploited often. We will be keeping a close eye on trends related to SEO poisoning.

Till next time…

Is Posterous’ Posting Policy Secure?

July 14th, 2010

Services like Posterous have changed the way Internet users post information about themselves, their likes, and their dislikes. Posterous follows a very simple model.

A user simply needs to send an email to post@posterous.com; they can attach files, such as music that they like, and post them to their personal page. It’s very easy to use. You can literally create your own page with a single email. Posterous has already chalked up thousands of avid users.

Motivation
The goal of this article is to highlight how a service like Posterous needs to harden itself against misuse by malicious individuals and groups. We will be exploring some of the potential loopholes of the Posterous model. We will not be discussing or revealing any exploit code.

Exploring this facet of services like Posterous helps uncover the various attack surfaces that malicious entities can use to compromise such an excellent service. Through this exercise, perhaps we can help services like Posterous improve upon their existing architecture.

Methodology
We will use the following metrics to determine the safety of Posterous’s current service.

  1. Can we post with an email where the originating server IP does not match the sender’s domain?
  2. Can we post a malicious link (hyperlink)?
  3. Can we post a malicious iframe?
  4. Can we post a malicious script?
  5. Can we post a malicious binary?

Before we proceed, we will outline how the experiment was set up. A new account was set up using an email sent to Posterous (by new account, we mean a new blog post, not a registered user account).

Once the blog post was created, we analyzed it to see if the content in the outgoing email to Posterous was actually present in the blog post. If the content was in the post, we analyzed it to see whether it had been modified. The experiment was conducted on Friday, July 9, 2010.

Analysis
Now we will describe the results of some of the tests that we conducted.

  1. Can we post with an email where the originating server IP does not match the sender’s domain? Yes
  2. Can we post a malicious link (hyperlink)? Yes and No
    • For unregistered accounts, it seems that a hyperlink is prefaced with http://emailusername-kb3zz.posterous.com/ so a malicious link will not be triggered.
    • For registered accounts, it seems you can put up links without this prefix. We have confirmed posting of malicious links with examples from Malware Patrol, Google’s Safe Browsing List and others.
    • Update: Gary Tan from Posterous let us know that they are using link pre-filtering and will be expanding their capabilities by incorporating more lists. This is good to hear.
  3. Can we post a malicious iframe? Yes
    In fact, an iframe can be posted from non-registered mode. This is a mechanism that a bad guy might try to exploit (screenshot attached below; of course, it’s a benign iframe).

    • Update: Gary Tan from Posterous let us know that they prevent iframe posts from taking up the full page by sanitizing size attributes, mitigating the main problem with iframes.
  4. Can we post a malicious script? No
    Posterous scrubs scripts attached to the email and does not let them post to the blog. It remains to be seen, though, whether any malicious encoding would allow a script to get through.
  5. Can we post a malicious binary? Not tested

Note: No malicious content (iframes, scripts, binaries) was ever uploaded to the blog during testing.
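The content policy the findings above describe, as an added example (not Posterous’ code): script elements are scrubbed together with their bodies, iframe size attributes are sanitized so a frame cannot take over the page, link targets are pre-filtered against a blocklist, and in unregistered mode every link is rewritten under the post’s own domain. MAX_FRAME, BLOCKED_HOSTS, the quoting of rewritten links and SAMPLE_BODY are constructed assumptions; only the kb3zz prefix is taken from the post.

```python
"""Email-to-blog content policy modelled on the Posterous findings above.

Added example, not Posterous' code. MAX_FRAME, BLOCKED_HOSTS, the exact way a
link is rewritten under the blog's own domain, and SAMPLE_BODY are constructed.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlparse

MAX_FRAME = 300                   # constructed cap on iframe width/height (px)
BLOCKED_HOSTS = {"bad.example"}   # constructed stand-in for a malware URL feed
VOID_TAGS = {"br", "hr", "img"}   # elements that take no closing tag
PREFIX = "http://emailusername-kb3zz.posterous.com/"   # prefix observed in the post


def _render(tag, attrs):
    parts = [tag]
    for name, value in attrs.items():
        parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
    return "<" + " ".join(parts) + ">"


def _clamp(value):
    """Pixel size no larger than MAX_FRAME; percentages, blanks and junk are capped."""
    return str(min(int(value), MAX_FRAME)) if value and value.isdigit() else str(MAX_FRAME)


class PostPolicy(HTMLParser):
    def __init__(self, prefix, registered):
        super().__init__(convert_charrefs=True)
        self.prefix, self.registered = prefix, registered
        self.out, self.dropped, self._in_script = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":               # scrub the script element and everything inside it
            self._in_script += 1
            self.dropped.append("<script>")
            return
        if self._in_script:
            return
        attrs = dict(attrs)
        if tag == "iframe":               # keep the frame, but never at full-page size
            for dim in ("width", "height"):
                attrs[dim] = _clamp(attrs.get(dim))
        if tag == "a" and attrs.get("href"):
            href = attrs["href"]
            host = (urlparse(href).hostname or "").lower()
            if host in BLOCKED_HOSTS:     # link pre-filtering against the blocklist
                self.dropped.append(href)
                attrs["href"] = "#"
            elif not self.registered:     # unregistered posts: route the link via the blog's own domain
                attrs["href"] = self.prefix + quote(href, safe="")
        self.out.append(_render(tag, attrs))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = max(0, self._in_script - 1)
            return
        if not self._in_script and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(escape(data))  # re-escape text; charrefs were decoded on input


def sanitize_post(body, prefix, registered):
    """Apply the policy to an email body; returns (safe_html, list of dropped items)."""
    policy = PostPolicy(prefix, registered)
    policy.feed(body)
    policy.close()
    return "".join(policy.out), policy.dropped


SAMPLE_BODY = (   # constructed email body as it might arrive at post@posterous.com
    '<p>Hi! <script>void 0</script>'
    '<a href="http://bad.example/x">bad link</a> '
    '<a href="http://good.example/">good link</a>'
    '<iframe src="http://frame.example/" width="100%" height="3000"></iframe></p>'
)
```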

Conclusions
We have seen that there are some attack vectors which malicious entities could employ against services like Posterous as a tool to spread malware: primarily, the use of iframes and malicious links.

Even if Posterous begins to pre-filter links, as we have shown in a previous article (Analyzing URL Shorteners), these services are a thorn in the side of security policies. Unfortunately, as each new service like Posterous comes to life on the Internet, so do new attack vectors for malicious entities.

Till next time…

Update: Gary Tan from Posterous was kind enough to swiftly reply back to our questions and provide good information (Monday, July 12, 2010). Our findings have been updated appropriately.

YouTube Hit with HTML Injection Attack

July 4th, 2010

YouTube is reported to have been hit by hackers. They have exploited a loophole in the way YouTube lets users post comments. More information can be found in the Google Support Forum and on Slashdot.

Analysis
It seems that when someone places a piece of JavaScript in the comment section, beginning with the <script> tag, YouTube’s comment sanitization policy correctly escapes the <script> tag itself. Unfortunately, the data which follows this tag is not removed, but is displayed on the screen. This allows a clever hacker to inject HTML directly into the page, modifying the page itself and allowing all types of security issues.
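The failure described above, reconstructed as an added example (not YouTube’s code): a naive sanitizer that escapes only the `<script>` tag and lets everything after it through, beside the hardened version that escapes every HTML metacharacter because a comment is text, never markup. SAMPLE_COMMENT is constructed and benign; it only shows which markup survives each policy.

```python
"""Escaping the <script> tag alone does not neutralise a comment.

Added example, not YouTube's code. SAMPLE_COMMENT is a constructed, benign input.
"""
import html
import re

# Opening or closing <script ...> tag, any case.
SCRIPT_TAG = re.compile(r"</?\s*script\b[^>]*>", re.IGNORECASE)
# Any sequence a browser would still parse as the start of a tag.
LIVE_TAG = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)")


def naive_sanitize(comment):
    """Blocklist approach: only the <script> tag is escaped.

    This is the failure mode described above: the tag is rendered harmless,
    but every other tag in the comment is emitted as live HTML.
    """
    return SCRIPT_TAG.sub(lambda m: html.escape(m.group(0)), comment)


def hardened_sanitize(comment):
    """Output encoding: escape &, <, >, " and ' so nothing can open a tag or attribute."""
    return html.escape(comment, quote=True)


def surviving_tags(fragment):
    """Tag names a browser would still parse in the sanitized output (empty is the goal)."""
    return sorted({name.lower() for name in LIVE_TAG.findall(fragment)})


def renders_as(fragment, original):
    """True if the browser shows the original comment verbatim as text."""
    return html.unescape(fragment) == original


SAMPLE_COMMENT = (  # constructed test input
    "Nice video! <script>void 0</script><b>bold text</b><marquee>scrolling text</marquee>"
)
```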

This incident highlights the impact of security issues like Cross Site Scripting (XSS). These vulnerabilities should not be treated lightly, since a Web Application Firewall (WAF) cannot protect you from new attacks like this one. WAFs can only protect you from what they already know.

About stopthehacker.com
At stopthehacker.com, we work hard to help you combat attacks by malicious hackers. If you would like to work with us, please drop us an email. You can also visit our services page to find out how we can help you. In fact, you can even sign up for our Free Blacklist Monitoring service!

Analyzing the Google Blacklist, Part 2

June 30th, 2010

Building on our first article in the series, we continue to analyze the Google Safe Browsing List. In this part, we present more detailed statistics about the hashes seen on the blacklist and try to provide insight into what we observe.

Motivation
Understanding the behavior of infected websites is very important. This provides security researchers with strategies to help deal a blow to the bad guys and at the same time, provide website owners and administrators an idea of the current state of website security.

Since the publication of our last article in this series, we have received good feedback from our colleagues in security. We will attempt to incorporate their comments and concerns in this part of the series.

Methodology
We discussed the aim of this experiment and methodology in the last part of this series. We won’t repeat them here, but we encourage you to take a look at our first article in this series if you haven’t already read it!

Analysis
Below we present some graphs which provide more information about the analysis.

  • Websites have a high probability of getting hacked on a Wednesday!
  • Websites have a high probability of getting hacked between 7-8 PM PDT.
  • On Monday websites get hacked most between 11 AM to 12 Noon, PDT
  • On Tuesday websites get hacked most between 9 AM to 10 AM, PDT
  • On Wednesday websites get hacked most between 7 PM to 8 PM, PDT
  • On Thursday websites get hacked most between 10 PM to 11 PM, PDT
  • On Friday websites get hacked most between 11 AM to 12 Noon, PDT
  • On Saturday websites get hacked most between 1 PM to 2 PM, PDT
  • On Sunday websites get hacked most between 11 AM to 12 Noon, PDT

Note: Most hashes which stay on the blacklist (over the 113 day period) seem to get added to the blacklist on Wednesday.

Conclusions
We have presented more interesting statistics regarding the appearance of website hashes on the Google Safe Browsing List. These statistics provide information which website administrators and owners can use to better arm themselves against attackers. We will continue analyzing the dataset to provide more interesting information. If you have any questions, please add a comment.

At stopthehacker.com, we work hard to help you combat malicious hackers. If you would like to work with us, please drop us an email. You can also visit our services page to find out how we can help you; in fact, you can even sign up for free services!

Till next time…

Analyzing the Google Blacklist, Part 1

June 28th, 2010

Google’s efforts to clean up the Internet and provide a useful advisory to Internet users have been very successful. Nearly every modern browser now incorporates Google’s Safe Browsing List information to prevent users from inadvertently visiting malware-infested websites and phishing websites.

Motivation
In this article we will be analyzing the Google malware hash lists that have been published over the past few months in order to answer these important questions:

  • How many websites get blacklisted each day?
  • How many websites manage to get off the blacklist?
  • How soon do websites get off the blacklist?
  • How many never get off the blacklist?

These are practical questions which are often posed by frustrated, sometimes confused and angry website owners, time and time again at help forums, and via our contact page.

Resources
Google has done a good job creating detailed help content describing the process of blacklisting, as well as a group where website owners can ask for help. Additionally there are excellent resources like BadwareBusters where users can find volunteers to help them. We also participate in these groups.

Yet, there is still a demand for getting clear cut answers to some basic questions like the ones detailed above. In this vein we want to provide scientifically sound and statistically significant analysis of freely available information to provide clear answers to these questions. A small FAQ is also available on our site to answer questions from website owners and admins.

Goals
This series of experiments is split into multiple parts. This article presents a first look (part 1) at openly available data. The goal of the experiment is to understand:

  • How many websites get blacklisted each day?
  • How many websites manage to get off the blacklist?
  • How soon do websites get off the blacklist?
  • How many never get off the blacklist?
  • How many websites fall back onto the blacklist?
  • How much time elapses before a website falls back into the blacklist?

Methodology
For the purposes of this experiment, Google malware hash lists were collected from March 3, 2010 to June 1, 2010 (113 days). Malware hash lists were collected every 30 minutes. Each malware hash list contains the information in the Google malware hash specification. All hash lists were parsed and unique hashes were extracted and time stamped, and correlated with the malware hash list version.

Subsequently, an analysis was conducted to answer the questions posed above. At no point was an attempt made to identify a website name from the hashes. Also, note that a single website can have more than one unique hash. For example: “www.abcd.com”, “abcd.com”, and “www.abcd.com/infected/” can all generate different hashes.

Brief Highlights

  • Total number of unique hashes tracked: 688,602.
  • Average number of unique hashes per day (over 113 day period): 6093.
  • 25.8% of hashes never got off the Google blacklist.
    Each one of these unique hashes was deemed infected for over 3 months (greater than 113 days).
  • 43% of hashes were listed exactly once as infected and managed to get off the Google blacklist.
    The average time each of these hashes was blacklisted was 13 days (89 days max).
  • 2% of hashes were blacklisted exactly twice.
    Each one of these hashes was blacklisted, was then removed from the blacklist and then fell back in (the sites were hacked again). These sites remained infected for an average of 19 days (89 days max), and remained clean for an average of 17 days before being hacked again.
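The method behind these highlights, as an added example (not the post’s own tooling): each download of the hash list is reduced to the set of hashes it carries, every hash’s presence across snapshots is turned into listing episodes (first seen until first missing), and the episodes are classified into the three buckets above. The snapshots are constructed, one per day rather than every 30 minutes, and the hashes are labels rather than real MD5 values.

```python
"""Blacklist churn metrics from periodic hash-list snapshots.

Added example, not the post's own tooling. PRESENCE and SNAPSHOTS are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass
class Episode:
    start: int                   # snapshot time at which the hash appeared
    end: Optional[int] = None    # snapshot time at which it was first missing; None = still listed

    def duration(self, now):
        return (self.end if self.end is not None else now) - self.start


def episodes_by_hash(snapshots):
    """snapshots: time-ordered list of (time, set_of_hashes). Returns {hash: [Episode, ...]}."""
    episodes = defaultdict(list)
    previous = set()
    for time, current in snapshots:
        for h in current - previous:      # inserted since the last snapshot
            episodes[h].append(Episode(start=time))
        for h in previous - current:      # purged since the last snapshot
            episodes[h][-1].end = time
        previous = current
    return episodes


def churn_report(snapshots):
    """Summarise listing behaviour the way the Part 1 highlights do."""
    episodes = episodes_by_hash(snapshots)
    now = snapshots[-1][0]
    never_off = [h for h, runs in episodes.items() if len(runs) == 1 and runs[0].end is None]
    once = [h for h, runs in episodes.items() if len(runs) == 1 and runs[0].end is not None]
    twice = [h for h, runs in episodes.items() if len(runs) == 2]
    total = len(episodes)

    def pct(group):
        return round(100.0 * len(group) / total, 1)

    return {
        "unique_hashes": total,
        "never_removed_pct": pct(never_off),
        "listed_once_pct": pct(once),
        "listed_once_avg_days": mean(episodes[h][0].duration(now) for h in once) if once else 0,
        "listed_twice_pct": pct(twice),
        # repeat offenders: time on the list per episode, and the clean gap between the two episodes
        "listed_twice_avg_listed_days": mean(e.duration(now) for h in twice for e in episodes[h]) if twice else 0,
        "listed_twice_avg_clean_days": mean(episodes[h][1].start - episodes[h][0].end for h in twice) if twice else 0,
    }


# Constructed data: which daily snapshots (day 0 .. 10) list each hash.
PRESENCE = {
    "hash_never_removed": set(range(0, 11)),
    "hash_listed_once_a": {1, 2, 3},
    "hash_listed_once_b": {0, 1, 2, 3, 4},
    "hash_repeat_offender": {0, 1, 5, 6, 7},
}
SNAPSHOTS = [(day, {h for h, days in PRESENCE.items() if day in days}) for day in range(11)]
```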

Analysis
It is clear from these initial results that a very large number of websites, nearly one quarter of the 6000 hashes added per day, never make it off the Google blacklist. There are a number of reasons for this. One is that most webmasters, who may be good at website design and layout, may not have the technical skills required to clean websites infected by malware and code injection attacks. We have also met website owners who are extremely business savvy but lack the technical expertise to recover from a blacklisting event. The income lost due to business interruption in these cases is considerable.

We see that 43% of websites which get blacklisted manage to make it off the blacklist, but these websites suffer for an average period of 13 days.

Some websites manage to get off the blacklist and then fall in again. The average time for these “repeat offenders” on the blacklist is larger than the previous case. The time for which these “repeat offenders” stay clean is not very high, an average of just 17 days.

Conclusion
These numbers clearly show the current sorry state of website security. It is unfortunate that thousands of websites are affected every day. At stopthehacker.com, we strive to help combat this trend. These issues need to be addressed by services that currently are not readily available to the masses. To address this vacuum in the service space, and to disrupt the security market, stopthehacker.com provides its advanced Health Monitoring and Vulnerability Assessment services for website owners. Our services take away the anguish which business owners face when their websites are attacked. Please visit our services page to find out how we can help you. In fact, you can even sign up for free services.

Further detailed analysis will be presented in the second part of this series. We will show detailed analysis of the data and will provide more insight on the implications of these observations.

Stay tuned for Part 2!

American Express Website Leaks Sensitive Documents

June 7th, 2010

This morning, a close friend of mine pointed me to some interesting documents on the American Express website. These documents seem to be leaking sensitive information including detailed activity for a corporate purchasing card.

The documents clearly show the amounts, the specific merchants, the dates and places where each transaction was made, and more. The documents include a complete Microsoft Office Excel breakdown of the charges, with account numbers and other details. These documents were not password protected or on a protected website; they were completely in the open, with no authorization needed.

We notified American Express of these details via their online contact form (which is available after you log into their system) on June 7th, 2010, at approximately 9:17 AM PDT. The files were still available on the American Express website as of June 7th, 2010, at 9:28 AM PDT.

We’re curious if these are fake documents deliberately put out on the site. If they are, it would be interesting to know why they have chosen to do so.

We hope someone at American Express will take notice of this important issue. As previously mentioned, American Express was contacted prior to this posting. (Edit: See the reply from American Express below.)

Misconfigured Log Files: A Treasure Trove of Email Addresses

May 12th, 2010

Most websites and services today use some kind of framework based on modern languages such as PHP, Ruby, Python and others. This has allowed many individuals to host arguably complex websites. This is a good thing, except that many website owners do not pay sufficient attention to the security of the software packages they run and do not harden the default, out-of-the-box configurations.

More importantly, some webmasters are not even aware of the various misconfigurations which may leak sensitive information about their website and customers over the web.

Overview

This article is written to raise awareness among webmasters of misconfigurations in the domains they manage, so that more of them will pay attention. From our interaction with webmasters, we understand that they are already bogged down with many maintenance duties. However, the fact remains that misconfiguration errors, when left unaddressed, can spew important information into the hands of malicious persons.

An Example

Consider a website that we analyzed a few days ago, the URL looked like this:
hxxp://www.[scrubbed].net/forms/[scrubbed]/[scrubbed]/simple.log

This particular page was listing all email addresses that were registered on the website. These registrations may have been the result of user requests to be put on a weekly newsletter of some sort. The page listed 623 email addresses, including addresses belonging to .mil, @gmail.com and @yahoo.com domains and more. The server was running Apache/1.3.41.

Conclusion

Though this incident may not have caused direct harm to the website, it is definitely undesirable to have an email address list lying out in the open. It only serves as fodder for spam bots and for malicious persons to launch social engineering attacks.

In conclusion, webmasters, please do not leave your software installations in their default settings, and do pay attention to misconfiguration and other errors.

Why Did My PageRank Go Down? – SEO Poisoning

May 10th, 2010

Search engines like Google drive the majority of traffic to websites. Therefore, it is important for webmasters to appear high on search rankings and prominently in search results. To this effect, website owners often spend large sums of money on Search Engine Optimization (SEO) strategies: using the right keywords, getting linked to by popular sites, getting a dialogue about the website going on good forums and much more.

Overview

The popularity, relevance and importance of a website, which determine where in the search rankings it should appear, can simplistically be thought of as represented by one magic number: the Google PageRank. This article is not about how to calculate, improve or tune your Google PageRank.

This article will discuss how a hacker can break into your site, without you knowing and reduce your Google PageRank, thereby making your website plummet from the top rankings in search engines, making your business lose money and visibility.

An Example

On May 7th, 2010, we reviewed a compromise of one of many sites we scan on a daily basis. This site was attacked by a hacker who had exploited a vulnerability in the web application used to host the website. Once the hacker had identified the specific vulnerability, which was WordPress based, he injected spam links into the source code of the pages on the site.

All the spam links are neatly placed after the main body of the legitimate HTML, and the injected block even starts with a comment tag, “<!-- google -->”!
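A detector for the pattern just described, as an added example (not the post’s own scanner): it records every anchor that appears after the closing `</html>` tag or after a `<!-- google -->` marker comment, then tallies the external hosts those links point to, so a webmaster can see at a glance that a block of off-site links has been appended and where it leads. SAMPLE_PAGE, MARKER_ONLY_PAGE and the example.* hosts are constructed.

```python
"""Flag spam links injected after the legitimate document.

Added example, not the post's own scanner. The sample pages are constructed.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Comment text that introduced the injected block in the case above.
MARKER_COMMENTS = {"google"}


class TrailingLinkFinder(HTMLParser):
    """Collect anchors that appear where no legitimate content should be."""

    def __init__(self):
        super().__init__()
        self.after_html = False        # </html> seen: nothing after it is part of the real page
        self.after_marker = False      # a marker comment seen
        self.suspicious = []           # list of (reason, href)

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html = True

    def handle_comment(self, data):
        if data.strip().lower() in MARKER_COMMENTS:
            self.after_marker = True

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if not href:
            return
        if self.after_html:
            self.suspicious.append(("after </html>", href))
        elif self.after_marker:
            self.suspicious.append(("after marker comment", href))


def find_injected_links(page_html, own_host):
    """Return (suspicious links, {external_host: count}) for one page."""
    finder = TrailingLinkFinder()
    finder.feed(page_html)
    finder.close()
    hosts = Counter()
    for _, href in finder.suspicious:
        host = (urlparse(href).hostname or "").lower()
        if host and host != own_host.lower():
            hosts[host] += 1
    return finder.suspicious, dict(hosts.most_common())


# Constructed page: legitimate content, then an injected block after </html>.
SAMPLE_PAGE = """<html><body>
<p>Welcome to <a href="http://mysite.example/about">our site</a>.</p>
</body></html>
<!-- google -->
<div>
<a href="http://spam-one.example/pills">cheap pills</a>
<a href="http://spam-one.example/more">more pills</a>
<a href="http://spam-two.example/loans">loans</a>
</div>"""

# Constructed page where the block sits inside <body> but still follows the marker comment.
MARKER_ONLY_PAGE = ('<html><body><p>Hello.</p><!-- google -->'
                    '<a href="http://spam-two.example/">offer</a></body></html>')
```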

Conclusion

The effect of this spam link injection was that the PageRank of the legitimate site was potentially reduced, since many links on the website now pointed to spam or malicious pages. This could result in lower positioning in search results as displayed on various search engines. This is yet another case where webmasters and administrators, who are already overloaded with many tasks, were either unaware of or could not pay attention to the security breach.

At stopthehacker.com we are always available to help. If you have suffered from a breach of this kind and would like to share your experience, please contact us.

Hackers Understand the Value of Backups

May 4th, 2010

Hackers have been trying new tricks to obfuscate their malicious code and sneak it surreptitiously into benign websites. This trend is ever increasing, as websites are now the weakest link in the entire malware chain. Hackers discover vulnerabilities in websites, exploit them to inject malicious code and voila – you have at your disposal a “trusted” website: lots of web surfers will drop by and in turn get infected with the hacker’s malicious code. This vicious cycle of malware has become a very attractive modus operandi for the dark figures of the Internet.

Overview

This post will show an example of a trend about which we first blogged a few months ago. We will concentrate on the way hackers use “backup-sources” to infect visitors to a compromised website. If this does not make sense yet, hold on for just a few seconds more.

Quite recently we blogged about how hackers are using benign and useful JavaScript hosted locally on accounts managed by the website owner/admin to spread malware. Hackers have injected malicious code right into useful snippets of JavaScript which do everything from displaying menu buttons, drop down choices and much much more. Take a look at our previous findings: here.

An Example

Every day we find websites which are infected with malicious code which follows the same principles. In fact, we now monitor over 1 million websites!

Website name: ipac-bd.org
Time of latest scan: 15:33:10 PDT on 2010/05/03

In this example, the website was hosting JavaScript which had been compromised by a hacker. The hacker had inserted various script elements at the very end of the benign JavaScript being used by the website. It’s likely that the website owner never saw this coming, and probably did not realize what was going on until he was blacklisted.

The “Backup” Strategy

Take a look at the example below: clearly the hacker used multiple websites which he has compromised as the “loading point” for the malicious payload injected as part of the benign JavaScript. It’s almost funny when one realizes the number of websites this hacker has used as backups for his malicious code.

In this example the hacker has used 30 different infected websites to try and load his malicious code. The frequency distribution of the infectious websites which the hacker has used to distribute his malware is presented below. It seems that hackers understand the concept of a “backup strategy” well. An interesting point to probe further would be to understand why the frequency distribution of the infected sites is the way it is.

Frequency distribution of infected websites used in the transmission of malware.

Is User Trust More Effective Than Blacklisting?

April 6th, 2010

Blacklists are published by many security groups and organizations around the world to share knowledge about malicious websites, IP addresses and other indicators, allowing others to insulate themselves from the dark side of the Internet.

In recent years, the number of blacklists being published by web-centric organizations has grown by leaps and bounds. Large Internet-based companies such as Google, Yahoo and Microsoft have been providing cues to their users about malicious websites in an effort to make the Internet a safer place. Google provides much more in-depth information than the other two, Yahoo and Bing, and seems to have sophisticated virtual-machine-based analysis tools which can detect misbehaving malicious code. Yahoo employs McAfee’s SearchScan service, while Bing potentially uses Microsoft-specific technologies.

Experiment Goal

The aim of this experiment is to compare the coverage for each of the blacklists published by Google, Yahoo and Bing and compare them to what users in the Internet believe. To do this we will compare the results of Google, Yahoo, Bing and Malware Patrol with Web of Trust (WOT). Furthermore, we have also tried to see how many of these malicious URLs are also involved in Phishing. We have done this by looking up each URL/domain via Phishtank’s API.

Blacklists provide an easy mechanism for users (via browsers) and developers (via APIs) to assimilate security information about websites, IPs and such in order to make an informed decision about whether to allow or deny access to an IP or website.

Methodology

We collected 1095 confirmed malicious links from MalwareURL. Each of these links was tested to determine if it is listed on the blacklists supplied by Google, Yahoo and Bing. Note that Yahoo and Bing, unlike Google, do not provide any direct APIs to probe their databases. Therefore each link, and its associated domain, was pushed via an HTTP request to Yahoo and Bing to analyze whether the results indicated that the domain/link was infected.

To determine if a website is present in the Google malware blacklist, the domain name along with the link and its variations, as defined here, are converted to MD5 hashes and checked using Google’s Safe Browsing API. For Malware Patrol, the aggressive version of their blacklist is downloaded and comparisons are made locally. For WOT, we employ their XML based API to gather information about the belief of users in the Internet. For Phishtank we have used their XML based API. The tests were conducted on Mar 22 2010.
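The hashing step of this methodology, as an added example (not the post’s own tooling); it also explains the Part 1 remark that www.abcd.com, abcd.com and www.abcd.com/infected/ produce different hashes, because the client hashes a set of host-suffix / path-prefix expressions of each URL and matches any of them against the downloaded list. The expression rules used here are my reading of the Safe Browsing API v2 developer documentation (exact host plus up to four suffixes of its last five labels; exact path with and without query, “/” and up to three further leading directory prefixes); the post links its own definition, which is not reproduced here. The URL is assumed to be canonicalized already, MD5 is used because that is what the 2010 list carried, and BLACKLIST is constructed.

```python
"""Lookup expressions and MD5 hashes for a URL, as used to probe the Safe Browsing list.

Added example, not the post's own tooling. The suffix/prefix rules are taken from my
reading of the Safe Browsing API v2 documentation; input URLs are assumed canonicalized.
"""
import hashlib
import re
from urllib.parse import urlsplit

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def host_suffixes(host):
    """Exact host, then suffixes of its last five labels, never the bare TLD."""
    host = host.lower().rstrip(".")
    if IPV4.match(host):
        return [host]                      # IP literals get no suffix variants
    out = [host]
    tail = host.split(".")[-5:]
    for i in range(len(tail) - 1):
        candidate = ".".join(tail[i:])
        if candidate not in out:
            out.append(candidate)
    return out


def path_prefixes(path, query):
    """Exact path with query, exact path, '/', then up to three leading directory prefixes."""
    out = [f"{path}?{query}"] if query else []
    out.append(path)
    components = [c for c in path.split("/") if c]
    if not path.endswith("/"):
        components = components[:-1]       # the final component is a file, not a directory
    prefixes = ["/"]
    for c in components[:3]:
        prefixes.append(prefixes[-1] + c + "/")
    for p in prefixes:
        if p not in out:
            out.append(p)
    return out


def lookup_expressions(url):
    """Every host/path combination the client must hash for one URL."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return [h + p for h in host_suffixes(parts.hostname or "") for p in path_prefixes(path, parts.query)]


def expression_hashes(url):
    """{expression: md5 hex digest} for a URL."""
    return {e: hashlib.md5(e.encode("utf-8")).hexdigest() for e in lookup_expressions(url)}


def is_listed(url, blacklist):
    """True if any expression hash of the URL is on the downloaded list (a set of hex digests)."""
    return any(digest in blacklist for digest in expression_hashes(url).values())


# Constructed list: only the bare domain expression "abcd.com/" is blacklisted.
BLACKLIST = {hashlib.md5(b"abcd.com/").hexdigest()}
```

Because the bare domain is one of the expressions derived from every deeper URL on that host, the constructed listing of `abcd.com/` also flags `www.abcd.com/infected/`, which is how one site ends up behind several distinct hashes.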

Popular blacklists cover only a minuscule percentage of malicious sites.

Highlights

  • Google marked 0.18% of the URLs as unsafe.
  • Yahoo marked 1.0% of the URLs as unsafe.
  • Bing marked 0.09% of the URLs as unsafe.
  • Malware Patrol marked 0.63% of the URLs as unsafe.
  • Phishtank marked 0% of the URLs as unsafe.
  • WOT marked 99% of URLs as unsafe.

Note: 1095 unique, malicious URLs were tested with each service.

Observations

Interestingly, Web Of Trust (WOT) marked 99% of the URLs with “poor”, “very poor” or “unsatisfactory” reputation. We assume that when users see such a rating they will not visit the website in question, and hence we treat this kind of rating as unsafe for the purposes of this test. It remains to be determined whether WOT uses a data feed from MalwareURL, the source we used to prime the test set. Nonetheless, it is surprising to see that a company which specializes in collating the trust and opinions of web surfers performs orders of magnitude better than large Internet companies and established blacklist providers.

One must keep in mind though that Google’s approach to maintaining an ever changing blacklist is slightly different from the other actors in the game. Google publishes an updated version of its list every 30 minutes or so and specifies which MD5 hashes need to be purged and which ones need to be inserted. Some blacklist services do not take this approach and hence may claim to store information on millions of sites, which were infected at one point in time. The probability of this happening in the Google blacklist is low, because they have opened up a review process via their webmaster central area to update their blacklist.

In contrast, Bing and Yahoo do not provide public APIs for developers and applications to use.

Also, we see that none of the URL/domains were actually listed on Phishtank. It seems that websites which aim to infect users with malware are quite different from the set of sites used for phishing. It does not seem that malware laced websites are also used to commit phishing.

Conclusion

Large Internet companies, some of whom have published effective blacklists used by many developers and applications all over the world, still have a long way to go in order to become truly effective. As we have seen, only minuscule numbers of malicious websites are identified by the blacklist services. WOT seems to be extremely effective at identifying unsafe websites. It remains to be determined whether the data set used for this test has a large overlap with any of the sources WOT uses to classify websites.

Another interesting result is that it does not seem that websites which aim to infect users with malware are actively involved in phishing campaigns.
