Posts Tagged ‘online pharmacy spam’

Popular Websites Host More Spam

March 9th, 2010

Popular Internet websites are a good place to advertise and therefore a target for spammers. Large throngs of visitors who view content on popular sites are the main draw. Spammers use vulnerabilities in message boards and forums to insert spam advertisements.

This “malvertising” damages the reputation of the website in question and opens up a Pandora’s box of security issues if a visitor decides to follow the link in the advertisement. In this short article we try to determine if certain subsets of the most popular 1 million Internet websites are more vulnerable to attack by spammers.

Experiment Goals

  • Where are the spammers targeting their efforts?
  • What kind of websites need to put more effort into stopping spammers?

Methodology

We obtained a list of the top 1 million websites from Alexa. We partitioned the list into 3 equal parts, designated as “top,” “middle” and “low” websites. From each subset, we randomly selected 1000 websites and determined if they were hosting spam advertisements.

To determine whether a site was hosting spam advertisements, we queried Google and other search engines with a list of keywords suggesting pharmacy spam (e.g. “buy Kamagra cheap” and “no prescription needed”). Once a website was found to include spam advertisements, the suspect pages from that website were downloaded to ensure that spam advertisements were indeed present.

Interesting Results

  • The “top” tier was responsible for 9% of sites hosting spam ads.
  • The “middle” tier was responsible for 4% of sites hosting spam ads.
  • The “low” tier was responsible for 3% of sites hosting spam ads.

Conclusion

It is surprising to see that “top” ranking websites were more than twice as likely to have spam advertisements on their web pages as “middle” or “low” ranking websites.

It could be that spammers prefer to concentrate on the most popular sites versus the not-so-popular ones or that popular sites have more discussion/message boards that can be exploited. This question could be the basis of a more in-depth study of this phenomenon.

“Online Pharmacy” Spam Stalks Internet Forums/Boards

January 26th, 2010

Malicious hackers have, for many years, been offering services to unscrupulous individuals and companies for monetary compensation. As email spam advertising everything from medical supplements to cars and lottery tickets has grown, email scrubbers and filters have taken the game up a notch by implementing ever-increasing layers of complexity to cut down on such spam. In turn, hackers have started to focus on advertising spam, such as medication offers and fraudulent scams, by compromising web-based message boards and forums.

Hackers employ two basic techniques:

  • Creating large numbers of users on forums. These accounts are then used to post spam on the message boards.
  • Exploiting Web Application vulnerabilities in the software used to run the forum.

Approximately two weeks ago, Lenny Zeltser, from ISC SANS, posted an informative article about online pharmacy ads popping up on message boards. In this vein we have conducted a limited experiment with about 14,000 websites which contain spam announcing online pharmacies.

The aim of the experiment:

  • What percentage of websites which advertise online pharmacies are message boards and Internet forums?
  • What Web Applications, e.g. CMS packages, are used on the message boards that are compromised?

We believe this will provide us with a rough estimate of how focused hackers are on using message boards and forums on the Internet to advertise spam. From another perspective, it will give us some idea of how vulnerable a website is to abuse by hackers if it hosts a message board or forum.

Testing methodology:

We used Google to mine the websites which contain certain keyword patterns such as “buy zocor online” or “buy brand kamagra online”. Once the links suggested by Google were mined, each of the websites was tested against Google’s Safe Browsing List to determine if it had hosted malware (according to Google). Next, an analysis was done to determine if the link(s) mined from Google pointed to a forum or message board. This was done by identifying the presence of multiple strings inside a link. For example, if a link has the keywords “topic”, “view”, “thread” or similar keywords, including characters associated with dynamic page generation, it is probably hosting a message board or forum.
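The link heuristic described above can be sketched as follows. This is an added example, not the code used in the experiment: the extra keywords “forum” and “board”, the script-extension list, the two-signal threshold and the sample URLs are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# "topic", "view" and "thread" are the post's keywords; "forum" and "board" are assumed.
FORUM_KEYWORDS = ("topic", "view", "thread", "forum", "board")
# Assumed marker of dynamic page generation: a server-side script extension.
SCRIPT_EXT = re.compile(r"\.(php|asp|aspx|cgi|jsp|cfm)$", re.IGNORECASE)

# Constructed sample links on reserved example domains, not data from the experiment.
SAMPLE_URLS = [
    "http://board.example.org/viewtopic.php?t=1234",
    "http://forum.example.net/showthread.php?tid=99",
    "http://shop.example.com/products/view/17",
    "http://example.net/index.php?page=about",
    "http://viewpoint.example/news/2010/01/",
]

def forum_signals(url):
    """Return the set of forum indicators found in the path and query of a link."""
    parts = urlsplit(url)
    # The host is ignored so that a name like "viewpoint.example" does not count.
    haystack = (parts.path + "?" + parts.query).lower()
    signals = {kw for kw in FORUM_KEYWORDS if kw in haystack}
    if "=" in parts.query:
        signals.add("query-params")
    if SCRIPT_EXT.search(parts.path):
        signals.add("script-ext")
    return signals

def looks_like_forum(url, min_signals=2):
    """Multiple indicators are required, at least one of them a keyword."""
    signals = forum_signals(url)
    return bool(signals & set(FORUM_KEYWORDS)) and len(signals) >= min_signals

def forum_share(urls):
    """Fraction of distinct hosts with at least one forum-looking link."""
    by_host = {}
    for url in urls:
        host = urlsplit(url).hostname
        by_host[host] = by_host.get(host, False) or looks_like_forum(url)
    return sum(by_host.values()) / len(by_host) if by_host else 0.0

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(looks_like_forum(url), sorted(forum_signals(url)), url)
    print("forum share:", forum_share(SAMPLE_URLS))
```

Requiring a keyword in addition to the dynamic-page markers keeps an ordinary `index.php?page=about` link from being counted, while a lone “view” in a shop URL is also rejected.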

The test was conducted between January 21st and January 23rd, 2010.

Popular software packages installed on compromised forums and message boards.


We present the most interesting results below:

  • 47.9% of websites displaying “online pharmacy” spam are message boards and forums.
  • None of the websites advertising “online pharmacy” spam were listed on Google Safe Browsing List.
  • 20.28% of forums displaying “online pharmacy” spam were using jQuery.
  • 15.73% of forums displaying “online pharmacy” spam were using phpBB.
  • 11.54% of forums displaying “online pharmacy” spam were using WordPress.
  • 10.84% of forums displaying “online pharmacy” spam were using MooTools.

These results, along with other software packages, helper scripts and tracking code, are depicted in the graph presented above.

This small experiment shows that a high percentage of websites displaying online spam campaigns are message boards or forums. This indicates that there are many unsecured software installations and older software packages still in use which are often exploited by malicious individuals to post spam. Further, it seems that most sites which were hacked are using jQuery. This supports our previous observations regarding jQuery scripts being used to push malware to unsuspecting visitors.
