Posts Tagged ‘Google’

Websense Security Labs Threatseeker network has detected a Black Hat SEO attack on a domain that belongs to the United Nations Environment Programme (UNEP). The domain appears to be compromised by a number of medical-spam-related URLs, most of which are compromised sites themselves. As you can see from the screenshots below, unless you view the source code of the Web page, it is almost impossible to tell that the page has been modified.

The sub-domain in question is the Sustainable Energy Finance Initiative (SEFI) site – sefi.unep.org. SEFI is a division of UNEP and provides support and tools to financiers in regards to the use of clean energy technologies.

Like most Black Hat SEO attacks on compromised sites, the site tends to look perfectly fine, and there is no indication that the site has been compromised.

However, further analysis of the source code reveals that the entire Black Hat SEO block is appended to the end of the HTML code. Also notice that the block is styled as hidden, and that the height and width governing the size of the displayed content are set to zero.

Trawling through a chunk of the appended code, you can see the use of drug names such as ‘viagra’ and ‘levitra’. These keywords are there to earn the page a better search engine ranking.
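One way to spot the kind of injected block described above, as an added example that is not code from Websense or from this post: a small Python scanner that collects text inside hidden or zero-size elements and any text appended after `</html>`, then checks it for the pharma keywords. The sample page, the spam term list and the `example.invalid` links are constructed for the example.

```python
import re
from html.parser import HTMLParser

SPAM_TERMS = ("viagra", "levitra")  # the terms quoted in the post; extend for your environment
# Inline styles that hide a block or collapse it to zero size, as described above.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:height|width)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # these never have a closing tag

class HiddenBlockFinder(HTMLParser):
    """Collects text inside hidden elements and any text that follows </html>."""
    def __init__(self):
        super().__init__()
        self.depth = 0           # nesting depth inside the outermost hidden element
        self.after_html = False  # set once </html> has been seen
        self.hidden_text, self.trailing_text = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        if self.depth:
            self.depth += 1      # any child of a hidden element is hidden too
        elif HIDDEN_STYLE.search(dict(attrs).get("style") or ""):
            self.depth = 1
    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html = True
        if tag not in VOID_TAGS and self.depth:
            self.depth -= 1
    def handle_data(self, data):
        if self.depth:
            self.hidden_text.append(data)
        if self.after_html:
            self.trailing_text.append(data)

def find_seo_spam(page_html):
    """Report spam terms found in hidden or trailing markup and how much text sits there."""
    parser = HiddenBlockFinder()
    parser.feed(page_html)
    parser.close()
    hidden = "".join(parser.hidden_text).lower()
    trailing = "".join(parser.trailing_text).lower()
    terms = sorted(t for t in SPAM_TERMS if t in hidden or t in trailing)
    return {"spam_terms": terms, "hidden_words": len(hidden.split()),
            "after_html_words": len(trailing.split()), "suspicious": bool(terms)}

# Constructed sample: a clean-looking page with a zero-size spam block appended after </html>.
SAMPLE_PAGE = """<html><head><title>Clean energy finance</title></head>
<body><h1>Welcome</h1><p>Tools for financiers.</p></body></html>
<div style="display:none;height:0;width:0"><a href="http://example.invalid/v">cheap viagra
online</a> <a href="http://example.invalid/l">levitra discount</a></div>"""
```

Running `find_seo_spam(SAMPLE_PAGE)` flags both terms and reports that all of the hidden text sits after the closing `</html>` tag, which a visitor's browser never displays.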

Most of the mainstream search engines such as Google know of these tricks and do their best to prevent these attacks, but it does not always work. However, the prevention success rate is higher for well-known search engines compared to the less mainstream ones.

At the time of posting this blog, the Black Hat SEO threat has been removed and the sefi.unep.org Web site is safe for browsing.

A picture says a thousand words, and this time we have a video. Here is a quick video from Internet security firm F-Secure explaining how a poisoned Google Image Search result redirects the user to download malware on Mac OS X.

One of the guys at the North American branch of internet security firm Sophos Labs recently stumbled across some Euros following an overseas trip, and wondered how much they were worth in dollars.

So he did what any of us would probably do. He Googled it.

215 euro to usd

Google very cleverly and kindly tells you what it believes the conversion rate to be, but you’re also given a number of search results:

Euro to USD currency conversion search results

It’s that final search result which is of interest to us. A quick search finds a number of other webpages which don’t just use keywords related to currency conversion, but also other terms – “dirty sexist jokes”, for instance.

Euro to USD currency conversion search results

What is occurring here is SEO poisoning, where bad guys create poisoned webpages related to certain search terms in the hope that you will come across them and infect your computer.

The initial webpage is blocked by Sophos as Mal/SEORed-A. It acts effectively as the doorway to the rest of the attack.

The site delivering the actual malicious payload is also blocked, and Sophos detects the exploit itself as Troj/ExpJS-BP.

Finally, the Java class files pushed by the exploit code are detected as Mal/JavaDldr-B.

China’s biggest search engine, Baidu, was sued on Wednesday by eight New York residents who accused it of conspiring with the country’s government to censor pro-democracy speech, Reuters reported.

The lawsuit claims violations of the U.S. Constitution and according to the plaintiffs’ lawyer is the first of its type.

It was filed more than a year after Google Inc declared it would no longer censor search results in China, and rerouted Internet users to its Hong Kong website.

Baidu did not return a request for a comment.

According to the complaint filed in the U.S. District Court in Manhattan, Baidu acts as an “enforcer” of policies by the ruling Communist Party in censoring such pro-democracy content as references to the 1989 Tiananmen Square military crackdown.

This censorship suppresses the writings and videos of the plaintiffs, who are pro-democracy activists, to the extent that they do not appear in search results, the complaint said.

It also violates laws in the United States because the censorship affects searches here, according to the complaint.

“We allege a private company is acting as the arm and agent of a foreign state to suppress political speech, and permeate U.S. borders to violate the First Amendment,” Stephen Preziosi, the lawyer for the plaintiffs, said in an interview.

Preziosi said the alleged censorship also violates federal and New York civil rights laws, as well as New York’s human rights law, on the grounds that “an Internet search engine is a public accommodation, just like a hotel or restaurant.”

The lawsuit seeks $16 million in damages, or $2 million per plaintiff, but does not seek changes to Baidu’s policies.

“It would be futile to expect Baidu to change,” Preziosi said. The plaintiffs live in the borough of Queens in New York City and on Long Island.

China’s Internet censorship practices are viewed as reflecting its belief that keeping a tight grip on information helps the government maintain control. There have been mounting concerns in China that open dissent on the Internet could contribute to destabilizing the country.

Searches for terms deemed sensitive by Chinese censors are routinely blocked, and search engines such as Baidu voluntarily filter searches.

China also blocks social networking sites Facebook, Flickr, Twitter and Google’s YouTube, and President Hu Jintao has called for additional oversight and “mechanisms to guide online public opinion.”

Google effectively pulled out of China last spring by redirecting inquiries on its main Chinese-language search page to a website in Hong Kong, avoiding direct involvement in any censorship by the “Great Firewall of China.”

Taiwanese security firm AegisLab has found that Android apps published by “zsone” were embedded with malicious code segments. The apps, which include iBook, iCartoon, iGuide, iCalendar, LoveBaby and Sea Ball, contain malicious code that covertly sends text messages to three different premium-rate numbers without the user’s knowledge or approval.

At least 11 Android apps contain malware that is rigged to automatically send text messages from your Google Android smartphone to phone numbers in China.

Currently the malicious behavior observed by AegisLab only works in China, so if you are located in China it is advisable to check your device for any of zsone’s apps.

Below is the list of apps AegisLab found that are published by zsone and are suspicious (iSMS/iLife are not included; still investigating):

iBook
iCartoon
LoveBaby
3D Cube horror terrible
Sea Ball
iCalendar
iMatch 对对碰
Shake Break
ShakeBanger
iMine
iGuide

Recently Juniper Networks released a report indicating that Android-based malware is sprawling, with a 400% increase in just 6 months. While Google controls the ‘kill switch’ to remotely wipe any malicious apps found on Android phones, it still doesn’t have a mechanism like Apple’s App Store to scrutinize apps for malicious code before they land on the Android Marketplace. To restrict the sprawl of such malicious apps, Google needs to take measures to prevent them from being published on the Android Marketplace in the first place, instead of using the kill switch every time a problem is identified.

Researchers at SophosLabs Canada have alerted the world to the first JavaScript fake scanner trying to convince Mac users that their computers are infected by a virus.

This convincing step is especially important on OS X, as users have to install the malware and enter their administrative credentials for the privilege of infecting themselves.

Even worse, the attackers are poisoning search terms and images related to Mother’s Day. Simply searching Google for seemingly innocent content to honor your mum could end up with a malware infection.

When Mac users happen upon a poisoned search result, it pops up a fake anti-virus scanner written in JavaScript that looks just like the OS X Finder application.

OS X fake anti-virus JavaScript popup

Windows users aren’t left out… They get their own fake popup, which we have seen all too often.

Windows fake anti-virus JavaScript popup

“The criminals behind these attacks seem to be using Google’s search auto-complete technology to determine the most popular search terms to poison,” explained Chester Wisniewski, Senior Security Advisor at Sophos Canada.

Julian Assange, the founder of the online activist group Wikileaks, has asserted that US intelligence and law enforcement agencies have established automated intelligence gathering operations on all major social networks and several of the largest internet-based companies, including Facebook.

Assange alleges that the data mining interfaces were implemented with the cooperation of the companies in order to diminish the high costs associated with providing records on an individual basis.

The allegations were levied in an interview with Assange posted by Russia Today:

“Facebook in particular is the most appalling spying machine that has ever been invented. Here we have the world’s most comprehensive database about people, their relationships, their names, their addresses, their locations and the communications with each other, their relatives, all sitting within the United States, all accessible to US intelligence. Facebook, Google, Yahoo – all these major US organizations have built-in interfaces for US intelligence. It’s not a matter of serving a subpoena. They have an interface that they have developed for US intelligence to use,” Assange stated.

Assange’s accusations provide plenty of ammunition for tinfoil-hat conspiracy fanatics, but he stops short of claiming that the social network Facebook is actually a front for covert government domestic spying:

“Now, is it the case that Facebook is actually run by US intelligence? No, it’s not like that. It’s simply that US intelligence is able to bring to bear legal and political pressure on them. And it’s costly for them to hand out records one by one, so they have automated the process. Everyone should understand that when they add their friends to Facebook, they are doing free work for United States intelligence agencies in building this database for them,” Assange continued.

The essential question is whether the data harvesting systems have been established prior to the passage of legislative changes to current wiretapping and surveillance laws.

Law enforcement officials claim that investigations are being stymied by the rapid change in communications platforms which have exceeded their ability to effectively execute search warrants in a timely manner.

The advent of new media like social networks, new communications channels like IM, IRC and VoIP, and new devices like smartphones has rendered current laws governing wiretapping outdated, and officials want lawmakers to narrow the gap by addressing the issue with new legislation.

Assange’s allegations raise the question as to whether law enforcement and intelligence agencies may have established monitoring operations prior to Congressional consideration of the issue.

There are few non-sporting events that draw as much attention from all over the world as the wedding of an heir to the British monarchy. When Prince Charles married Diana, television told the story. For the marriage of Prince William and Kate Middleton, the Internet will not only broadcast the images, it will also allow us to engage in a global conversation in real time.

Until the ceremony takes place on April 29, and for a few days after, you’ll probably see the word “wedding” more often than an avid reader of Jane Austen does. Most of the headlines and links featuring “the wedding” will lead to legitimate sites—but some will invariably lead to a variety of scams and malware. This is true when celebrities die and when disaster strikes, and you can expect the same when Catherine says “I do” to William.

If you’re actively avoiding the wedding, you’ll avoid most of the risks. But for you royal watchers out there, here are a few tips for avoiding digital wedding crashers from F-Secure:

1. Follow the official site, Twitter, Facebook, Flickr and YouTube pages.

These official sources are going to be your safest sources of information. Of course, users can post links in the comments, so avoid links that users post unless you trust the domain being linked.

2. Search for Royal Wedding news using Google and Bing’s News Filters.
Google has recently changed its algorithm to deliver safer, higher quality results. However, during breaking news, rogue sites use the dark arts of search engine optimization to zoom up the search results. This doesn’t happen, however, in Google and Bing’s news sites. Why? The news sites listed there have all been vetted and verified. Click on news, if it is available in your area, and click without worry.

3. Make sure your PC is patched and protected.
Every month, at least, Microsoft, Apple, Adobe and the world’s biggest software makers release updates to their products that plug security holes. These updates are often crucial for your online safety.

Tables have turned in France, where the French privacy watchdog, CNIL, once fined Google £87,000 (the largest fine CNIL has ever handed out) after it accidentally collected personal data while setting up its Street View service.

Even Facebook was forced to overhaul its privacy settings following criticism that they were too complex.

Now, the French government is planning to keep web users’ personal data for a year. The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.

This includes users’ full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded. Police, the fraud office, customs, tax and social security bodies will all have the right of access.

More than 20 firms, including French online video firm Dailymotion, Google and eBay.

The legal challenge has been brought by The French Association of Internet Community Services (ASIC) and relates to government plans to keep web users’ personal data for a year.

In an interview with BBC, ASIC head Benoit Tabaka said that he believes that the data law is unnecessarily draconian. “Several elements are problematic. For instance, there was no consultation with the European Commission. Our companies are based in several European countries. Our activities target many national markets, so it is clear that we need a common approach,” said Tabaka.

ASIC also thinks that passwords should not be collected and warned that retaining them could have security implications.