Posts Tagged ‘search engine poisoning’

Websense Security Labs' ThreatSeeker network has detected a Black Hat SEO attack on a domain that belongs to the United Nations Environment Programme (UNEP). The domain appears to have been compromised and injected with a number of medical-spam URLs, most of which point to compromised sites themselves. As the screenshots below show, unless you view the source code of the Web page, it is almost impossible to tell that the page has been modified.

The sub-domain in question is the Sustainable Energy Finance Initiative (SEFI) site – sefi.unep.org. SEFI is a division of UNEP that provides support and tools to financiers regarding the use of clean energy technologies.

Like most Black Hat SEO attacks on compromised sites, the site looks perfectly fine, and there is no visible indication that it has been compromised.

However, further analysis of the source code reveals that the entire Black Hat SEO block is appended to the end of the HTML code. Notice also that the block is styled as hidden, and that the height and width of the displayed content are set to zero.

Trawling through a chunk of the appended code, you can see the use of drug names such as ‘viagra’ and ‘levitra’. These keywords are there to earn the page a better search engine ranking for those terms.
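To show what the check described above looks like in practice, here is a small added Python scanner (example code, not Websense's) that flags the three signals this post describes in a saved copy of a page: elements styled hidden or zero-sized, pharma keywords and links inside them, and markup appended after the closing </html>. The keyword list, the sample page and the example.invalid URLs are constructed for the example.

```python
import re
from html.parser import HTMLParser
# Drug names from the appended UNEP block plus one more common pharma term (constructed list).
SPAM_TERMS = ("viagra", "levitra", "cialis")
# Inline styles that hide content: display:none, visibility:hidden, or a zero width/height.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)
VOID = {"br", "img", "meta", "link", "input", "hr"}  # tags that never get a closing tag
class HiddenBlockScanner(HTMLParser):
    """Collects text and link targets that sit inside elements styled as hidden."""
    def __init__(self):
        super().__init__()
        self.stack, self.depth = [], 0  # open tags; how many of them are hidden containers
        self.hidden_text, self.hidden_links = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "a" and a.get("href") and (self.depth or hidden):
            self.hidden_links.append(a["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))
            self.depth += hidden
    def handle_endtag(self, tag):
        if tag in VOID:
            return
        while self.stack:  # pop back to the matching open tag, closing any hidden region it opened
            t, hidden = self.stack.pop()
            self.depth -= hidden
            if t == tag:
                break
    def handle_data(self, data):
        if self.depth and data.strip():
            self.hidden_text.append(data.strip())

def scan_html(html):
    """Report hidden spam terms, hidden links, and whether markup follows the closing </html>."""
    p = HiddenBlockScanner()
    p.feed(html)
    blob = " ".join(p.hidden_text + p.hidden_links).lower()
    parts = re.split(r"</html>", html, flags=re.I)
    return {"spam_terms": sorted(t for t in SPAM_TERMS if t in blob),
            "hidden_links": p.hidden_links,
            "trailing_markup": len(parts) > 1 and bool(parts[-1].strip())}

# Constructed sample: a clean page with a hidden pharma block appended after </html>.
SAMPLE = """<html><head><title>SEFI</title></head><body><h1>Sustainable Energy Finance
Initiative</h1><p>Tools for clean energy financiers.</p></body></html>
<div style="display:none; width:0px; height:0px"><a href="http://example.invalid/buy">cheap
viagra</a> <a href="http://example.invalid/lv">levitra online</a></div>"""
```

Running scan_html(SAMPLE) reports both drug names, both hidden links and trailing markup, while a clean page reports none of the three.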

Most of the mainstream search engines such as Google know of these tricks and do their best to prevent these attacks, but it does not always work. However, the prevention success rate is higher for well-known search engines compared to the less mainstream ones.

At the time of posting this blog, the Black Hat SEO threat has been removed and the sefi.unep.org Web site is safe for browsing.

A picture says a thousand words, and this time we’ve got a video. Here is a quick video from Internet security firm F-Secure explaining how a poisoned Google Image Search redirects the user to download malware on Mac OS X.

One of the guys at the North American branch of internet security firm Sophos Labs recently stumbled across some Euros following an overseas trip, and wondered how much they were worth in dollars.

So he did what any of us would probably do. He Googled it.

215 euro to usd

Google very cleverly and kindly tells you what it believes the conversion rate to be, but you’re also given a number of search results:

Euro to USD currency conversion search results

It’s that final search result which is of interest to us. A quick search finds a number of other webpages which don’t just use keywords related to currency conversion, but also other terms – “dirty sexist jokes”, for instance.

Euro to USD currency conversion search results

What is occurring here is SEO poisoning, where bad guys create poisoned webpages related to certain search terms in the hope that you will come across them and infect your computer.

The initial webpage is blocked by Sophos as Mal/SEORed-A. It acts effectively as the doorway to the rest of the attack.

The site delivering the actual malicious payload is also blocked, and Sophos detects the exploit itself as Troj/ExpJS-BP.

Finally, the Java class files pushed by the exploit code are detected as Mal/JavaDldr-B.

Google’s top-trending Anglophone search term right now is, understandably, “osama bin laden dead”.

Google officially describes its hotness (you couldn’t make this stuff up) as volcanic.

According to President Obama’s statement, “On Sunday, a ‘small team’ of Americans raided the compound. After a firefight, they killed Bin Laden. Apparently, DNA tests have confirmed Bin Laden’s identity.”

Now you know the basics – but watch out for the links you’re likely to come across in email or on social networking sites offering you additional coverage of this newsworthy event.

“Many of the links you see will be perfectly legitimate links. But at least some are almost certain to be dodgy links, deliberately distributed to trick you into hostile internet territory. If in doubt, leave it out!” warns Paul Ducklin, Sophos’s Head of Technology, Asia Pacific.

Sometimes, poisoned content is rather obvious. The links in the spam below give the impression of going to a news site:

The links don’t go anywhere of the sort, of course. Wherever you click, you end up finding out how to replace your tired old windows:

But even well-meant searches using your favorite search engine might end in tears. What’s commonly called “Black-Hat Search Engine Optimisation” (BH-SEO) means that cybercrooks can often trick the secret search-ranking algorithms of popular search engines by feeding them fake pages to make their rotten content seem legitimate, and to trick you into visiting pages which have your worst interests at heart.

Well-known topics that have been widely written about for years are hard to poison via BH-SEO. The search engines have a good historical sense of which sites are likely to be genuinely relevant if your interest is searches like “Commonwealth of Australia”, “Canadian Pacific Railway” or “Early history of spam”.

But a search term which is incredibly popular but by its very nature brand new – “Japanese tsunami”, “William and Kate engagement”, “Kate Middleton wedding dress” or, of course “Osama bin Laden dead” – doesn’t give the search engines much historical evidence to go on.

Of course, the search engines want to be known for being highly responsive to new trends – that means more advertising revenue for them, after all – and that means, loosely speaking, that they have to take more of a chance on accuracy.

What can you do to keep safe?

* Don’t blindly trust links you see online, whether in emails, on social networking sites, or from searches. If the URL and the subject matter don’t tie up in some obvious way, give it a miss.

* Use an endpoint security product which offers some sort of web filtering so you get early warning of poisoned content.

* If you go to a site expecting to see information on a specific topic but get redirected somewhere unexpected – to a “click here for a free security scan” page, for instance, or to a survey site, or to a “download this codec program to view the video” dialog – then get out of there at once. Don’t click further. You’re being scammed.

One of the most common ways to propagate malware through social engineering is to piggyback it on an attention-catching news event. Millions of people are scouring the web for the latest updates, as there are just 8 days to go until the big day, the royal wedding of Prince William and Kate Middleton, and that is what scammers are targeting.

The royal wedding is fast becoming a major international event. As modern technology enables people worldwide to follow the young couple and the impending wedding festivities more closely than ever before, this is truly an “e-Royal Wedding!”

A new study from Norton (Symantec) shows people are flocking to follow news of the royal wedding all over the world.

In fact, 62 percent of Americans surveyed said they are likely to follow the British royal wedding, with 32 percent of those already keeping up with royal wedding news at least every few days (some as often as once a day, or even multiple times a day!).

As the big day nears and media attention increases, people will look to online searches and outlets to keep up on all-things “Will & Kate.”

Of respondents, 38 percent will be going online for their royal wedding news; more than a quarter will watch the wedding on a computer, laptop or mobile device, live or after the fact; and 53% will potentially share their thoughts about the wedding online.

Online wedding-followers and well-wishers should be cautioned that this global event will, as other major global events have done previously, attract cybercriminals looking to capitalize on the deluge of online activity.

When searching keywords relating to this event (e.g., “middleton wedding dress idea”) in your search engine, malicious links are among the top results. And the category of malware which sits behind them hardly comes as a surprise – rogue anti-virus apps.

Here is a quick check-list for those royal wedding fans to help them steer clear of cybercriminals:

  • Think before you click – Beware of emails or links that promise “leaked” footage, offer “scandalous” pictures, or purport to have “secret” information. Cybercriminals take advantage of sensational and shocking headlines to get you to click on links that could infect your computer.
  • Go with what you know – While any site could potentially be risky, it’s best to avoid clicking on sites you’ve never heard of that show up in your search results. Stick to the official royal wedding website or go directly to reputable news sites to get the latest news and videos of the wedding.
  • Protect your computer – Use trusted security software on your computer to block threats and make sure you’re keeping it up to date.