The very latest, and hopefully very last, high profile site to successfully participate in the recently exposed massive SEO poisoning, is UNICEF's official site. In fact the campaign is so successful, where successful means that each and every poisoned result loads the injected IFRAME using UNICEF.org as a doorway to pharmaceutical spam and scams, that one of the most prolific domains within the IFRAMES (highjar.info) is already returning "Bandwidth Limit Exceeded. The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later" messages.This is the perfect moment to point out that as of yesterday's afternoon the search engines that were indexing the SEO poisoned pages have implemented filters so that the malicious pages no longer appear in their indexes, thereby undermining the critical success factor for this campaign - hijacking search traffic. Case closed? At least for now, and even though the black hat SEO is taken care of the last time I checked, some of the sites originally mentioned, and many others still need to take care of the web application vulnerabilities.
Tracking this campaign in a detailed manner inevitably results in a quality actionable intelligence data, in between the added value out of the historical preservation of evidence. The malicious parties behind this know what they're doing, they've been doing it in the past, and will continue doing it, therefore it's extremely important to document what was going on at a particular moment in time. It's all a matter of perspective, some care about the type of vulnerability exploited, others care who's hosting the rogue security applications and the malware, others want to establish the RBN connection, and others want to know who's behind this. Virtual situational awareness through CYBERINT is what I care about.Let's close the case by assessing UNICEF.org's IFRAME injection state as of yesterday's afternoon. What is highjar.info/error (75.127.104.26) anyway? Before it felt the "UNICEF effect" in terms of traffic, it used to be a "Easy SEO | A Coaching Site For BEGINNING webmasters". And the last time it was active, the injected redirect was forwarding to ravepills.com/?TOPQUALITY (69.50.196.63) and RavePills is what looks like a "legal alternative to Ecstasy" :
"On the other hand, Rave is the safest option available to you without the fear of nasty side-effects or a long time in jail. Rave gives you the same buzz that the illegal ones do but without any proven side-effects. It's absolutely non-addictive & is legal to possess in every country. Rave gives you the freedom to carry it anywhere you go as it also comes in a mini-pack of 10 capsules."
IFRAMES injected within UNICEF.org :
highjar.info (75.127.104.26)
viagrabest.info (81.222.139.184)
pharmacytop.net (216.98.148.6)
grabest.info
Now that the entire campaign received the necessary attention and raised awareness on its impact, let's move onto the next one(s), shall we?
No comments:
Post a Comment