The Un-Official Proxomitron Forum
Malware distributed via search engine sponsored links - Printable Version

+- The Un-Official Proxomitron Forum (https://www.prxbx.com/forums)
+-- Forum: Proxomitron Filters (/forumdisplay.php?fid=38)
+--- Forum: Privacy/Security/Spam (/forumdisplay.php?fid=10)
+--- Thread: Malware distributed via search engine sponsored links (/showthread.php?tid=955)



Malware distributed via search engine sponsored links - elshaddai - May. 01, 2007 12:00 PM

Malware distributed via search engine sponsored links

Posted by Rene Millman at 12:01PM, Monday 30th April 2007
Hackers are turning to sponsored links on search engines, such as Google, to spread malware to unsuspecting users.




Cyber criminals are using Google Adwords to infect unsuspecting users, security researchers have uncovered.

According to security software developer Exploit Prevention Labs's team of researchers, malware is being distributed under the guise of adverts for legitimate, trusted organisations. Instead of connecting to these legitimate sites, users are redirected to malicious sites that attempt to install exploits and other malware.

"We've been watching an interesting puzzle for a couple of weeks now, and last night the last couple of pieces fell into place," said Roger Thompson, chief technical officer at Exploit Prevention Labs. "Since 10 April, our community intelligence network has been finding exploit detections seemingly at household name sites like the Better Business Bureau and cars.com but are actually coming from a place called smarttrack.org masquerading as one of the legit sites."

He said that researchers at the company discovered that one of these rogue links was the number one sponsored link when people entered the phrase BetterBusinessBureau into Google - (link here).

While users eventually get directed to the legitimate site, it takes the unwary user through smarttrack.org, which uses a modified MDAC exploit to try to install a backdoor and a post-logger on the user's system. "The post-logger is specifically targeting about 100 banks from around the world, by injecting extra html into those banks response pages, to try to coax extra information out of the victim," said Thompson.

He said that while links to malware sites are nothing new, it does highlight a significant issue. While passing the mouse arrow over a normal result shows the URL a user is about to click on, no URL preview is shown on sponsored links.

"This means that a user has no clue where she is about to navigate to," said Thompson. "Savvy search engine users will know that often these sponsored links will take you through a 'Click-manager' or other advertising service and so seeing your browser pass through smarttrack.org will appear benign enough."

He said that Google has since terminated that particular Adwords account but the researchers have found another 20 different search strings that resulted in links to smarttrack.org. "It is not yet clear if all the links have been cleared up," he said.