The World Cup: The Internet "Red Card"
The issue of Blogspot URLs being redirected and used for exploits has been noted before. In this particular case we follow the evolution of sophisticated mass spamming of Google's Blogspot service URLs, coupled with other search engine spam techniques and trace the cascade of events that follow.
Overview: The "Simple Scenario"
1) Party unknown figures out how to optimize Blogspot pages to achieve high rankings in MSN portal Search Engine Results Pages (SERPs) for popular search terms, known as keywords, in particular keywords around World Cup coverage.
3) Party unknown implements a complex server-side, auto-rotation system on a domain hosted elsewhere.
4) Party unknown accomplishes "cloaking" of the Blogspot URLs, hiding the auto-rotation system. The pages rank high in many MSN search results for the targeted keywords.
5) Users conducting queries on MSN, or users who arrive on the tainted Blogspot URLs by other means, are redirected to various pages. In this particular example some of those sites display explicit pornographic content in addition to offering software downloads with a documented history of security risk.
The World Cup
This investigation into distribution and deception was kicked off by one of the world's biggest sporting events: the World Cup. We all have our favorite teams, and at FaceTime we want people to be able to follow their favorite teams and sports safely. The goal of our research was to take a popular sporting event and probe the Internet for attacks, social engineering, or any other malicious or deceptive activity centered around it.
Flow Chart Sample of Events
Deceptive Mass Spamming Distribution
Basic search engine analysis shows the "party unknown" appears to be using automated techniques to spam guest books and other web pages in order to create links to the domain. Because of the auto-rotation system the domain's homepage changes frequently and apparently randomly. For example, it often defaults to Google's own portal for India.
Search System Pollution
WARNING TO USERS: DO NOT go searching for these sites unless you are a trained security researcher. There is a dynamic component to this operation which could lead to a hostile environment or unwanted content. In short: what you see is not what you may get.
Research: How Did This Happen?
While searching for the keyword "World Cup 2006" in the MSN search engine, our researcher clicked the first natural result, the result below the sponsored ads. This result appeared to be an innocent-looking Blogspot URL, as the screenshot demonstrates.
Note on Search Engine Results:
Search engines use their own systems to determine the relevancy of a page for a keyword entered in the search box. Based on the search engine's algorithms the pages are ranked and appear in the results. These results are often called SERPs, or Search Engine Result Pages.
In crude theory the first result should be the most relevant to the keyword, the second result a somewhat less relevant page, and so on. Numerous factors affect relevancy beyond the scope of this write-up. It is reasonable to expect people to believe they will find the most relevant pages on the first pages of the results. For this reason, in this study, we have placed emphasis on studying the first results returned in the SERPs.
How Did this Page Get to the Top?
Redirection and Misdirection Over Time
Upon some of the first checks of these URLs our researcher noted redirects to the following Russian web site. By.ru is a common hosting company, and the "tkgroup" appears to be a student class blog.
At first glance it might seem this could be a student prank merely playing search engine tricks. However, after several days the same result redirected our researcher to a different website, which is now "Adult DVD Download Network" IcooNet. The context and tone have now changed considerably. The tone is now commercial in intent but also pornographic. Users would have no way of knowing that the site they were trying to reach would serve pornographic content if they relied on the title, text description and link displayed in the SERP.
In this example our search term was for FIFA, so it would seem unreasonable to be offered an adult downloader. This is deceptive, and many users may find it offensive, especially since it is reasonable to expect that young football fans would be searching for similar terms and would be guided by the domain name, title and description.
From a legal context this is significant: US Code, Title 18, § 2252B, Misleading domain names on the Internet (from law.cornell.edu).
In a final example, the redirection goes to a website which features pornographic galleries offering a program that is cited as a variant of Zlob.Media-Codec. It may go under different names. A EULA is presented if the user wants to access the deceptively advertised pornography. We have not placed a screenshot here because the images are simply too offensive for our blog standards, but we have retained screen capture documentation and video of the site.
The different variants of these programs have to be downloaded in order to play any of the movies on the web-site.
Note this particular search query was conducted from one of our labs in India, so other users and countries will likely get different results. In addition search results change frequently. For purposes of documentation, we have included packet logs from query to destination as well as install of software.
We Just Wanted the World Cup
In the sample query illustrated by the packet logs above our researcher, searching for "FIFA World Cup 2006", finds a tainted Blogspot site and clicks through. The log documents the various redirects, which end with the researcher arriving on a pornographic website where he was offered, and accepted, programs with well documented problematic behavior.
In a system such as this any number of attacks could be launched, and depending on the degree of sophistication of the attack or skill in social engineering, the results could be quite harmful. The screenshot below shows the tainted Blogspot URLs in the top ten MSN results.
Past History of Problems
It should be noted that while we were unable to document any exploit behavior from the software page of the pornographic site, the software has a well documented history of problematic behavior from numerous third-party sources. It is usually classified as a "trojan". Reference: Sunbelt on Zlob.Media-Codec, and Super AdBlocker on xpassman-v3, for example.
EULA Red Flags
In this particular case EULAs were presented with the software product(s) needed to access the content deceptively advertised by the unknown party. EULA analysis shows that additional security software will be added, that updates can be made, and that the home page will be changed, among other items.
See one EULA Analysis Sample
By accepting it the user grants the software the right to install additional components on the machine. These components or updates may not have cleared appropriate security hygiene processes. In addition, no warranty on the performance of the software is given.
Also notable: our automated readability analysis of the EULAs displayed shows that reading skills beyond the 12th-grade level are needed to understand the document, according to several readability batteries:
Flesch Grade: Beyond Twelfth Grade reading level
Automated Readability Index: Beyond Twelfth Grade reading level
Coleman-Liau Index: Beyond Twelfth Grade reading level
Gunning-Fog Index: Beyond Twelfth Grade reading level
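The four grade-level batteries named above, computed with their published formulas on a constructed EULA-style sentence. This is an added example, not FaceTime's readability tool (whose exact formula variants are unknown); the syllable counter is a vowel-group heuristic, and SAMPLE_EULA is constructed text, not a real license.

```python
# Added example: grade-level estimates for a EULA passage. ARI and Coleman-Liau
# need only letter, word and sentence counts; Flesch-Kincaid and Gunning Fog also
# need syllable counts, approximated here by counting vowel groups.
import re


def _syllables(word: str) -> int:
    """Heuristic syllable count: vowel groups, minus a silent trailing 'e'."""
    word = word.lower()
    groups = len(re.findall(r"[aeiouy]+", word))
    if word.endswith("e") and not word.endswith("le") and groups > 1:
        groups -= 1
    return max(groups, 1)


def grade_levels(text: str) -> dict:
    """Return the four indices as U.S. school grade levels."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()] or [text]
    words = re.findall(r"[A-Za-z']+", text)
    if not words:
        raise ValueError("text contains no words")
    letters = sum(len(w) for w in words)
    syl = [_syllables(w) for w in words]
    W, S = len(words), len(sentences)
    complex_words = sum(1 for s in syl if s >= 3)   # Gunning Fog "hard" words
    return {
        "flesch_kincaid": 0.39 * W / S + 11.8 * sum(syl) / W - 15.59,
        "ari": 4.71 * letters / W + 0.5 * W / S - 21.43,
        "coleman_liau": 0.0588 * (100 * letters / W) - 0.296 * (100 * S / W) - 15.8,
        "gunning_fog": 0.4 * (W / S + 100 * complex_words / W),
    }


def beyond_twelfth_grade(text: str) -> bool:
    """True when every index estimates a reading level above 12th grade."""
    return all(g > 12 for g in grade_levels(text).values())


# Constructed sample in the style of the EULA clauses summarised above (not a real EULA).
SAMPLE_EULA = (
    "Licensee acknowledges and irrevocably agrees that the Licensor may, at its sole "
    "discretion and without additional notification, install supplementary components, "
    "deliver periodic updates, and reconfigure browser settings including the designated "
    "homepage, and Licensee further acknowledges that the Software is provided without any "
    "warranty regarding performance, merchantability, or fitness for a particular purpose."
)
SIMPLE_TEXT = "The cat sat on the mat. It was warm. The cat slept."  # constructed control text
```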
Technical Background: How Did Blogspot Do This?
Now let us examine the screenshot of the "decoded" code:
Explanation of Code:
The code says if the blog is referred by any of the following major search engines:
Then it will open the URL http://www.toptravel10.com/search.php?aid=<*****>&q=World+Cup, which calls the redirection system into action. The writer of this code is therefore actively intercepting search traffic and moving it somewhere else, and is doing so with obvious intent.
If, however, the Blogspot address is simply pasted or typed into the address bar of the IE browser, it redirects to the MSN search results for the keyword "World Cup 2006". As we know from the search result screen capture above, 3 out of the first 10 MSN natural search results could most likely be the same kind of tainted Blogspot entries. Clicking any of those entries will again redirect to the same system. This puts the user into a dangerous cycle. We qualify "most likely" because the top ten entries can and do change dynamically, beyond the control of users.
Controlling the Deceit
In this case there is no need to change the source code of the page, because the operator of the toptravel10 domain has set up a complex server-side, auto-rotation system of unknown make-up. The tainted Blogspot URLs use the URL http://www.toptravel10.com/search.php?aid=56340&q=World+Cup as a mediator: the Blogspot pages open this URL when called, and at that point the toptravel10 domain's system decides where the user is redirected. The mediator remains constant but links to different URLs over a given period of time. In this entry the researcher was referred first to a Russian web site, second to IcooNet (Adult DVD Downloader), and now the mediator links to VideoGalleries, which in turn offers adult-oriented software.
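A defender-side probe for the two behaviours described under "Explanation of Code" and in this section, added here as an example (it is not FaceTime's tooling or the code from the screenshot): the same URL is fetched with a search-engine Referer and with none, and the landing pages are compared; the constant mediator URL is then fetched repeatedly to expose the rotation behind it. The `fetch` function is an assumed interface (url, referer -> redirect chain); `fake_fetch` is a constructed stand-in modelled on the page's description, and the `.invalid` hostnames and the aid value are placeholders.

```python
# Added example: detect referrer-conditional cloaking and a rotating mediator by
# comparing redirect chains. Real use would swap fake_fetch for an HTTP client
# that follows redirects and returns the list of URLs visited.
from itertools import cycle
from typing import Callable, Dict, List, Set

SEARCH_REFERERS = [
    "http://search.msn.com/results.aspx?q=world+cup+2006",
    "http://www.google.com/search?q=world+cup+2006",
]
DIRECT = ""  # typed into the address bar: no Referer header at all

FetchFn = Callable[[str, str], List[str]]  # (url, referer) -> redirect chain


def cloaking_report(fetch: FetchFn, url: str) -> Dict[str, object]:
    """Landing page per referer; 'cloaked' if a search referer lands elsewhere than a direct visit."""
    landings = {ref: fetch(url, ref)[-1] for ref in [DIRECT] + SEARCH_REFERERS}
    direct = landings[DIRECT]
    cloaked = any(landings[r] != direct for r in SEARCH_REFERERS)
    return {"landings": landings, "cloaked": cloaked}


def rotation_report(fetch: FetchFn, mediator: str, samples: int) -> Set[str]:
    """Fetch the mediator several times; more than one destination means it rotates."""
    return {fetch(mediator, DIRECT)[-1] for _ in range(samples)}


# --- Constructed stand-in for the live sites (placeholders, not real hosts) ---
MEDIATOR = "http://www.toptravel10.com/search.php?aid=XXXXX&q=World+Cup"  # aid is a placeholder
_rotation = cycle(["http://russian-blog.invalid/", "http://adult-dvd.invalid/",
                   "http://videogalleries.invalid/"])


def fake_fetch(url: str, referer: str) -> List[str]:
    """Simulated chain: search referer -> mediator -> rotating target;
    direct visit -> MSN results for the same keyword (the 'cycle' described above)."""
    chain = [url]
    if url.startswith("http://tainted.blogspot.invalid/"):
        if "msn.com" in referer or "google.com" in referer:
            chain += fake_fetch(MEDIATOR, url)
        else:
            chain.append("http://search.msn.com/results.aspx?q=World+Cup+2006")
    elif url == MEDIATOR:
        chain.append(next(_rotation))
    return chain
```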
It is also notable the ownership information for the toptravel10.com domain is cloaked through a proxy registration service.
Why Use Blogspot?
Blogspot has been the target of similar attacks in the past. Researcher Ben Edelman's concern about Blogspot will help us understand why this case is important. From his article:
Why MSN Search?
As researchers, we might ask: "Why would someone target the MSN search system?"
The logical reasons would probably be that most Windows-based operating systems default to MSN search, and/or that the orchestrator had some mastery at gaming the Microsoft ranking algorithm.
Examples of tainted URLs are:
(Note: After we contacted Google last week, these are now offline!)
Are There More?
Yes. One such instance was found for the keyword "AIRLINE TICKETS".
These blog URLs may also be redirected to the same pornographic galleries, again depending on the system of rotation.
The following blog URLs were found for the keyword "AIRLINE TICKETS".
Conclusion and Final Notes:
A solution was already offered by Ben Edelman:
In terms of football (soccer) this is the equivalent of a "Yellow Card".
We must add the following caution and warning on the tactical approach.
In this particular case the unknown party used some technological sophistication coupled with knowledge of world events, search engine algorithms and planning. However, the party used poor targeting.
Let us explore a "what if" scenario...
What if the same system, using football (soccer) keywords, were used to trick a user into opening a page that asked them to view 'World Cup Bloopers' or 'World Cup Highlights', or lured users with a fake video of a 'disputed call' or 'insider interview' cobbled together from pirated footage? The user, now contextually targeted, would probably click, and any number of hostile scenarios could be played out. The attack would be limited only by the creativity and motivation of the operator.
To use our football analogy again: this is a "Red Card".
The problem has been pointed out before; history should be the teacher.
Blog Summary Write-Up: Wayne Porter, Sr. Dir. Greynets Research
Technical Research: Peter Jayaraj, FSL Threat Researcher