Research: July 2006 Archives

Ben Edelman has published new spyware research about Vonage and some of the unsavory things going on around its advertising. It is a long and technical read, but I recommend it (see the link to the video at the end, and the late entry on Vonage's behind-the-scenes reaction).

He covered several examples, but the one that caught my eye, and the one I want to talk about, is ad injection.

The examples he covered in the article (the banner injection group is the one discussed below):

Spyware-Delivered Pop-Up Ads
Direct Revenue
Targetsaver - covering AOL
Targetsaver - covering a sexually-explicit site

Banner Injection Into Others' Properties
Fullcontext - ad injected into
Searchingbooth - ad injected into
Searchingbooth - ad injected into eBay
DollarRevenue - replacing an ad within

Spyware Delivered Banner Farms
Hula's Global-Store

Spyware Lead Acquisition
Direct Revenue - Vendare's Myphonebillsavings
Direct Revenue - NextClick's Phonebillsolution

It is worth noting that in the first three banner injection examples, including Google and eBay, the ads are injected above a site.
DollarRevenue, however, injects its ad into the site, covering a banner placed by the site. For the site this means the advertiser who bought the media may not be getting what it paid for, and the site owner is not getting paid.

But what does this mean for people, the netizens?

I was intrigued by this question, and by what seems to be a relatively dead tactic coming back to life in the field. So I queried Ben for a discussion. In short, he wondered aloud whether banner injection might be "the next big thing." He told me that until this past month he had only seen one spyware program injecting banner ads into others' sites: DeskWizz's SearchingBooth. But then this past month he found two more, FullContext and DollarRevenue. That is startling and rapid growth, suggesting there may be more to come.

Ben also pointed out that these ad injectors benefit from the lack of transparency in banner ad syndication. At least affiliate merchants generally get to approve their partners one by one. (Most sophisticated merchants have long since disabled auto-approve.) But when advertisers buy banner ads, especially run-of-network / remnant / untargeted ads, they get very little visibility into where those ads appear. This is practically an invitation for placements in spyware injections and other unseemly locations.

In the past many users suspected they had spyware because of all the annoying pop-ups, but like the Borg the dark forces adapt and change tactics: smaller footprints, random file names and MD5s, rootkits. So I am not surprised if this new tactic enters the fray. I can envision it popping up on social networks like MySpace or non-hierarchical news sites like Digg.

Ad injection is very subtle, so people may not know it is going on, or that a program on their machine is doing it.

Take, for instance, an "anti-fraud screen" I found while tracing the money trails of a mass spam attack (still looking into that one) that was delivering malware and porn through deceptive SEO and encoded JavaScript injection. In this case, as I understand it so far, a company from Russia runs a private pay-per-click engine and, I believe, offers XML feeds and search results powered by syndicated results from various pay-per-click search engines. They dole out 75% or more to webmasters and pocket the rest.

(Screenshot: the 7Search anti-fraud screen.)

While it is good that 7Search is periodically checking for problem syndication, I have to ask: why do you need the end user to police it? I would prefer they keep the problems out at the gate.

What topic did you click? Straightforward enough, if you can remember. Why not log the topic?

Are you infected with spyware? How would they really know? That is how it got the moniker "spyware" in the first place. People didn't know how it got there, or someone else installed it, or any number of other situations occur.

Are you part of a pay-to-surf program? Name them. Ouch. It is not as if people getting paid are going to out anyone, or would they? It doesn't add up to me. Not to mention that incentivized search historically gives low yields for advertisers.

In closing, pay close attention to this video from Ben's research on the DollarRevenue ad injection. The easy-to-catch warning signs of spyware infection may indeed fade, meaning people will have to be all the more careful.

Watch the full video of what an ad injection looks like: Edelman's Video on Ad Injection (opens in a new window).

LATE ENTRY: Using my ever-so-handy insider status in the ad world, I have learned from more than one anonymous source that Vonage is putting a number of their advertising deals on hold. I am not sure yet whether it is just with the companies Edelman cited in his research or how far this reaches. At any rate Vonage is reacting and getting serious in their response. This could be a pivotal moment in the spyware wars: you kill the spies by cutting out the well-funded brands sponsoring their existence.

The issue of Blogspot URLs being redirected and used for exploits has been noted before. In this particular case we follow the evolution of sophisticated mass spamming of Google's Blogspot service URLs, coupled with other search engine spam techniques and trace the cascade of events that follow.

Overview: The "Simple Scenario"

1) Party unknown figures out how to optimize Blogspot pages to achieve high rankings in the MSN portal's Search Engine Results Pages (SERPs) for popular search terms, known as keywords, in particular keywords around World Cup coverage.

2) This person uses Google's Blogspot hosting. It has been noted before that Blogspot hosting allows users to insert JavaScript into the head of the HTML page, creating a vulnerable environment.

3) Party unknown implements a complex server-side, auto-rotation system on a domain hosted elsewhere.

4) Party unknown accomplishes "cloaking" the Blogspot URLs, hiding the auto-rotation system. The pages rank high in many MSN search results for targeted keywords.

5) Users conducting queries on MSN or users who arrive on the tainted blogspot URLs are redirected to various pages. In this particular example some sites display explicit pornographic content in addition to offering software downloads with a documented history of security risk.

The World Cup

This investigation over distribution and deception was kicked off by one of the world's biggest sporting events- the World Cup. We all have our favorite teams, and at FaceTime we want people to be able to follow their favorite teams and sports safely! The goal of our research was to investigate a popular sporting event and probe the Internet for attacks, social engineering, or any other malicious or deceptive activity centered around this event.

Flow Chart Sample of Events

(Flow chart of the event sequence, included as an image in the original post.)

Deceptive Mass Spamming Distribution

Basic search engine analysis shows the "party unknown" appears to be using automated techniques to spam guest books and other web pages in order to create links to the domain. Because of the auto-rotation system the domain's homepage changes frequently and apparently randomly. For example, it often defaults to Google's own portal for India.

Search System Pollution

As we will show, the techniques used to taint MSN search rankings are based on an understanding of the MSN search algorithm. However, the primary deceptive tactics are carried out through obfuscated JavaScript injected into Google's Blogspot page headers. This is significant because this particular problem has been publicly noted before by researcher Ben Edelman.

WARNING TO USERS: DO NOT go searching for these sites unless you are a trained security researcher. There is a dynamic component to this operation which could lead to a hostile environment or unwanted content. In short: what you see is not what you may get.

Research: How Did This Happen?

While searching for the keyword "World Cup 2006" in MSN Search, our researcher clicked the first natural result, the result below the sponsored ads. This result appeared to be an innocent-looking Blogspot URL, as the screenshot demonstrates.

Note on Search Engine Results:

Search engines use their own systems to determine the relevancy of a page for a keyword entered in the Search Box. Based on the search engine's algorithms the pages will be ranked and appear in the results. These results are often called SERPS or Search Engine Result Pages.

In crude theory the first result should be the most relevant to the keyword, the second result a somewhat less relevant page, and so on. Numerous factors affect relevancy, beyond the scope of this write-up. It is reasonable to expect people to believe they will find the most relevant pages on the first pages of the results. For this reason, in this study, we have placed emphasis on studying the first results returned in the SERPs.

(Screenshot: the MSN search results page.)

How Did this Page Get to the Top?

In simple terms, by using "spam techniques." With JavaScript turned off in the browser, the user would see a page like this:

(Screenshot: the page with JavaScript turned off.)

Redirection and Misdirection Over Time

On some of the first checks of these URLs our researcher noted redirects to the following Russian web site. is a common hosting company, and the "tkgroup" appears to be a student class blog.

(Screenshot: the Russian web site.)

At first glance it might seem this could be a student prank merely playing search engine tricks. However, after several days the same result redirected our researcher to a different website, which is now the "Adult DVD Download Network" IcooNet. The context and tone have now changed considerably: the tone is now commercial in intent, but also pornographic. Users would have no way of knowing the site they were trying to reach would serve pornographic content if they relied on the title, text description and link displayed in the SERP.

(Screenshot: the IcooNet adult download site.)

In this example our search term was FIFA-related, so it would seem unreasonable to be offered an adult downloader. This is deceptive, and many users may find it offensive, especially since it is reasonable to expect that young football fans would be searching for similar terms and would be guided by the domain name, title and description.

In a legal context this is significant: US Code, Title 18, 2252B, Misleading domain names on the Internet, from

In a final example, the redirection goes to a website which features pornographic galleries offering a program that is cited as a variant of Zlob.Media-Codec. It may go under different names. A EULA is presented if the user wants to access the deceptively advertised pornography. We have not placed a screenshot here because the images are simply too offensive for our blog standards, but we have retained screen capture documentation and video of the site.

The different variants of these programs have to be downloaded in order to play any of the movies on the web-site.

Note this particular search query was conducted from one of our labs in India, so other users and countries will likely get different results. In addition search results change frequently. For purposes of documentation, we have included packet logs from query to destination as well as install of software.

Query Sample 1: Term FIFA+World+Cup+2006 .txt file

Query Sample 2: Term FIFA+World+Cup+2006 .txt file

We Just Wanted the World Cup

In the sample query illustrated by the packet logs above, our researcher, searching for "FIFA World Cup 2006", finds a tainted Blogspot site and clicks through. The log documents the various redirects, which end with the researcher arriving on a pornographic website where he was offered, and accepted, programs with well-documented problematic behavior.

The initial MSN results showed 3 out of 10 results from Blogspot which display the obfuscated JavaScript and re-direction system. Users rely on search engines to deliver them high quality and relevant results. Since the domain names contain football (soccer to U.S. readers) related terms, titles and descriptions it is reasonable the user will feel confident to click-thru.

In a system such as this any number of attacks could be launched, and depending on the degree of sophistication of the attack or skill in social engineering, the results could be quite harmful. The screenshot below shows the tainted Blogspot URLs in MSN's top ten results.

(Screenshot: tainted Blogspot URLs in MSN's top ten results.)

Past History of Problems

It should be noted that while we were unable to document any exploit behavior from the software offered on the pornographic site, the software has a well-documented history of problematic behavior from numerous third-party sources. It is usually classified as a "trojan". Reference: Sunbelt on Zlob.Media-Codec, and Super AdBlocker on xpassman-v3, for example.

EULA Red Flags

In this particular case EULAs were presented with the software product(s) needed to access the content deceptively advertised by the unknown party. EULA analysis shows that additional security software will be added, updates can be made, and the home page will be changed, among other items.

See one EULA Analysis Sample

By accepting it the user grants the software rights to install additional components on the machine. These components or updates may not have cleared appropriate security hygiene processes. In addition no warranty on performance of the software is given.

Also notable: our automated readability analysis of the EULAs displayed shows that reading skills above twelfth-grade level are needed to understand the document, based on several readability batteries.

Flesch Grade: Beyond Twelfth Grade reading level
Automated Readability Index: Beyond Twelfth Grade reading level
Coleman-Liau Index: Beyond Twelfth Grade reading level
Gunning-Fog Index: Beyond Twelfth Grade reading level
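The four indices above are published formulas, so the "beyond twelfth grade" finding is easy to reproduce. The following is an added example, not the lab's own readability tool: it implements Flesch-Kincaid grade, Automated Readability Index, Coleman-Liau and Gunning fog with a vowel-group syllable heuristic (real batteries use dictionaries, so treat the numbers as approximate) and runs them over a constructed EULA-style paragraph and a plain control sentence.

```javascript
// Added example (not the lab's readability tool): the four published readability
// formulas applied to a constructed EULA-style paragraph. Syllable counting is a
// vowel-group heuristic, so grade levels are approximate.

function countSyllables(word) {
  const w = word.toLowerCase().replace(/[^a-z]/g, '');
  if (!w) return 0;
  // Count vowel groups; drop a trailing silent "e" (but not "le" as in "table").
  let groups = (w.match(/[aeiouy]+/g) || []).length;
  if (w.endsWith('e') && !w.endsWith('le') && groups > 1) groups -= 1;
  return Math.max(1, groups);
}

function textStats(text) {
  const sentences = text.split(/[.!?]+(?:\s|$)/).filter(s => s.trim()).length || 1;
  const words = text.split(/\s+/).filter(w => /[a-z]/i.test(w));
  const letters = words.reduce((n, w) => n + (w.match(/[a-z]/gi) || []).length, 0);
  const syllables = words.reduce((n, w) => n + countSyllables(w), 0);
  const complexWords = words.filter(w => countSyllables(w) >= 3).length;
  return { sentences, words: words.length, letters, syllables, complexWords };
}

function readabilityGrades(text) {
  const s = textStats(text);
  const wps = s.words / s.sentences;   // words per sentence
  const spw = s.syllables / s.words;   // syllables per word
  const lpw = s.letters / s.words;     // letters per word
  return {
    fleschKincaidGrade: 0.39 * wps + 11.8 * spw - 15.59,
    automatedReadabilityIndex: 4.71 * lpw + 0.5 * wps - 21.43,
    // Coleman-Liau uses letters and sentences per 100 words.
    colemanLiauIndex: 0.0588 * (lpw * 100) - 0.296 * (100 / wps) - 15.8,
    gunningFogIndex: 0.4 * (wps + 100 * (s.complexWords / s.words)),
  };
}

// Label each index the way the post does: "Beyond Twelfth Grade" above 12.
function gradeLabel(grade) {
  return grade > 12 ? 'Beyond Twelfth Grade reading level'
                    : `Grade ${Math.max(0, Math.round(grade))}`;
}

function readabilityReport(text) {
  const report = {};
  for (const [name, value] of Object.entries(readabilityGrades(text))) {
    report[name] = gradeLabel(value);
  }
  return report;
}

// Constructed EULA-style paragraph (not quoted from any real licence).
const SAMPLE_EULA = 'By accepting this agreement the licensee irrevocably authorizes the licensor ' +
  'and its affiliated distribution partners to download, install, configure and periodically ' +
  'update supplementary software components, including advertising and security applications, ' +
  'and to modify browser configuration settings, homepage designations and search preferences ' +
  'without additional notification, acknowledging that the software is provided without warranty ' +
  'of merchantability, performance or fitness for any particular purpose.';

// Plain control text for comparison.
const SAMPLE_PLAIN = 'The cat sat on the mat. It was warm. The dog slept.';

console.log(readabilityReport(SAMPLE_EULA));
console.log(readabilityReport(SAMPLE_PLAIN));
```

The single 61-word sentence is what pushes every index past grade 12: words per sentence dominates Flesch-Kincaid, ARI and fog, while Coleman-Liau responds to the long Latinate words. That is also why a one-sentence "click here to accept" EULA can score lower than it reads.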

Technical Background: How Did Blogspot Do This?

The attack is quite subtle. Put simply, it uses obfuscated or "garbled" JavaScript.

Inspecting the source code of the blog entry, we noted JavaScript calling a function named decode(). There was no simple redirection code visible in the page source at first glance; all we saw was what looked like random numbers stored as a string. The function name itself, decode, was the hint to decode the whole function. Let us take a look at the original source code:

(Screenshot: the original obfuscated source code.)

Now let us examine the screenshot of the "decoded" code:
(Screenshot: the decoded code.)

Explanation of Code:
The code says if the blog is referred by any of the following major search engines:


then it will open the URL <*****>&q=World+Cup, which triggers the redirection system. The writer of this code is therefore actively intercepting search traffic and moving it elsewhere, and is doing so with obvious intent.

However, if the Blogspot address is simply pasted or typed into the address bar of the IE browser, it redirects to the MSN search result for the keyword "World Cup 2006". As we know from the search result screen capture above, 3 of the first 10 MSN natural search results could most likely be the same kind of tainted Blogspot entries, and clicking any of them redirects to the same system. This puts the user into a dangerous cycle. We qualify "most likely" because the top ten entries can and do change dynamically, beyond the control of users.
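The two tell-tale features described above, a long numeric string handed to a decode() routine and a decoded payload that branches on document.referrer before redirecting, can be checked for statically without ever running the page. The following is an added example, not code from the original post or from FaceTime: a scanner that extracts script blocks, decodes digit-string literals as character codes, and reports whether the decoded text contains a referrer test plus a redirect. The HTML, the hidden script and every domain in it are constructed for the example; the hidden script is written in clear and encoded on the fly only so the sample is self-contained.

```javascript
// Added example (not from the original post): static scan for the obfuscated,
// referrer-gated redirect pattern. Nothing is executed; numeric literals are
// decoded as character codes and the result is inspected with regexes.

// Decode a digit string as character codes. Supports "104,116,..." and
// fixed-width "104116..." forms; keeps the candidate that is mostly printable.
function decodeNumericString(s) {
  const candidates = [];
  if (/\D/.test(s)) {
    candidates.push(s.split(/\D+/).filter(Boolean).map(Number));
  } else {
    for (const width of [3, 2]) {
      candidates.push((s.match(new RegExp(`\\d{1,${width}}`, 'g')) || []).map(Number));
    }
  }
  let best = null;
  for (const codes of candidates) {
    const text = String.fromCharCode(...codes);
    const printable = (text.match(/[\x20-\x7e]/g) || []).length / (text.length || 1);
    if (!best || printable > best.printable) best = { text, printable };
  }
  return best && best.printable > 0.95 ? best.text : null;
}

function analyzeBlogScript(html) {
  const scripts = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) scripts.push(m[1]);

  // Long quoted literals made only of digits and separators are decode() fodder.
  const decodedPayloads = [];
  for (const src of scripts) {
    for (const lit of src.match(/["']([\d,\s]{40,})["']/g) || []) {
      const text = decodeNumericString(lit.slice(1, -1));
      if (text) decodedPayloads.push(text);
    }
  }

  const everything = scripts.concat(decodedPayloads).join('\n');
  const referrerCheck = /document\.referrer/.test(everything);
  const redirect = /\blocation(\.href)?\s*=|location\.replace\(|window\.open\(/.test(everything);
  const searchEngineGate = referrerCheck && /google|msn|yahoo|live\.com/i.test(everything);
  const urls = [...new Set(everything.match(/https?:\/\/[^\s"'<>)]+/g) || [])];

  let verdict = 'clean';
  if (decodedPayloads.length && referrerCheck && redirect) verdict = 'suspicious';
  else if (referrerCheck && redirect) verdict = 'review';
  return { scriptCount: scripts.length, decodedPayloads, referrerCheck, redirect,
           searchEngineGate, urls, verdict };
}

// Constructed sample page. The hidden script is encoded here for convenience;
// a real tainted page carries only the digits. Domains are placeholders.
function toCharCodes(text) {
  return Array.from(text, c => c.charCodeAt(0)).join(',');
}
const HIDDEN = 'if(/google|msn|yahoo/i.test(document.referrer)){' +
  'window.location="http://mediator.example/go?q=World+Cup";}' +
  'else{window.location="http://search.msn.example/results.aspx?q=World+Cup+2006";}';
const SAMPLE_HTML = '<html><head><script>\n' +
  'var s="' + toCharCodes(HIDDEN) + '";\n' +
  'function decode(){var o="",a=s.split(",");' +
  'for(var i=0;i<a.length;i++)o+=String.fromCharCode(a[i]);eval(o);}\n' +
  'decode();\n' +
  '</script></head><body>World Cup 2006</body></html>';

console.log(analyzeBlogScript(SAMPLE_HTML));
```

The verdict is deliberately conservative: a referrer test and a redirect in clear text are only flagged for review, since legitimate analytics scripts do both, while the same pair emerging from a decoded numeric blob is what distinguishes the Blogspot pages in this write-up.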

Controlling the Deceit

In this case there is no need to change the source code of the page, because the operator of the toptravel10 domain has set up a complex server-side auto-rotation system of unknown make-up. The tainted Blogspot URLs use that URL as a mediator: the Blogspot pages open it when called, and at that point the toptravel10 domain's system decides where the user is redirected. The mediator remains constant while linking to different URLs over a given period of time. In this entry the researcher was referred first to a Russian web site, second to IcooNet (Adult DVD Downloader), and now the mediator links to VideoGalleries, which in turn offers adult-oriented software.

It is also notable the ownership information for the domain is cloaked through a proxy registration service.
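A constant mediator with a changing destination is detectable from repeated captures. The following is an added example, not the lab's tooling: it reconstructs the request chain from an HTTP transcript in the style of the packet logs referenced above (request line, Host, Referer, status line, Location), then compares several captures of the same tainted URL taken on different days. The transcripts, dates and hostnames are constructed; the hop layout mirrors the write-up (Blogspot page, mediator, final site).

```javascript
// Added example (not the lab's own tooling): rebuild redirect chains from
// captured HTTP transcripts and flag a constant mediator whose final
// destination rotates between captures. All transcript data is constructed.

function parseRedirectChain(transcript) {
  const hops = [];
  let current = null;
  for (const raw of transcript.split(/\r?\n/)) {
    const line = raw.trim();
    let m;
    if ((m = line.match(/^(GET|POST) (\S+) HTTP\/1\.[01]$/))) {
      current = { path: m[2], host: null, referer: null, status: null, location: null };
      hops.push(current);
    } else if (current && (m = line.match(/^Host:\s*(.+)$/i))) {
      current.host = m[1];
    } else if (current && (m = line.match(/^Referer:\s*(.+)$/i))) {
      current.referer = m[1];
    } else if (current && (m = line.match(/^HTTP\/1\.[01] (\d{3})/))) {
      current.status = Number(m[1]);
    } else if (current && (m = line.match(/^Location:\s*(.+)$/i))) {
      current.location = m[1];
    }
  }
  return hops.map(h => ({ ...h, url: `http://${h.host}${h.path}` }));
}

// The landing page is the last request in the capture.
function finalDestination(hops) {
  const last = hops[hops.length - 1];
  return last ? last.url : null;
}

function hostOf(url) {
  return (url && url.match(/^https?:\/\/([^/]+)/) || [])[1] || null;
}

// observations: [{ date, transcript }] for repeated visits to one tainted URL.
// Hop 0 is the Blogspot page, hop 1 the mediator it always calls.
function summarizeRotation(observations) {
  const mediators = new Set();
  const destinations = new Map(); // final host -> dates it was seen
  for (const { date, transcript } of observations) {
    const hops = parseRedirectChain(transcript);
    if (hops[1]) mediators.add(hostOf(hops[1].url));
    const dest = hostOf(finalDestination(hops));
    if (!destinations.has(dest)) destinations.set(dest, []);
    destinations.get(dest).push(date);
  }
  return {
    mediators: [...mediators],
    destinations: Object.fromEntries(destinations),
    rotating: mediators.size === 1 && destinations.size > 1,
  };
}

// Constructed transcript generator: Blogspot page (JavaScript redirect, so a 200),
// mediator answering 302, then the rotated final site.
function capture(finalHost, finalPath) {
  return [
    'GET /2006/06/world-cup-2006.html HTTP/1.1',
    'Host: worldcup-news.blogspot.example',
    'Referer: http://search.msn.example/results.aspx?q=FIFA+World+Cup+2006',
    '',
    'HTTP/1.1 200 OK',
    'Content-Type: text/html',
    '',
    'GET /go.php?q=World+Cup HTTP/1.1',
    'Host: mediator.example',
    'Referer: http://worldcup-news.blogspot.example/2006/06/world-cup-2006.html',
    '',
    'HTTP/1.1 302 Found',
    `Location: http://${finalHost}${finalPath}`,
    '',
    `GET ${finalPath} HTTP/1.1`,
    `Host: ${finalHost}`,
    '',
    'HTTP/1.1 200 OK',
  ].join('\n');
}

const OBSERVATIONS = [
  { date: '2006-06-20', transcript: capture('tkgroup.hosting.example', '/') },
  { date: '2006-06-24', transcript: capture('dvd-downloads.example', '/?aff=42') },
  { date: '2006-06-30', transcript: capture('videogalleries.example', '/gallery1/') },
];

console.log(summarizeRotation(OBSERVATIONS));
```

Keeping the Referer of each hop in the parsed record matters for the cloaking side of the story: a capture taken by typing the Blogspot address directly (no Referer on hop 0) should end at the MSN results page rather than at the mediator, and comparing the two chains documents the referrer-dependent behaviour without executing the script.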

Why Use Blogspot?

Blogspot has been the target of similar attacks in the past. Researcher Ben Edelman's concern about Blogspot helps explain why this case is important. From his article:

"...Numerous blogs hosted at Google's Blogspot service contain JavaScript that tries to trick users into installing unneeded software..."

In this instance the obfuscated JavaScript not only degrades the quality of search engine results; it also acts as a longer chain of redirects that distances the designer from the scene.

Why MSN Search?

As researchers, we might ask: "Why would someone target the MSN search system?"

The logical reasons are probably that most Windows-based systems default to MSN Search, and/or that the orchestrator had some mastery at gaming the Microsoft ranking algorithm.

Examples of tainted URLs are:

(Note: After contacting Google last week- these are now offline!)

Are There More?

Yes. One such instance was found for the keyword "AIRLINE TICKETS".

These blog URLs may also be redirected to the same pornographic galleries, again depending on the system of rotation.

The following blog URLs were found for the keyword "AIRLINE TICKETS":

Conclusion and Final Notes:

A solution was already offered by Ben Edelman:

"...What should Google do? Google already disallows JavaScript within posts. Apparently Google considers embedded JavaScript too risky -- too likely to trick, deceive, or otherwise take advantage of users. But Google oddly allows JavaScript to be added to Blogspot headers and navigation bars. This decision should be reversed..."

In terms of football (soccer) this is the equivalent of a "Yellow Card".

We must add the following caution and warning on the tactical approach.

In this particular case the unknown party used some technological sophistication coupled with knowledge of world events, search engine algorithms and planning. However, the party used poor targeting.

Let us explore a "what if" scenario...

What if the same system, using football (soccer) keywords, were used to trick a user into opening a page that asked them to view 'World Cup Bloopers' or 'World Cup Highlights', or lured users with a fake video of a 'disputed call' or 'insider interview' cobbled together from pirated footage? The user, now contextually targeted, would probably click, and any number of hostile scenarios could be played out. The attack would be limited only by the creativity and motivation of the operator.

To use our football analogy again- this is a "Red Card".

LATE ADDITION: We have contacted Google about our concerns pointing out the problem around the World Cup spam and they reacted rapidly. Initial research seems to show they scoured Blogspot and removed the tainted URLs so World Cup fans wouldn't fall into this trap during the championship weekend. However, the root of the problem still remains. What to do about the JavaScript? Ultimately that is a problem Google will have to solve.

The problem has been pointed out before- history should be the teacher.

Blog Summary Write-Up: Wayne Porter, Sr. Dir. Greynets Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

Phishing is a form of criminal activity using social engineering or trickster techniques to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an e-mail or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords. Some phishing has become so sophisticated that it no longer needs to steal information over the web, IM or e-mail, but lures users onto phone connections and captures the data there. (You call a number, they ask you to enter your account number and PIN, and voilà: they capture the "tones" made by your telephone keypad input, and your account is wide open to the scammer.)

We talked a while ago about the global phishing termination operation launched by CastleCops and Sunbelt Software. The volunteer PIRT Squad is comprised of folks who report phish, investigate phish, and actively work on phish takedown and termination (original concept by Robin Laudanski). PIRT is funded by CastleCops.

Our own Microsoft Security MVP, Chris Boyd, has been participating in the PIRT Squad over at CastleCops, and some of the first results are in. CastleCops' operators, Robin and Paul Laudanski, have compiled the list of the top phished brands in May. The all-volunteer group of phishing terminators is having a real impact on phishing. Our own research team follows up on many of these phish sites and notes that many are offline quickly. That is good news, but the battle is far from over. (Other "things" may lurk at the end of these phish attempts, but that is for another entry.)

So without further ado, the top brands phished in May.
Pay special attention to how "pure Internet play" brands like PayPal and eBay are the most common targets.

May 2006 confirmed phish (brand plus total count for May):

PayPal - 520
eBay - 309
Bank of America - 37
Barclays - 36
Wells Fargo - 36
Chase - 33
WAMU - 28
HSBC - 20
MasterCard - 18
e-gold - 17
Nationwide - 17
Citi - 16
BancorpSouth - 14 - 12
Halifax - 11
NetBank - 11
Laredo Nat'l Bank - 10
Nat'l Australia Bank - 10
Western Union - 10
National Credit Union - 9

With this early report in mind we have to take into account that Google is now throwing their hat into the e-commerce ring with a service called "Google Checkout". The business implications of this move are very, very complicated and beyond the scope of this entry- although they are important to security researchers too. However, in terms of pure security research the proverbial writing is on the wall...Google and e-commerce will only attract scammers like bears to honey. How successful they will be will depend much on how Google implements the process, their anti-fraud features, and how educated people are on phishing in general.

I admit, especially in my talks and speeches with youngsters, I am quite dismayed at the lack of awareness on Internet safety. That is one area I, and our team, have been pondering.

One of the best forms of defense is very simple: "street smarts". For example, we teach children not to go into dark alleys late at night; actually, most parents wouldn't let their children out in a city at night at all! Yet our digital highways can be dangerous too, and the two media are often treated differently. I plan to write more on this in the future.

For now, let us get back to Google Checkout.

Some of the features of Google Checkout include:

1) Google will store your complete shopping history. This is convenient of course, but remember that if you lose access to that account, that history goes with it. This is no different from losing access to any e-mail account via a hack.

2) Google won't share your full credit card number, even with the merchants you buy from. This makes sense, since Google is doing the transaction on behalf of the merchant.

3) Google won't share your email address with merchants if you don't want them to. This is nice- you don't have to worry about getting lots of promotions via e-mail if you don't want.

4) Google will not spam you. Google pledges they will not spam you- great. They never have and I believe that is not in their plans.

5) You can store as many credit cards in Google Checkout as you want! That is where it starts to get a little bit risky.

Now, again, I am not being anti-Google, I am only being a realist. You have a pure play Internet brand, new to offering payment transaction processing to the public at large, prepared to do business en masse. If we look at recent history, like the PIRT report, it only stands to reason that Google, other privacy concerns aside, will experience their fair share of phishing attempts.

For now- use "street smarts". Be wary and be careful.

NOTE: If you are technically adept at handling phishing attempts and want to help by joining the PIRT Squad you can join the team here, if you simply want to report a phishing attempt you can do so by clicking here.


About this Archive

This page is an archive of entries in the Research category from July 2006.