Google Trends and EDU domains used by Black Hat SEO
Written by Kimberly
Wednesday, 02 December 2009
Page 1 of 2
Yesterday I was kind of surprised to see an edu domain being used in the SEO poisoning attack via Google Trends keywords. I decided to see if more universities were involved in spreading those fake web pages leading to online scanners and search engines.
All the links on the first Google page, except the last one, redirect people either to websites that display other links and redirect people to fake online scanners, or to search portals, or occasionally back to Google if you hit the same domain a second time. Others lead to a guestbook containing weird posts. Those guestbook websites all have one thing in common: they offer different links to playlist.com, a music website where people share, create or build a playlist.

Following the links leads us to cheaperstoreus.com, which acts as a rotator. A rotator is a link to a Traffic Management System, and it will point users to different destinations each time the link is requested. They might also include the name of the group spreading the malware or a campaign ID. Rotators typically look like: www.example.com/in.cgi?migente

From there the victim is redirected to a search portal called trafftons.com with a query for p0rn video clips. Don’t bother following the links; they go either to an online scan or to adult content websites such as xxxblackbook.com, where you have to sign up to get access.

But a couple of links did catch my attention, as they start a custom Google search query for “Rachel Uchitel pictures”. What's more, this custom search has a Google Adsense Publisher ID - pub-7411906915148435 - which means that the owner gets money. The Adsense ID is linked to websites, and this one is associated with 2 domains, knol.google.com and usanewsads.com, according to adsspy.com. A search on the Adsense ID did bring up an interesting article on the Unmask Parasites Blog about Black Hat SEO.

Some of the links advertise a Youtube video, yet another way to make some bucks. Most of them lead to solacemovies.com or hotshootnews.com. Both websites ask the user to install Hotbar, ShopperReports and Seekdns in order to get access to the movie. Other websites will ask you to complete a survey conducted by cpalead.com before allowing access to the page. If the offer does not apply to your geo location, you will be redirected to the Facebook login page promoting “Spot The Difference”.

The www.hcs.harvard.edu link goes to a wiki page containing pharma spam hosted on various other edu domains.

Conclusion

Tiger Woods is not a unique case of SEO poisoning; any subject in Google Trends might be exploited by the malware writers with Black Hat SEO techniques, and any popular trend could become a potential vector to distribute viruses and other malware scams, so be aware of this while surfing in cyberspace. As for those educational / university websites … who set up those pages, or are we dealing with hacked servers here?
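
The rotator URL shape (in.cgi followed by a bare campaign token) and the AdSense publisher ID described above can both be hunted for in web proxy logs. The following Python is an added example, not code from the original post; the three-field log format, the host names and the publisher ID in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log, assumed format: "<client> <referrer> <requested URL>"
SAMPLE_LOG = """\
10.0.0.5 http://www.google.com/search?q=trend http://guestbook.example.edu/book.php?id=7
10.0.0.5 http://guestbook.example.edu/book.php?id=7 http://www.example.com/in.cgi?migente
10.0.0.5 http://www.example.com/in.cgi?migente http://portal.example.net/search?q=clips
10.0.0.9 - http://cse.example.org/results?client=pub-0000000000000000&q=pictures
10.0.0.9 - http://news.example.org/index.html
"""

ROTATOR_PATH = re.compile(r"/in\.cgi$", re.IGNORECASE)  # script name from the post
CAMPAIGN = re.compile(r"[\w-]{1,32}")                   # bare token, not key=value
PUB_ID = re.compile(r"\bpub-\d{16}\b")                  # AdSense publisher ID shape


def parse_rotator(url):
    """Return (host, campaign_id) if url has the rotator shape, else None."""
    parts = urlsplit(url)
    if ROTATOR_PATH.search(parts.path) and CAMPAIGN.fullmatch(parts.query):
        return parts.hostname, parts.query
    return None


def analyse(log_text):
    """Collect rotator hits, publisher IDs per host, and .edu -> rotator hops."""
    rotators, pub_ids, edu_referred = [], defaultdict(set), []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _client, referrer, url = fields
        hit = parse_rotator(url)
        if hit:
            rotators.append(hit)
            ref_host = urlsplit(referrer).hostname or ""
            if ref_host.endswith(".edu"):
                edu_referred.append((ref_host, hit[0]))
        for pub in PUB_ID.findall(url):
            pub_ids[pub].add(urlsplit(url).hostname)
    return rotators, dict(pub_ids), edu_referred


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Grouping hosts by publisher ID gives the same kind of pivot the post performs by hand with adsspy.com, and the .edu referrer list shows which university pages are feeding the rotator.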