Limited Malicious Search Engine Poisoning for Election

Limited Malicious Search Engine Poisoning for Election
We have seen a couple of instances of search result poisoning for election related search terms. Right now, this is not wide spread but of course depends largely on the search terms you use. One affected domain appears to be "digicube.biz" and malicious results are already blocked on Google. The malicious results use the search term as part of the URL, probably in an attempt to achieve a higher ranking (we have seen this before). For example for the search term "2010 election results", you may get: digicube.biz/..../news=2010-election-results (parts removed to protect our readers) At this point, these links do not show up very high in Google's ranking for these search results. If you find more polluted search terms, please let us know. Websense published a blog post with a few more details and search terms [1]. [1] http://community.websense.com/blogs/securitylabs/archive/2010/11/01/rogue-av-rides-the-US-midterm-elections-wave.aspx ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022	Johannes 4472 Posts ISC Handler Nov 2nd 2010
Thread locked Subscribe	Nov 2nd 2010 1 decade ago
More from Websense (SSDD): - http://community.websense.com/blogs/securitylabs/archive/2010/11/02/who-has-your-vote-as-malicious-adobe-and-firefox-updates-join-the-rougue-av-election.aspx 2 Nov 2010 - "... As of the time of writing and publishing this blog, the coverage for the file download prompts for both IE Flash Update* and Firefox Flash update** was about 27.9%* as confirmed by VirusTotal." * http://www.virustotal.com/file-scan/report.html?id=7e951b746f942c3607872ead9ad1889ebac1471e611e3a9ade482832a08fc60d-1288711379 File name: v11_flash_AV.exe Submission date: 2010-11-02 15:22:59 (UTC) Result: 12/43 (27.9%) ** http://www.virustotal.com/file-scan/report.html?id=040b9b05acbb81a8cf0ff75caa3bfeb51e21188c35a56f57ff0d7d130a8c9054-1288711390 File name: firefox-update.exe Submission date: 2010-11-02 15:23:10 (UTC) Result: 12/43 (27.9%) .	Jack 160 Posts
Quote	Nov 2nd 2010 1 decade ago
Of course, now to compound the confusion for the unwary, the -real- critical Flash update will be forthcoming Nov. 4... - http://www.adobe.com/support/security/advisories/apsa10-05.html Last updated: November 2, 2010 - "... We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux and Solaris by November 4, 2010..." - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654 Last revised: 11/01/2010 CVSS v2 Base Score: 9.3 (HIGH) .	Jack 160 Posts
Quote	Nov 3rd 2010 1 decade ago

We have seen a couple of instances of search result poisoning for election related search terms. Right now, this is not wide spread but of course depends largely on the search terms you use.

One affected domain appears to be "digicube.biz" and malicious results are already blocked on Google. The malicious results use the search term as part of the URL, probably in an attempt to achieve a higher ranking (we have seen this before).

For example for the search term "2010 election results", you may get:

digicube.biz/..../news=2010-election-results (parts removed to protect our readers)

At this point, these links do not show up very high in Google's ranking for these search results. If you find more polluted search terms, please let us know. Websense published a blog post with a few more details and search terms [1].

[1] http://community.websense.com/blogs/securitylabs/archive/2010/11/01/rogue-av-rides-the-US-midterm-elections-wave.aspx

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

Johannes

4472 Posts
ISC Handler

Nov 2nd 2010

More from Websense (SSDD):

- http://community.websense.com/blogs/securitylabs/archive/2010/11/02/who-has-your-vote-as-malicious-adobe-and-firefox-updates-join-the-rougue-av-election.aspx
2 Nov 2010 - "... As of the time of writing and publishing this blog, the coverage for the file download prompts for both IE Flash Update* and Firefox Flash update** was about 27.9%* as confirmed by VirusTotal."
* http://www.virustotal.com/file-scan/report.html?id=7e951b746f942c3607872ead9ad1889ebac1471e611e3a9ade482832a08fc60d-1288711379
File name: v11_flash_AV.exe
Submission date: 2010-11-02 15:22:59 (UTC)
Result: 12/43 (27.9%)

** http://www.virustotal.com/file-scan/report.html?id=040b9b05acbb81a8cf0ff75caa3bfeb51e21188c35a56f57ff0d7d130a8c9054-1288711390
File name: firefox-update.exe
Submission date: 2010-11-02 15:23:10 (UTC)
Result: 12/43 (27.9%)
.

Jack

160 Posts

Of course, now to compound the confusion for the unwary, the -real- critical Flash update will be forthcoming Nov. 4...
- http://www.adobe.com/support/security/advisories/apsa10-05.html
Last updated: November 2, 2010 - "... We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux and Solaris by November 4, 2010..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3654
Last revised: 11/01/2010
CVSS v2 Base Score: 9.3 (HIGH)
.

Jack

160 Posts