Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Hackers Abuse Servage Hosting to Poison Google Image Search

   28 Apr 10   Filed in Website exploits

Two weeks ago I blogged about serious security problems in Network Solutions' shared hosting service. This time I'll turn to another big shared hosting provider – Servage.

It's not the first time I've written about Servage. This is actually the 4th article in the series about rogue blogs on the Servage network. It all started in November, when I wrote about malicious blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail), redirecting visitors to scareware websites. In the second article, I showed the history of those rogue blogs (the first generation has dates from April 2009) and that most of them (90%+) were found on the Servage network. In the third article, I wrote about the internals of those rogue blogs and their malicious features.

A few days ago I found a new generation of rogue blogs on the Servage network.

Here are the details.

I was going over suspicious URLs detected by Unmask Parasites and found one page that looked fishy. Its report page looked like this:

(Screenshot: Unmask Parasites report page showing hippocounter and adinfoblock)

When I opened it in a web browser (on Linux with NoScript, to minimize risks), it resembled the rogue blogs I had found on the Servage network some time ago: a blog with multiple posts consisting only of a few images hotlinked from other sites, with no meaningful content. All its pages redirected visitors to a fake anti-virus site. And the blog definitely didn't belong to the site at the root of the domain.

(Screenshot: the rogue blog)

At the same time it was clear that this new site was different:

  • Different URL structure
  • Images interspersed with textual keywords
  • No categories
  • Different malicious script

Anyway, I decided to check the site's IP address: it belonged to the Servage network! Was it a coincidence? To find out, I tried to locate other similar blogs.

Google searches

The URL structure of the blog was quite unique (e.g. example.com/someword1234/?x=y:10&paged=4) so I tried to use the allinurl: Google search operator.

The allinurl:x=y:10 paged query returned 16,000,000 results! All of them (at least the first 1,000 that Google lets you see) led to rogue blogs similar to the one I had just found.

Having analyzed the URL structure of different blogs, I came up with many more search queries. E.g.:

Note that the number of search results reported by Google may vary significantly depending on Google's internal factors (e.g. which data centers served the query).

Analysis of IP addresses

Since the search results for different queries don't completely overlap, I managed to compile a list of 1130 unique domain names of rogue blogs – enough to start analyzing their IP addresses.

638 unique IPs

936 unique domains evenly distributed in the range 77.232.66.0–77.232.92.255 (Servage.net)

162 unique domains evenly distributed in the range 92.61.146.0–92.61.153.255 (Servage.net)

The remaining 32 domains either don't resolve (7) or are parked, pointing to the servers of parking services. No wonder: over the several months of this attack some domains could have expired and some sites ceased to exist. A few more sites no longer host the rogue blogs (probably moved away from Servage when they detected the hack), and only 3 sites (less than 0.3%) on other networks contained the rogue blogs.

97% of the rogue blogs are hosted by Servage in subdirectories of legitimate websites.

How many rogue blogs are there?

Of course, those 1130 hacked sites are only a subset of all hacked sites with the new type of malicious blog. Let's estimate the total number.

The allinurl:x=y:10 m:03 paged search returns 2,600,000 results. This gives an idea of the number of indexed archive pages for posts published in March 2010. Most of the blogs have fewer than 40 such pages, a few have more than 100, and the largest number of archive pages of March posts I saw was 144.

So let's be generous and assume that Google has indexed 150 pages on each blog whose URLs contain the string ?x=y:10;m:03&paged=<num>

2,600,000/150 = 17,333

More than 17,000 legitimate sites of Servage clients contain subdirectories where criminals have created rogue blogs that poison millions of search results and redirect unsuspecting web searchers to scareware sites pushing Fake AV software. And if we take the more realistic number of 50 indexed archive pages per site in March, this gives us 50,000+ unique blogs. (Some sites host two rogue blogs in different subdirectories, but that still leaves us with 25,000+ compromised legitimate sites!)

Another estimate is based on the numbers in the names of the subdirectories. If they are unique across all the blogs, this gives about 10,000 unique rogue blogs (the largest number I saw was 10345). Google could have indexed duplicates of archive pages under alternative URLs, so this number looks credible.

Note that these numbers don't include previous generations of rogue blogs that are still there.

How many indexed malicious pages are there?

Now let’s estimate the number of the malicious landing pages indexed by Google.

Let's take the numbers of indexed archive pages for each month of this attack (November 2009 through April 2010):

April: 4,240,000
March: 2,600,000
February: 1,010,000
January: 1,270,000
December: 119,000
November: 32,800
Total: 9,271,800

Each archive page contains 4-5 individual posts. This means there should be at least 36 million individual pages, or 45+ million pages including the archive pages. This is an optimistic (low) estimate.

But if we take the allinurl:x=y:10 paged search, which returns only archive pages indexed in 2010, we get 16,000,000 results, which gives us 80 million malicious pages in just the first four months of this year.

The loooong tail

Each page is optimized for several different search keywords (the main keywords and a dozen keyword variations). This means that search results for more than 100 million search queries are poisoned by this particular attack. Of course, most of those keywords are relatively unpopular. Some may attract just a few searches a day, some only one search a month, and some may never be used at all, but taking into account the volume of Google searches and the quantity of poisoned search results, I can roughly estimate that every month more than a million searches return results containing links to those rogue blogs.

Exposure of poisoned search results

What are the chances that searchers will actually see or click on the poisoned search results? After all, the malicious blogs have to compete with legitimate resources for the same keywords. And if a poisoned link is displayed on the 10th or even the 3rd page of search results, hardly anyone will see it.

Well, with regular web search the situation is more or less normal. Only about 5% of the tested keywords produce one or two poisoned links on the first two pages (top 20) of Google search results, usually on the second page. However, some specific queries (like this one: "woman with a broken neck and leg braces", beware!) return a first page of search results that consists exclusively of links to the rogue blogs described in this article.

Image Search

However, these blogs contain a lot of images for a reason: they primarily target image searches. I should also mention that about half of the keywords are of an adult nature, so most pages contain very explicit images, and Google Image Search excludes those blogs from searches with strict and moderate (the default) filtering. Only a very small percentage of rogue blogs with relatively moderate content make it into default image search results.

But once you turn off SafeSearch (after all, the content of the blogs suggests they are after porn searchers, who disable SafeSearch filtering), you get poisoned search results on the first page for almost every keyword found on the malicious landing pages. Moreover, for many searches more than 50% of the results on the first page point to rogue blog pages.

(Screenshot: Google Image Search results with SafeSearch off)

With filtering turned off, you don't have to search for adult content to be exposed to poisoned search results. Even completely innocent searches like "Barry Manilow" or "Trade Show British Columbia" will get you a few (if not all) malicious links on the first pages of Google Image Search results. As you can see, it's not only porn sites that can be dangerous: even switching Google search preferences to "porn-friendly" mode may be dangerous.

Safe Browsing Warnings

In Google's defense, I can say that many of the rogue blogs have already been blacklisted, and Google displays the "This site may harm your computer" warning next to their web search results. However, this warning doesn't appear in Image Search (although people who click on blacklisted results see the warning page anyway), and only about 30% of the malicious blogs are currently flagged. This means that web surfers won't see any warnings when they click on the remaining 70% (tens of millions) of the poisoned search results. I hope this article will help improve this ratio.

Blogger

Not only did the hackers create rogue blogs in subdirectories of legitimate websites on the Servage network, they also experimented with similar Blogger blogs. They created many blogs with URLs like candace8711.blogspot.com and robyn2123.blogspot.com, 20 blogs under a single Blogger account.

For the Blogger blogs, the hackers used a dedicated domain name in the scripts that redirected to Fake AV sites: blogpics3 .in

But it looks like Blogger blogs didn't work as well as blogs on established legitimate sites, and they seem to have been abandoned at the beginning of April. Since then, the Blogger team has closed many of these malicious blogs (for example, the blogs I mentioned above were online just a few days ago; now they are gone).

CelebsFineCtPics

Another alternative location for the rogue blogs is the celebsfinectpics .com site. It has many subdomains, like kara10181 .celebsfinectpics .com or dann3841 .celebsfinectpics .com. They are the same rogue blogs redirecting users to scareware sites. The only difference is that they are hosted on the hackers' own server.

The domain name used in the malicious scripts on the celebsfinectpics .com blogs is celebsfinectpics .in.

The celebsfinectpics .com domain resolves to 94 .228 .209 .133. This is one of the IPs that the malicious scripts on the rogue blogs point to.

Apparently, those subdomains didn't work well for the criminals either. I don't see any new posts after April 22.

Summary

Servage

The Servage hosting provider has serious security problems that allow hackers to create thousands of rogue blogs in subdirectories of legitimate websites belonging to Servage clients. This has been happening since at least April 2009. Servage was notified about it a few months ago, but their support never acknowledged the problem and blamed it on users, which is hard to believe when the attack is limited to Servage servers and affects thousands of websites. Moreover, Servage hasn't done anything to stop the attack and evict the hackers from their servers.

Black-hats vs Google

Black-hat SEO operators have figured out an effective way to spam Google Image Search, and their spammy and malicious links now dominate the first pages of results for millions of queries. Google should definitely tweak its ranking algorithms for Image Search or improve its anti-spam efforts.

Google could start by delisting the subdirectories with rogue blogs on the legitimate websites described here. They are quite simple to identify:

  • URL path of the form <site_domain.tld>/word\d{4,5}/ (a word followed by four or five digits)
  • hosted in the AS29671 (SERVAGE) network
  • loading external scripts from hippocounter .info or hippocounter .com

Or use the searches that I mentioned above – they are quite accurate.
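The three identification criteria above, together with the per-range IP breakdown from the "Analysis of IP addresses" section, are easy to turn into a small triage script. The following is an added example, not code from this post or from Servage or Google: it checks the /word\d{4,5}/ path pattern and the x=y:10[;m:MM]&paged=N archive query, tests whether a hosting IP falls inside the two Servage ranges quoted earlier, looks for an external hippocounter .info/.com script tag in page source, and counts a domain-to-IP table per range the way the analysis above does. All sample URLs, IPs, page snippets and the hippocounter script path are constructed for the example and are not observations from the post.

```python
"""Triage helpers for the rogue-blog signals described in this post.

Added example (not code from the post, Servage or Google). Implements the
three identification criteria above and the per-range IP breakdown.
Sample URLs, IPs and HTML below are constructed; the script path on
hippocounter is a placeholder.
"""
import ipaddress
import re
from urllib.parse import urlsplit


def _cidrs(first, last):
    """Expand an inclusive dotted-quad range into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


# The two Servage (AS29671) ranges quoted in the IP-address analysis.
SERVAGE_RANGES = {
    "77.232.66.0-77.232.92.255": _cidrs("77.232.66.0", "77.232.92.255"),
    "92.61.146.0-92.61.153.255": _cidrs("92.61.146.0", "92.61.153.255"),
}

# First path segment is a word followed by four or five digits.
ROGUE_PATH_RE = re.compile(r"^/[A-Za-z]+\d{4,5}/")
# Archive pages carry x=y:10 (optionally ;m:MM) together with paged=N.
ARCHIVE_X_RE = re.compile(r"^y:10(;m:\d{2})?$")
# External <script src> pointing at hippocounter.info or hippocounter.com.
HIPPO_SCRIPT_RE = re.compile(
    r"<script[^>]*\ssrc=[\"']https?://(?:[\w-]+\.)*hippocounter\.(?:info|com)[/\"']",
    re.I)


def rogue_path(url):
    """True when the URL lives in a /word1234/ or /word12345/ subdirectory."""
    return bool(ROGUE_PATH_RE.match(urlsplit(url).path))


def archive_page(url):
    """True when the query has the x=y:10[;m:MM]&paged=N archive form.

    Split on '&' by hand: the x value itself contains ';', which older
    urllib.parse.parse_qs versions treat as a second separator.
    """
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = value
    return bool(ARCHIVE_X_RE.match(params.get("x", ""))) and "paged" in params


def servage_range(ip):
    """Return the label of the Servage range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for label, nets in SERVAGE_RANGES.items():
        if any(addr in net for net in nets):
            return label
    return None


def loads_hippocounter(html):
    """True when the page source pulls a script from hippocounter.info/.com."""
    return bool(HIPPO_SCRIPT_RE.search(html))


def triage(url, ip, html):
    """Evaluate every signal; flag only when all three criteria hold."""
    signals = {
        "rogue_path": rogue_path(url),
        "archive_query": archive_page(url),
        "servage_ip": servage_range(ip) is not None,
        "hippocounter": loads_hippocounter(html),
    }
    signals["flagged"] = (signals["rogue_path"] and signals["servage_ip"]
                          and signals["hippocounter"])
    return signals


def bin_by_range(domain_ips):
    """Count domains per Servage range, plus 'other' and 'unresolved' (None)."""
    counts = {label: 0 for label in SERVAGE_RANGES}
    counts.update(other=0, unresolved=0)
    for ip in domain_ips.values():
        if ip is None:
            counts["unresolved"] += 1
        else:
            counts[servage_range(ip) or "other"] += 1
    return counts


# Constructed sample data, not observations from the post.
SAMPLE_PAGES = [
    ("http://victim-a.example/candace8711/?x=y:10;m:03&paged=4", "77.232.70.15",
     '<script type="text/javascript" src="http://hippocounter.info/c.js"></script>'),
    ("http://victim-b.example/about/", "92.61.150.2",
     "<html><body><p>Ordinary page on the same host.</p></body></html>"),
    ("http://elsewhere.example/kara10181/?x=y:10&paged=1", "203.0.113.7",
     '<script src="http://www.hippocounter.com/c.js"></script>'),
]
SAMPLE_RESOLUTION = {
    "rogue-a.example": "77.232.70.15",
    "rogue-b.example": "77.232.92.255",
    "rogue-c.example": "92.61.150.2",
    "parked.example": "203.0.113.7",
    "expired.example": None,
}

if __name__ == "__main__":
    for url, ip, html in SAMPLE_PAGES:
        print(url, triage(url, ip, html))
    print(bin_by_range(SAMPLE_RESOLUTION))
```

In the sample, only the first page trips all three criteria; the second is an ordinary page on a Servage IP, and the third has the rogue URL shape and the hippocounter script but sits outside the Servage ranges, which matches the post's observation that a handful of these blogs live on other networks. The archive-query check is kept as a separate, corroborating signal rather than folded into the flag, since the post's delisting criteria do not include it.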

(Consider this article as a bulk spam and malware report – I’m not going to report every URL individually)

SafeSearch

Turning off SafeSearch in Google search (especially in Image Search) is a dangerous practice. It significantly increases the risk of clicking on poisoned search results that lead to attack sites, even when you search for something completely innocent.

Have your say

What do you think about hosting providers that allow such massive hacks and don't address them for a long time? Have you ever stumbled across search result pages where most of the links point to malicious or outright spammy pages?

Your comments are welcome. It would be especially interesting to hear from Servage and Google.

To be continued…

In the next post I’ll post more details about those rogue blogs.


Reader's Comments (5)

  1.

    [...] Hackers Abuse Servage Hosting to Poison Google Image Search, Unmask Parasites Blog [...]

  2.

    Some excellent research you made here. I was getting huge numbers of these image SERP hijacker referrers on some domains and had posted a thread on the Google forums about it. I've linked to your blog post on that thread here:

    http://www.google.com/support/forum/p/Webmasters/thread?tid=73c80f91408fb327&hl=en&fid=73c80f91408fb3270004837f07c4401e

    Hopefully, your research will get drawn to Google's team a little faster than it might, if not already. The scraper pages I've seen all take the format you describe: just images scraped and hotlinked from the first pages of Google Image Search for any search term, and just a few words of text. The thumbnail displayed in Google Image Search remains linked to the original host domain that is being hotlinked, but the scraper domain manages to usurp itself underneath … and the surfer goes to their crappy spam page if the thumbnail is clicked.

    The URL structure is often like you say:
    example.com/usuallyapersonname1234/

    Often four digits follow, and they can be any numbers, not just 1234. They're also using a lot of subdomains. But the same techniques are being used on regular-looking URL-structured domains too. The TLD is rarely .com, however. They seem to prefer the more weird and wacky ones … .info is a particular favourite, but all manner of other European and world ones are in use.

    Hope Google does something to prevent the image hijacking holes in the image search algo, and my server logs get a little clearer of this incessant scraper junk.

  3.

    hi,

    thank you for your excellent research, man these people have stolen all my traffic and essentially destroyed my business.

    I think there is a variation of this trick, it is run by picsdigger.com and other sites.

    http://www.google.com/support/forum/p/Webmasters/thread?tid=3929aaab2bc3254e&hl=en&start=240

    Google seems very slow to act.

  4.

    We have had hacked site problems on Servage for months and months now, forever; the generic response is "change your passwords". These guys are complete morons and we are taking our sites elsewhere as soon as we find something suitable.

    Servage is a complete joke!

  5.

    My Google Image artwork has been replaced with URL-, script-redirected images which end up on a virused .co.cc domain.
    The domain name changes 20-30 times a day due to malware reporting!

    WARNING: Any images popped up containing the domain nspl.co.in are virused.

    Emailed the gogax host, Google security, the .co.cc domain controller and even contacted the police! No replies to any emails except automated ones. What the hell is going on?
    This hacker is not only ruining my online reputation but everyone else's involved, including Google's, and no one is prepared to lift a finger.