msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Working With the Darkleech Bitly Data

10 Feb 14   Filed in General with 0 Comments

Data Driven Security took the time to analyze the raw data that I published in my recent post on Sucuri blog about how I used Bitly data to understand the scale of the Darkleech infection.

In their article, they have a few questions about data formats, meaning of certain fields and some inconsistencies, so I’ll try to answer their questions here and explain how I worked with the data.
Continue »»

Analyzing [Buy Cialis] Search Results

21 Aug 13   Filed in General with 2 Comments

A few days ago I was updating the spammy word highlighting functionality in Unmask Parasites results and needed to test the changes on real websites. To find hacked websites with spammy content I would normally google for [viagra] or [cialis], which are arguably the most targeted keywords used in black hat SEO hacks. However after the Google’s June update in how they rank web pages for spammy queries, I didn’t have much expectation of seeing hacked sites on the first page of search results for my usual [buy cialis] query and was ready to check a few more pages.
Continue »»

Millions of Website Passwords Stored in Plain Text in Plesk Panel

26 Jun 12   Filed in General, Hosting+Security with 16 Comments

After the theft of LinkedIn user database, there was a lot of buzz about how unthoughtful it was to store passwords as unsalted SHA-1 hashes.

What can be even worse is storing user passwords in plain text.

Brian Kreb was recently shocked when his hosting provider sent him his password in plain text. He wrote a post about it and made a conclusion that it is quite a common practice among hosting providers and that “naming and shaming may be the only way to change” it.

But why do hosting providers save passwords in plain text? Maybe because most of them don’t invent anything and just rely on web hosting automation programs?
Continue »»

Tattoo Ideas For … Spammers

21 Jul 11   Filed in General with 1 Comment

Do you know how many people use Google Images to see a new tattoo of some celebrity or to search for tattoo ideas? What about using image search for hairstyle lookups? Or to find new wallpapers for your computer desktop? I’d say millions do it. That’s why these niches are particularly interesting for “black hats”.
Continue »»

Google Image Poisoning. Mitigation and the New Wave.

23 Jun 11   Filed in General, Short Attack Reviews with 1 Comment

In May, I wrote a big article about my investigation of a massive Google Image poisoning attack. A quick recap: cybercriminals created millions of doorway pages on dozens of thousands compromised websites. Those pages exploited a flaw in Google Image search algorithm that made it possible for pages with hot-linked images to hijack search results of websites where the images actually belonged to. The attack scheme was very efficient and hundreds of thousand (if not millions) people clicked on poisoned image search results every day.

Not only did I publish results of my investigation on my blog but also shared a great deal of gathered information (lists of compromised sites, algorithms, etc.) with Google and antivirus vendors. I hope this made some difference as I started observe changes literally the next day after the article publication.

In this 2-part series of posts, I will talk about what’s changed since then. Specifically about how Google addressed this problem (part I) and how cybercriminals changed the attack scheme (part II).
Continue »»

Readable SafeBrowsing Add-on for Firefox 4+

28 Apr 11   Filed in General, Tips and Tricks with 1 Comment

I actively work with Google’s Safe Browsing diagnostic pages. They are a great source of information if you know how to interpret them. I usually read several dozen such diagnostic pages a day. Unfortunately, the readability of the diagnostic pages is quite poor.

To make my life easier, I created a simple script that highlighted important information so that I could see everything I needed at a glance. I had been using that script for more than a year before the recent Firefox 4 upgrade broke it (the technology I used is deprecated now). This was a serious loss for me. Every time I opened Safe Browsing diagnostic pages (several dozen times a day) I missed my script. Even though I knew the page layout very well, it took significantly more efforts to extract the same amount of information. The difference was almost the same as you might feel when you have to use a touchpad instead of a normal mouse.
Continue »»

Analysis of Gumblar Zombie URLs

29 Jun 10   Filed in General, Website exploits with 3 Comments

As you might know, I maintain and regularly update a list of Gumblar zombie URLs. The main reason why I do it is to help webmasters of compromised sites find relevant information about the source of their problems and the steps required to clean up and secure their sites. I see this pattern quite often, when webmasters find a suspicious script in their web pages and use it in Google searches to find more information about it. On the other hand, this list can also help reveal the security breach of sites that hackers use to host Gumblar zombie scripts.

This week the list has reached the level of 1,000+ URLs. Although it’s just a small part of all Gumblar zombie scripts, this list makes a good base for a quick analysis of Gumblar zombie URLs.
Continue »»

At Google’s Office in Moscow

19 Jun 10   Filed in General with Comments Off

At Google's Office in Moscow

My visit to Google, Moscow last week ;)

Introduction to Website Parasites

14 Apr 10   Filed in General, Unmask Parasites with 6 Comments

Wikipedia defines Parasitism as a “type of symbiotic relationship between organisms of different species in which one, the parasite, benefits from a prolonged, close association with the other, the host, which is harmed.”

This definition perfectly describes relationships between hackers and legitimate websites. As it often happens in real life, the host (legitimate website and its owner) may be completely unaware of parasites until the harmful effect becomes obvious (e.g. drops in traffic, lost search engine rankings, site gets blacklisted, etc. ). And it doesn’t matter how big or small your site is and how malicious the hack is – this is the sort of relationships where parasites (hackers) always win and legitimate websites always lose.

As a webmaster, you can be more effective at detecting and mitigating parasitic activities if you know how hackers can benefit from your site .
Continue »»

Evict Hackers

30 Dec 09   Filed in General with 1 Comment

Last week, I wrote about the latest mutation of the website hack that has been active (mostly in form of iframe injection) throughout this year. I mentioned that for some reason all malicious domain names had been mapped to IP addresses on LeaseWeb and OVH networks. Moreover, LeaseWeb hosted a central site mdvhost .com (hidden behind reverse-proxies) for at least 3 months.
LeaseWeb reaction »»