Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
Loading site search ...

Tweet Week: March 14-20, 2011

21 Mar 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Best practices for hosting providers, security statistics, basicpills in WordPress, Rustock, phishing …

Major Disasters in Poisoned Search Results

14 Mar 11   Filed in Website exploits with 4 Comments

Only a few hours after the Friday’s 8.9 earthquake and the consequent tsunami hit Japan, security researchers noticed many poisoned Google search results for this news related searches that redirected web surfers to fake antivirus sites.

This situation nothing new. We’ve seen similarly poisoned search results for Haitian earthquake a year ago, for the recent New Zealand’s earthquake, for last year’s floods in Pakistan, etc.

Many people use search engines to find details about breaking news such as natural disasters, catastrophes, accidents, etc. Such hardly predictable events, have literally zero relevant results before they happen, so during the first few hours after the event almost any site with relevant information have good chances to rank high on Google. This short window when competition is quite light is all cyber-criminal need to have a steady traffic to their breaking new related doorway pages. Then, when every news site and blog add their 2 cents and there are plenty resources about those hot topics, only most reputable and most relevant web pages make it to the top of search results.

I decided to check the poisoned search results and here’s what I found:
Continue »»

Tweet Week: March 7-13, 2011

14 Mar 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

phishing, botnets, poisoned search results … »»

Two Tweet Weeks: January 3 – January 16, 2011

18 Jan 11   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Black-hat SEO campaigns, PDF dangers, etc.. »»

Hackers Turn Legitimate Websites into Underground Software Stores

10 Dec 10   Filed in Website exploits with 2 Comments

This is the time of the year when online sellers do their best to attract herds of holiday shoppers. Software pirates are no different. They offer huge discounts (up to 95%) for popular and expensive software products and provide user-friendly online stores. They even made their sites one step closer to you!
Continue »»

Doorways on Non-default Ports — New Trend in Black Hat SEO?

03 Dec 10   Filed in Website exploits with 12 Comments

A year ago I blogged about how hackers managed to hijack hundreds of high-profile websites to make them promote online stores that sold pirated software at about 5-10% of a real cost. They used quite a standard scheme that involved cloaking (making spammy links visible only to search engine crawlers) and conditional redirects (visitors from search engines who clicked on specifically-crafted links on compromised sites got redirected to online stores of software pirates)

Despite of all my warnings, most of those site are still hacked and help sell pirated software and steal credit card numbers. This negligence of site/server administrators encouraged cyber criminals to step even further in abusing reputation and resources of compromised servers. This post will be about one of such steps.
Continue »»

Keygenguru .com Hack in Search Results

04 Aug 10   Filed in Website exploits with 1 Comment

Last year I wrote about two elaborate server-wide hacks that hijacked web server (Apache) processes and intermittently served malicious content instead of requested legitimate web pages.

A year later, every now and then I still see servers affected by this sort of hack. I easily recognize recent modification of this attack when I see links to keygenguru .com in Unmask Parasites reports. Those modifications are slightly different from what I described in my goscanpark article. This time not only do the malicious processes serve JavaScript redirect code but also provide some HTML with links to pirated software and movies. This HTML code gets indexed by search engines which helps hackers promote their illegal resources.

Side effect

A side effect of this “black-hat SEO modification” is when people search for domain names of affected sites, they see something like this in search results:
Continue »»

Tweet Week: April 26 – May 2, 2010

02 May 10   Filed in Tweet Week with Comments Off

Selected short messages and links you might have missed if you don’t follow me on Twitter.

Reviews of security tools, web spam and poisoned Image search results »»

Hackers Abuse Servage Hosting to Poison Google Image Search

28 Apr 10   Filed in Website exploits with 5 Comments

Two weeks ago I blogged about serious security problems of Network Solutions‘ shared hosting service. This time I’ll turn to another big shared hosting provider – Servage.

It’s not the first time I write about Servage. Actually this will be the 4th article in the series about rogue blogs on Servage network. It all started in November when I wrote about malicious blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail) redirecting visitors to scareware websites. In the second article, I showed the history of those rogue blogs (the first generation have dates in April of 2009) and how most of them (90%+) were found on Servage network. In the third article, I wrote about the internals of those rogue blogs and their malicious features.

A few days ago I found a new generation of rogue blogs on Servage network.
Here are the details …

Spammy Links From Remote Servers

07 Apr 10   Filed in Website exploits with 2 Comments

Hidden spammy links injected into web pages on legitimate websites is quite a widespread type of hacker attacks. These parasites try to suck all the “PageRank juice” out of any website they manage to break into and put their shady web pages high in search results.

There are many ways hackers can inject links. They can insert them as plain HTML (will work on most sites) or as an encrypted PHP code (the files should be processed as PHP). Hackers can even use SQL injection on database-driven sites that don’t properly sanitize user input.

Decoupling code from data

Sometimes hackers decouple code from data and inject only some PHP instructions that load spammy links from a standalone file. This makes the construction more flexible since they can simply change the content of that single file whenever they decide to promote a new set of links – no need to update every infected file on a site.

In this post, I’ll show a even more clever way of decoupling code from data.
Continue »»