Web 2.0 Phishing Leading to Multi-vector Attacks - Part 2
02.05.2009 - 4:40 PM

From a fraudster's perspective, creating Blogger phishing splogs and splogospheres using services supplied by legitimate Web-hosting providers is an initial success. Such pages can be difficult and time-consuming to track down and remove, because they are not hosted or provided by Google's services. The splogs can be hosted on, and associated with, multiple Web-hosting services through complex link farms.
These tactics help such splogs and splogospheres to survive online for longer periods of time, and to carry out a wide range of attacks.
Further Abuse - Spamdexing and Spamming
With a constant goal of reaching prospective and paying customers, fraudsters have adopted various tactics to increase their chances of success.
One tactic is to use Search Engine Optimization (SEO) poisoning techniques, with a focus on manipulating the relevancy or prominence of resources indexed by search engines, usually in a manner inconsistent with the purpose of the indexing system: spamdexing. Fraudsters also constantly update their content on splogs in the splogospheres while using spamdexing techniques to artificially increase their site ranking on different search engines.
This screenshot shows some of the spamdexing techniques used by fraudsters, including meta-tag and keyword stuffing, hidden text, link spamming, and complex link farming (explained in Part 1).
Here, fraudsters are using a combination of hidden text and hidden links with the same background color as the Web site, trying to boost their site ranking. This also targets unsuspecting users, who might accidentally click the hidden links.
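As an added illustration of the hidden-text and hidden-link trick described above (this is example code written for this page, not code from the original post or from Websense), the following checker parses a constructed splog page and flags anchors that are invisible either because their text colour matches the page background or because they sit inside a CSS-hidden container. The sample HTML, the `example.invalid` hosts and the function names are assumptions for the demonstration; real pages also hide content via external stylesheets, which this inline-only check does not cover.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not taken from the original post): one link is hidden
# by colour-matching the background, one by display:none, and one is legitimate.
SAMPLE_HTML = """<html><body bgcolor="#ffffff">
<p>Welcome to our discount pharmacy blog.<br>Read on.</p>
<a href="http://example.invalid/buy" style="color:#ffffff">cheap pills</a>
<div style="display:none"><a href="http://example.invalid/loan">fast loan</a></div>
<a href="http://example.invalid/about" style="color:#000000">About us</a>
</body></html>"""

# Inline-style patterns that make an element invisible to a human reader.
HIDING_RULES = (r"display\s*:\s*none", r"visibility\s*:\s*hidden", r"font-size\s*:\s*0(?![.\d])")
VOID_TAGS = {"br", "img", "meta", "input", "hr", "link"}   # no closing tag

def _style_color(style):
    """Return the text colour from an inline style, ignoring background-color."""
    m = re.search(r"(?<![a-z-])color\s*:\s*(#[0-9a-f]{3,6}|[a-z]+)", style, re.I)
    return m.group(1).lower() if m else None

class HiddenLinkFinder(HTMLParser):
    """Collects (href, reason) for anchors a reader cannot see."""
    def __init__(self):
        super().__init__()
        self.background = None      # page background colour, if declared inline
        self.hidden_depth = 0       # >0 while inside a CSS-hidden container
        self.findings = []
        self._stack = []            # per open element: did it hide its subtree?

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").lower()
        if tag == "body" and a.get("bgcolor"):
            self.background = a["bgcolor"].lower()
        hides = any(re.search(r, style) for r in HIDING_RULES)
        if tag not in VOID_TAGS:
            self._stack.append(hides)
            self.hidden_depth += hides
        if tag == "a":
            href = a.get("href", "")
            if self.hidden_depth:
                self.findings.append((href, "css-hidden"))
            elif self.background and _style_color(style) == self.background:
                self.findings.append((href, "colour-matches-background"))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack and self._stack.pop():
            self.hidden_depth -= 1

def find_hidden_links(html):
    """Parse a page and return the list of hidden anchors with the reason."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    return parser.findings
```

Running `find_hidden_links(SAMPLE_HTML)` reports the two concealed links and leaves the visible "About us" anchor alone.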
In order to achieve further success, fraudsters advertise their links through email spam, as well as by spamming blogs, user forums, and other types of sites that allow user-generated content.
Here are a few instances of comment spam used as a lure, caught by our Websense HoneyJax.
Once a blog or forum owner, a site's visitors, or other users fall prey to such content, they are victimized further. They often receive fake alerts or pop-ups, which fraudsters use to carry out various visual social engineering attacks in an attempt to steal user information, especially financial information. The resulting database of harvested financial information is then used by fraudsters to perform illegal operations.
Here is the entire process summarized:
Blogging is a significant Web 2.0 functionality. Blogs have become the place where most Web users spend the majority of their Internet time. Web 2.0 sites open up a huge attack vector for fraudsters to exploit transitive trust, and this vector is increasingly being used to carry out a wide range of attacks.
Websense Security Labs has already noticed that the percentage of Web spam that is truly nefarious is higher than for email spam. Our analysis today shows that between 5% and 8% of Web spam links to malicious code, phishing, and fraud, and that more than 95% of ALL comment content posted to blogs is unwanted.
Security Researcher: Sumeet Prasad