News Categories
(34)Malware (39)Malicious emails (11)Web 2.0 (24)Facebook (22)Social Networks (44)Spam (2)Defensio (1)Comment Spam (15)Phishing (9)Web spam (4)Click-jacking (38)Compromise (20)Analysis (38)Exploits (14)Research (3)Presentations (3)Conferences (4)security conference (9)Mass Injection (10)Rogue AV (4)Blackhat SEO (2)Neosploit (23)Targeted attacks (7)Video (14)Zeus (5)Microsoft (4)Monthly Reports (1)twitter (3)Google (18)Vulnerabilities (9)Adobe (12)Java (4)Mobile (4)Apple (1)hacked (1)TAB (1)Black Hat USA 2011 (1)Google+ (20)0-day (1)CVE-2010-2884 (1)CVE-2011-1255 (1)Worm (14)Blackhole exploit kit (1)Incognit Exploit kit (2)Tuesday Patch (6)APT (6)Typosquatting (3)Vulnerability Analysis (1)CVE-2011-3402 (4)Web Research (4)Predictions (3)Adult (5)News (3)Black Hat SEO (6)Data loss (8)Scam (1)QR codes (6)Twitter (1)CVE-2012-0003 (1)CVE-2011-3389 (1)CVE-2012-0004 (1)Phoenix Exploit Kit (1)CrimePack (3)Reverse Engineering (2)Captcha (1)Valentine's day (2)Kelihos (1)SC Magazine Award Winner (1)Wordpress (1)MS12-010 (1)CVE-2012-0002 (1)Infosec (2)CVE-2012-0507 (8)Toolkits (1)Skywiper (2)Flame (1)Flamer (2)Passwords (1)freedom of expression (1)censorship (2)Plugins (3)Malvertising (14)Exploit (1)CVE-2012-1723 (1)CSI (2)ThreatSeeker (2)Adventures in Spam (1)CVE-2012-4681 (1)LBS (2)RAT (1)module Apache/2 (1)Cyber Monday (1)Black Friday (1)Pastebin (4)CVE-2012-4792 (1)iPad (1)super bowl (1)iPhone (2)iOS (4)Spear Phishing (1)Threat Report (3)ThreatScope (1)Dynamic DNS (1)China (1)SSL (1)APT1 (2)DLP (3)Hack (1)CVE-2012-4969 (2)threat lifecycle (1)ThreatSeeker Network (1)ACE (10)exploit kit (1)blackhole (2)Black Hole (1)DNS poisoning (1)RedKit Exploit Kit (4)exploit kits (1)threat stages (1)Certificates (1)Topical (1)Waterhole (1)CVE-2013-2463 (1)Neutrino exploit kit (1)CVE-2013-2473 (1)CVE-2013-3893 (2)Collective Threat Intelligence (1)CVE-2013-3963 (1)Targeted Attack (3)Advanced Malware (1)CVE-2013-3897 (1)Tor (5)cyber-crime (1)Mevade (2)Ransomware (3)Social Engineering (1)CookieBomb (2)LinkedIn (1)CVE-2013-3906 (2)Pony (3)Cryptolocker (2)Upatre (1)application telemetry (1)meta-data (3)dr. watson (1)windows error reporting (1)big data (2)data theft prevention (1)DTP (1)telemetry (2)CVE-2014-0322 (2)MSIE 0-day (1)Deputy Dog (1)Ephemeral Hydra (1)CVE-2013-0074 (1)CVE-2013-3896 (1)Silverlight (2)crash reports (1)POS (1)anomaly detection (1)goon (4)angler (1)ru:8080 (1)magnitude (3)flash (1)CVE-2013-2465 (1)malicious iframes (1)FIESTA (1)Exploits Kit (1)iframe (3)CVE-2014-0160 (2)OpenSSL (3)Heartbleed (3)Citadel (2)CVE-2014-1776 (1)VGX.DLL (1)necrus (1)cutwail (2)gameover (3)vulnerability (3)zbot (1)control panel (1)carberp (1)zberp (1)Caphaw (2)Nuclear exploit kit (1)Shylock (1)Dragonfly (1)Zeus PIF (1)bitly (1)fraud (2)RIG Exploit Kit (1)POS malware (1)Point Of Sale Malware (1)Ukraine (1)Russia (1)Shellshock (1)CVE-2014-6271 (1)poodle (1)cve-2014-3566 (1)sslv3 (1)Ebola (1)CVE-2014-4114 (1)CPA (1)Regin (1)CVE-2015-0311 (1)CVE-2015-0235 (1)linux (1)GHOST (1)CVE-2015-0072 (1)Internet Explorer (1)XSS (1)IE (1)TorrentLocker (1)Product Information (1)Money Laundering (1)APSA10-05 (1)Skype spam
RSS Feed
Bitcoin Miner with Black Hat SEO Poisoning Campaign
Posted by Gianluca Giuliani on 20 December 2011 08:30 AM
Bitcoin is a peer-to-peer currency exchange system that features a predictable currency rate. The generation of Bitcoin currency is controlled by an algorithm created by Japanese researcher Satoshi Nakamoto in 2008. Bitcoin system users are essentially "mining" for Bitcoins using their computers CPU power. Today, because of the intrinsic characteristics of the Bitcoin-generating algorithm, calculating new "coins" in a reasonable amount of time without the use of distributed computing power is very difficult. It's important to remember that Bitcoins are like real money and can be exchanged for real money. During a recent investigation, we encountered a new trend in the landscape of monetization techniques which can be triggered by the Black Hat SEO (BHSEO) poisoning campaign. What happens when BHSEO specialists meet a service offered, for example, by BitcoinPlus which is used for mining Bitcoins? Well, we should never underestimate the cleverness and the imagination of cyber criminals. Specifically, we have encountered the presence of an array of Websites that have been setup for BHSEO purposes and that are used for Bitcoin mining. Basically, this is the goal of BHSEO poisoning: reach a user for malicious purposes when that user is looking for something via a search engine.There are many ways to create a BHSEO campaign (or structure). The one most often used consists of creating and renaming a Website HTML page to be a popular keyword. So a global celebrity gossip news item can be a gold mine for anyone who wants to build a BHSEO campaign. This technique is frequently used to spread malware or some other kind of malicious content. BitcoinPlus offers a service which allows a registered user to mine "coins" using some JavaScript that is added to their Website. This essentially means that the computer's CPU power of any visitor of such Website will be used to generate Bitcoins for the Bitcoin account owner. The code, provided by BitCoinPlus, is shown in the following screen shot, this is the code that is included in the BHSEO Website to generate Bitcoins: Essentially the code requires the support of the minimal jQuery library, the call to the mining JavaScript code, and the registration of the BitcoinPlus user account. The following Java applet shows the miner.js call: A brief analysis of this JAR file shows the code that calculates the amount of time necessary for any Web client visit to mine Bitcoins, as shown in the following code snippet: Up to this point, nothing illegal has happened. But what would happen if this script is used for malicious intent? During our analysis using the Websense ThreatSeeker ™ Network, we detected several Websites setup with the JavaScript snippet shown above. The screenshot below shows some of the Websites that are part of the BHSEO campaign, explained earlier in this blog: The keywords relate to a variety of topics: adult content, electronic devices, hacking, software, and so...(read more)
Read more »


I wonder how much longer rogue AV will ride the wave of major news?  Having recently blogged about Rogue AV riding the US Midterm Elections wave, we spotted further activity on what appeared to be blank pages from the Black Hat SEO we noticed yesterday.  Websense customers are continually being protected against this attack through our Advanced Classification Engine.


In line with what we noticed previously, these blank pages were being prepared for what we can only assume is a major assault today, being election day itself.  This particular attack is browser-aware, as the threats are specific to the browser being used.   



Using the same source as yesterday's Black Hat SEO campaign, the links within the page are now fully primed to become active and ready to serve the malicious content.  The main differences from what we noticed in the previous attack are that no URL is provided in the "script : if (navigator:userAgent.indexOf("MSIE")<0)var url= "http:" part, and in addition the parking page is now active. However, when the link is clicked, the user is still not redirected to the intended malicious site.


Let's start off with the first of the malicious candidates in the rogue AV election Adobe Flash update.  This is specific to Internet Explorer 8, and when the link is activated, the unsuspecting user gets a prompt to install fake Macromedia Flash Components, claiming this is required to view the web site.



The second malicious component, which masquerades as a Firefox update message, is - as can be guessed - specific to Firefox browser users.



As shown above, the user again gets prompted to update Flash player, but this time specific to Firefox.


With all other browsers, we notice it just redirects to the same site for the rogue AV download page we noticed yesterday.


As of the time of writing and publishing this blog, the coverage for the file download prompts for both IE Flash Update and Firefox Flash update was about 27.9% as confirmed by VirusTotal.



Read more »