Okay, time to get a little geeky. ;) Nothing personal here...
Search engines are one of the most used, and most exploited, facilities on the internet, and you have to be careful there not to lose your valuable data. During the first half of 2008, Microsoft removed almost 9 million copies of Win32/Zlob from infected computers - more than twice as many as any other threat. In their Security Intelligence Report 5 they described Zlob infections like this: "Once installed on the target computer, Zlob bombards the user with pop-up advertisements and fake 'spyware warnings' that are actually advertisements for rogue security software". An especially prevalent way to get Zlob in those days was to be prompted to install a missing codec or video player when visiting a site advertised by a spam message. That is the most popular type we still face today. And do you know who the major carrier is? :) Yes, of course: Google. Of course you cannot blame Google for this. Maybe you can appreciate the guy behind this technique :D.
On November 19th, Microsoft announced that their Malicious Software Removal Tool could now remove the newest batch of fake antivirus products, and that in the first 9 days of the new release they had removed 994,000 of these fake products, which they refer to collectively as Win32/FakeSecSen.
Wait, HAD BEEN? Yes. To point out: of those 944,061 machines which were detected as infected, only 198,812 had an ACTIVE infection including the "exe". The other 700,000 or so had actually already had the infection declawed, either manually or by another anti-virus program, but residual files indicating the former infection were still present. In other words, the MILLION MACHINES CLEANED was really TWO HUNDRED THOUSAND MACHINES DISINFECTED, and EIGHT HUNDRED THOUSAND CLEANED UP A LITTLE BIT MORE THAN THEY ALREADY HAD BEEN. These details are from the records, and they cover only what was identified. Guess the count of those who really don't know that they have just been infected. :|
Here we go with an old example. You might have seen this and wondered why someone would create a website with such a weird name. In the current example the hacker is using the site "00119922.com", which they had just registered on December 19th 2009. More than a million Google hits show that they have injected redirectors all around the Internet pointing to this site.
CAUTION: THIS PORTION IS FOR PROFESSIONAL SECURITY FOLKS ONLY. IF YOU FOLLOW THESE LINKS YOU "WILL BE F****ED UP" YOURSELF! USE CAUTION!
Sites like Microsoft.com, IRS.gov, countless media outlets, magazines, universities, and other websites can be found in the search engines in this way. The hackers get these entries into Google by littering tens of thousands of blog comments, guestbook entries, and imaginary blog stories all around the Internet. So, to choose one of the non-pornography related search terms, a hacker has written a program to comment on people's blog entries with a link to:
http://www.microsoft.com/ie/ie40/download/?//00119922.com/in.php?&n=837&t=download+fruityloops+6+free
Now, if someone searches for the phrase "download fruityloops 6 free" (fruityloops is apparently music mixing software), Microsoft's popularity pushes that redirector link to the number one position on Google.
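As an added illustration (not code from the original post), here is a small Python scanner a defender could run over links harvested from blog comments to flag the ones where another host is smuggled into a big site's path or query, the way 00119922.com rides on the microsoft.com link above, together with the allow-list check the redirecting endpoint should have done. The regex heuristic, the example.org links and the function names are assumptions.

```python
"""Spot open-redirector abuse in harvested links and allow-list redirect targets."""
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# A host that appears *inside* another site's path or query, as in the
# "?//00119922.com/in.php" tail on the microsoft.com link above. The regex is a
# constructed heuristic: a scheme-less "//host" or a full "http(s)://host".
_EMBEDDED = re.compile(r"(?:https?:)?//([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def embedded_hosts(url: str) -> List[str]:
    """Return hosts found in url's path or query that differ from url's own host."""
    parts = urlsplit(url)
    own = (parts.hostname or "").lower()
    tail = unquote(parts.path + "?" + parts.query)   # decode %2F%2F-style encodings too
    hosts: List[str] = []
    for match in _EMBEDDED.finditer(tail):
        host = match.group(1).lower()
        if host != own and host not in hosts:
            hosts.append(host)
    return hosts

def flag_redirector_links(links: List[str]) -> List[str]:
    """Keep only links whose path or query smuggles a foreign host."""
    return [link for link in links if embedded_hosts(link)]

def safe_redirect(target: str, own_host: str) -> Optional[str]:
    """What a redirect endpoint should do instead: accept a site-relative path or
    an absolute URL on own_host, and return None for everything else."""
    if re.match(r"^/(?![/\\])", target):           # "/path", but not "//host" or "/\host"
        return target
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and (parts.hostname or "").lower() == own_host:
        return target                               # "user@host" tricks fail the hostname test
    return None

# Constructed sample of links scraped from blog comments; the first is the one quoted above.
SAMPLE_LINKS = [
    "http://www.microsoft.com/ie/ie40/download/?//00119922.com/in.php?&n=837&t=download+fruityloops+6+free",
    "http://www.microsoft.com/ie/ie40/download/",
    "http://example.org/go?url=http%3A%2F%2F00119922.com%2Fin.php",
    "http://example.org/blog/2009/12/post-about-music-software",
]

if __name__ == "__main__":
    for link in flag_redirector_links(SAMPLE_LINKS):
        print("redirector candidate:", link, "->", embedded_hosts(link))
```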
The same technique has been used for many hundreds of phrases associated with pornography and software piracy. Some example search terms (and there are TENS OF THOUSANDS), all of which will give you the Microsoft open redirector as the #1 search result on Google:
"microsoft office 2002 download"
"hacking private myspace accounts"
"download runescape password hack"
"xxx rated joke"
"live free hardcore sex cams"
(Remember! DO NOT CLICK! YOU WILL BE INFECTED!!!!!)
Some of the other sites with open redirectors being targeted by this attacker include: dbrecovery.com, togshop.com, wnbc.com, mrm.mms.gov, countrycurtains.com, portugal-info.net, cyberswim.com, nbcsandiego.com, thebostonchannel.com, thepittsburghchannel.com, hermanstreet.com, viadeo.com, nationalgeographic.com, barronscatalog.com, click2houston.com, lucy.com, wgal.com, rexart.com, kitv.com, bookmatestore.com, attarbazaar.com, titlenine.com, vermontteddybear.com, readthehook.com, theessentials.com, martlmadidebeli-gristianoba.com
Visiting the website redirects the visitor to 00119922.com, which in turn currently redirects the user to the site: netisecurity.com/ws/index.php?affid=04800, which pops up a warning:
Clicking "OK" on the warning SEEMS to start a scan of your system, but a closer look shows that you are actually only seeing an animation playing from the netisecurity.com website: look at the URL.
This is a kind of phishing method. When the scan is completed, a "Windows Security Alert" seems to pop up, although in reality you are still on the netisecurity.com website. Clicking the "Remove All" button, which seems to be the reasonable thing to do, actually prompts the download of "install.exe".
Hackers use different methods to drive clicks to their site so that they get to the top of the search engines. This is nothing but what people do in search engine optimization; professionals do it in a professional way, while hackers exploit the vulnerabilities of other sites.
Using the poor POST and GET validation of victim sites, hackers can insert active JavaScript and iframes into their pages. So whenever a click goes to the victim's website, one, two or more free clicks go to the hacker's site.
See the image: the site belongs to one company, but the script inside opens another PHP page that does not belong to this website or company.
God only knows what ovfamily.in is up to. Cheers, and play safe. Oh dudes, that's an Indian site!
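As an added example, not from the post, here is a Python check for the situation described above: it parses a page's HTML and lists every script or iframe that loads from a host other than the site's own, flagging zero-size or hidden frames, which is how a webmaster can spot an injected load without knowing what the foreign page does. The sample HTML and the hosts company.example, cdn.example.net and attacker.example are constructed placeholders.

```python
"""Find third-party script and iframe loads injected into a site's HTML."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

class _LoaderScanner(HTMLParser):
    """Collect (tag, src, hidden) for every script and iframe that has a src."""
    def __init__(self) -> None:
        super().__init__()
        self.loads: List[Tuple[str, str, bool]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag not in ("script", "iframe"):
            return
        a = {name: (value or "") for name, value in attrs}   # names arrive lowercased
        src = a.get("src")
        if not src:
            return
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") == "0" or a.get("height") == "0"
                  or "display:none" in style or "visibility:hidden" in style)
        self.loads.append((tag, src, hidden))

def foreign_loads(html: str, page_url: str) -> List[Tuple[str, str, bool]]:
    """Return (tag, host, hidden) for loads whose host is not the page's own host:
    the pattern described above, a script or frame pulling a page from elsewhere.
    A zero-size or display:none frame makes it doubly suspicious."""
    own = (urlsplit(page_url).hostname or "").lower()
    scanner = _LoaderScanner()
    scanner.feed(html)
    out: List[Tuple[str, str, bool]] = []
    for tag, src, hidden in scanner.loads:
        host = (urlsplit(urljoin(page_url, src)).hostname or "").lower()
        if host and host != own:
            out.append((tag, host, hidden))
    return out

# Constructed sample: a company page with its own menu script, a normal third-party
# analytics script, and an injected zero-size iframe pulling a PHP page from the
# placeholder host "attacker.example".
SAMPLE_HTML = """<html><head>
<script src="/js/menu.js"></script>
</head><body>
<h1>Company Ltd</h1>
<iframe src="http://attacker.example/go.php?id=7" width="0" height="0"></iframe>
<script src="//cdn.example.net/analytics.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, host, hidden in foreign_loads(SAMPLE_HTML, "http://company.example/index.html"):
        print(tag, "loads from", host, "(hidden)" if hidden else "")
```

Every off-site host the scanner prints should be one the site owner can account for; a hidden frame loading a PHP page from an unknown host is the injected case.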