Last week, a friend, working at the French CERT-IST, alerted me to some web sites that, although they have direct access or a logon via a Google search, did not display the same result in spite of a unique visible URL. Let me explain…..
In the first case, we arrive on the normal (or official) page, but when surfed to via a Google search, we arrive at a false blog page proposing alternative and even malicious choices and links. This technique is commonly called cloaking. Its goal is to modify the content of a webpage depending on visitor parameters or browser history.
Let’s me first give you an example. Using IE, I enter in the address bar an attacked URL. I directly reach the site:
Using Google, I search for the same site:
I then follow the link and…. Surprise! I arrive on a fake blog page named for the site I searched however it is not the expected one; it is a rogue advertising page.
If I wait on the page and do not browse any proposed link for a few minutes, the normal web page is then displayed in place of the fake one. But if I chose any of these links, I am taken to some very suspicious advertising sites.
To achieve this deception, the main page contains a mere instruction line that launches a malicious javascript, with a long unescape sequence.
When decoded (today, for this job, I used facilities offered at
http://scriptasylum.com/tutorials/encdec/encode-decode.html), I discovered the link to reach the others “recipes” of this attack in an obscure subdirectory.
Using Google, I found this file architecture was not unique. Today more than 80 sites are affected by this attack, luckily these malicious files are detected by McAfee as Exploit-PHPBB.b
It seems this attack benefits people being paid through “pay per click” and/or people behind some rogue software like fake anti-viruses or naughty encounters. For sure, it is a profitable business!!
As early as 2006 the IP addresses revealed by Fiddler were pointed as suspicious. Two years after, they are still alive and still hosted at Global Net Access, LLC and ISPrime Inc, two American companies.
Various URLs visible in the Fiddler web session contain affiliate IDs. Calls at findwhat.com makes one think that the MIVA pay-per-click search engine company is the one involved in this story. As each new page loads, this server records the affiliate ID. This makes it possible for him (the affiliate) to get paid for each click. Consequently, it should it easy to unmask it!
At this point we can say that nobody seems in a hurry to stop this cloaking party. It looks like many people do well out of it!
July 18th, 2008 at 11:40 pm
This is also known as the “Hijacking Blog”. Please refer to this blog from April:
http://www.trustedsource.org/blog/109/When-your-web-site-is-attacked-by-the-Hijacking-Blog