Message-ID: <Pine.LNX.4.62.0709060101440.22454@linuxbox.org>
Date: Thu, 6 Sep 2007 01:04:51 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: full-disclosure@...ts.grok.org.uk
Cc: funsec@...uxbox.org
Subject: fake blogs and search engines

URLs in this post should be considered as unsafe.

Fake sites and SE poisoning are nothing new. The use of blogs for this is far 
from new, either. Thousands of new fake blogs pop up every day on blogspot, 
livejournal, etc.

Web spam is a subject I have written about in the past, and some of you may be 
familiar with it regardless of me (no kidding), especially if you run a blog 
yourself.

A new fake blog which looks like blogspot, but has its own "domain", recently 
popped up in a Google alert on my name.

I get hits on these fake pages all the time as my name is a key word used by 
some of these spammers to grab attention to their pages.
This time around they really over-did it.

The page has a blogspot layout, and continues with ads to pornographic sites or 
malware (is there any difference anymore?)

Then the site shows the YouTube video which can be found under my name. 
Following that is a post I made to a mailing list recently (poorly formatted). 
Then we have a few pictures of girls, linking once more either to pornographic 
sites or malware drive-by sites (if there is a difference, again).

They finish the page off by adding comments, which are actually some old 
securiteam posts by me.

Heck, it looks fake, but it is obvious the bad guys are investing more in their 
fake web pages. Their auto-creation tools seem to be getting more impressive, 
and I believe we will see much improved believable sites, soon.

Google Blog Search displays this site as (nasty words replaced with beep):

Gadi Evron
2 Sep 2007
Gangbeep facial asian amateurs, bang bus jessica hardcore pictures bang your 
head, asian virgins.asts. Teen Cherry Action - Nice brunette teen beeped hard 
on the bed and getting a beepy beepshot. Beep beeping boy beep teen legs, ...
Untitled - h ttp://n ewadult.celeberia.com/

URL:
h ttp://n ewadult.celeberia.com/Gadi-Evron

Again, I am unsure if these URLs are safe.

For those of you wondering if these web pages mean anything to the bad guys, 
the answer is absolutely yes. Search engine ranking, indexing, etc. helps them 
advance their own sites (or their clients'). Then of course, there is 
advertising and Google ads.
It works. And the advertising space on unrelated key words is a plus.

The concept is very similar to comment spam. Comment spam may not contribute to 
SE ranking anymore due to the nofollow tag attached to links in comments, but 
these get indexed and that's all the bad guys care about. Nofollow is crap, and 
what shows up when you search is what matters.

As an example of how these things work, in a recent blog post of mine a buddy 
left a comment (see here http://gevron.livejournal.com/8859.html for the 
example).

He left a URL for his legitimate Python/math/music/origami blog in his comment, 
and now when you search for his blog you find my post placed in the 4th place 
with the title 'A Jew in a German Camp' (about the CCC Camp in Germany). He is 
not pleased, but it is obvious how the bad guys abuse this, and infect millions 
of computers just because their owners surf the net.

Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
