Vulnerabilities / Threats
12/12/2012 09:48 AM
Dark Reading
Products and Releases

Most Dangerous Holiday Web Search Terms Of 2012

Blue Coat's Malware Research Team recently noticed a huge spike in holiday-themed Search Engine Poisoning attacks and published the results of their findings.

December 10, 2012 - By Chris Larsen

I seem to have gotten myself pigeonholed this year as the "search engine poisoning guy", since I get asked about SEP attacks on a consistent basis. Especially now, as America is in the middle of its Thanksgiving-Christmas holiday season -- I was asked about "Black Friday" SEP attacks by several people last week.

Well, I had hoped to do some SEP research before Thanksgiving, but it has slipped to "pre-Christmas research" instead, one of several downsides to a heavy travel schedule...

Background

This time around, I followed the "high volume" approach I used in the SEP research on the Olympic games earlier this year, rather than the more labor-intensive approach used a year ago in the seven-part series from the RSA presentation.

One item in particular I wanted to look at was the question of overall SEP volume. As our customer base has grown, there should be some natural growth in the overall SEP traffic, but there is another recent factor: our work identifying "spamnets". Since Tim's tool for tracking SEP attacks is based on our malnet research, logically we should see more SEP attacks, as the number of malnets (and spamnets) that we track goes up.

On to the data...

For this research, I pulled Tim's SEP logs from 11/21 to 11/30. In those 10 days, we saw 13,616 "successful" SEP attacks. (Recall that this simply means one of our users somewhere: (1) searched for something; (2) got a bad link high enough in the returned search results that they actually saw it; (3) thought it looked like a reasonable result; and (4) clicked it. At which point WebPulse blocked it, which means it wasn't actually "successful", but that's due to us, not the Bad Guys' faulty preparations...)

13,616 different clicks / 10 days is pretty easy math: an average of 1361.6 different SEP clicks/day.

For comparison, I went back to the Olympics research set, which had a total of 28,277 different SEP clicks / 39 days, or about 725 per day.

That's an increase of over 80% -- far too much to be explained by the increase in customer base. I also doubt that the SEP gangs have suddenly become a lot more efficient. That leaves me with only one ready explanation: the large number of spamnets (and new malnets) we've been steadily uncovering, because I know that has jumped.

Anyway, here are the search terms I looked for in the dataset, and the number of unique search terms that matched. It's a total of 505 different holiday-related search terms; out of 13,616, it works out to about 3.7% of the SEP attack traffic.

Some Examples:

It's also interesting to look at some examples, to see if there are some specific things to warn people about. Here is a representative set of Christmas-themed searches that led people into danger:

preschool christmas bulletin boards
crafts for christmas
repurpose old christmas cards
christmas office party games
christmas scavenger list for adults
ideas for christmas gifts in mason jars
free printable christmas word scramble
ugly christmas sweater party invitation wording
christmas weight loss team names

Nothing really jumps out. But how about this set:

christmas door decorating ideas
christmas door decorating contest winners
christmas coordinate plane graphs

Together with the "preschool bulletin board" example, it shows that many of the would-have-been victims were school teachers searching for holiday activities. (There were a bunch of additional "Christmas door" examples in the logs, by the way. And for the benefit of our readers who live outside of the U.S., it is a very common tradition in American schools for teachers to decorate their classroom door for upcoming holidays, and this can get pretty competitive at times, as the teachers vie for fame and glory within their school for having the best-looking door.)

Non-holiday SEP Examples

If holiday-themed searches weren't dominating the SEP attacks, did anything else jump out at me?

Not really. In skimming through the logs, I easily found examples from many of the categories that showed up in last year's more detailed research:

Sample Letters:
sample eagle scout letter of recommendation
sample personal statement nurse practitioner program
QA manager resume samples free download

Kids trying to get around the school web filter:
proxy to get on facebook at school
age of war 2 unblocked at school

Minor celebrity searches (since major celebs have so much competition):
heather nauert swimsuit (I had to look her up: she's apparently a Fox News reporter)

Health/Medical info:
conversion from nitroglycerin ointment to patch
left sided back pain worse at night

And one that I didn't highlight a year ago, so I suppose if there was something interesting that popped up, it would be this next category...

Year-end Performance Reviews:
employee year end performance self assessment examples
promotion announcement to all employees
answers to commanders safety course ver 3.1
performance appraisal phrases

But, in general, I suspect that last year's estimate of around 40% of SEP attacks targeting Miscellaneous categories still holds pretty true. They are all over the map...
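To make the kind of log pass described above concrete (counting blocked SEP clicks per day, comparing the rate against an earlier baseline, and bucketing the lure queries into the themes listed above), here is an added example in Python. It is not Blue Coat's tooling or the tool Tim built; the log layout ("date verdict reason query"), the sample lines and the keyword lists per theme are all assumptions constructed for illustration, using queries quoted in this post.

```python
"""Summarise blocked search-engine-poisoning (SEP) clicks from a proxy log.

Added example, not Blue Coat's tooling: parses constructed log lines, counts
blocked SEP clicks per day, compares that rate against a baseline period, and
buckets the search queries into the lure themes discussed in the post.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample lines in an ASSUMED "YYYY-MM-DD VERDICT REASON query..."
# layout. Only lines with verdict BLOCKED and reason "sep" are SEP clicks.
SAMPLE_LOG = """\
2012-11-21 BLOCKED sep preschool christmas bulletin boards
2012-11-21 BLOCKED sep proxy to get on facebook at school
2012-11-22 BLOCKED sep sample eagle scout letter of recommendation
2012-11-22 BLOCKED sep employee year end performance self assessment examples
2012-11-23 BLOCKED sep left sided back pain worse at night
2012-11-23 BLOCKED sep christmas door decorating ideas
2012-11-23 ALLOWED - weather forecast for friday
2012-11-24 BLOCKED sep age of war 2 unblocked at school
2012-11-24 BLOCKED sep anniversary gifts for troubled marriages
"""

# Lure themes in priority order: the first theme with a matching keyword wins.
# Keyword lists are illustrative assumptions, not a published taxonomy.
THEMES = [
    ("holiday", ("christmas", "thanksgiving", "black friday", "gift")),
    ("sample letters", ("sample", "resume", "letter of recommendation")),
    ("school filter evasion", ("unblocked at school", "proxy")),
    ("health/medical", ("pain", "ointment", "medication")),
    ("performance reviews", ("performance", "appraisal", "self assessment")),
]


@dataclass(frozen=True)
class Record:
    day: date
    verdict: str
    reason: str
    query: str


def parse_log(text: str) -> list[Record]:
    """One Record per well-formed line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        day_str, verdict, reason, query = parts
        try:
            day = date.fromisoformat(day_str)
        except ValueError:
            continue
        records.append(Record(day, verdict, reason, query.lower()))
    return records


def sep_clicks(records: list[Record]) -> list[Record]:
    """A 'successful' SEP attack is a click that reached the proxy and was blocked."""
    return [r for r in records if r.verdict == "BLOCKED" and r.reason == "sep"]


def clicks_per_day(records: list[Record], window_days: int) -> float:
    """Average SEP clicks per day over a fixed observation window."""
    if window_days <= 0:
        raise ValueError("window_days must be positive")
    return len(sep_clicks(records)) / window_days


def pct_change(new_rate: float, old_rate: float) -> float:
    """Percentage change from a baseline rate to a new one."""
    if old_rate == 0:
        raise ValueError("baseline rate must be non-zero")
    return (new_rate - old_rate) / old_rate * 100.0


def classify(query: str) -> str:
    """Substring match against THEMES in order; anything else is miscellaneous."""
    q = query.lower()
    for theme, keywords in THEMES:
        if any(k in q for k in keywords):
            return theme
    return "miscellaneous"


def theme_shares(records: list[Record]) -> dict[str, float]:
    """Fraction of SEP clicks per theme (empty dict when there are no clicks)."""
    clicks = sep_clicks(records)
    counts = Counter(classify(r.query) for r in clicks)
    total = len(clicks)
    return {theme: n / total for theme, n in counts.items()} if total else {}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"SEP clicks/day over a 4-day window: {clicks_per_day(recs, 4):.1f}")
    # The post's own figures: 13,616 clicks / 10 days vs 28,277 clicks / 39 days.
    print(f"Holiday window vs Olympics baseline: {pct_change(13616 / 10, 28277 / 39):+.1f}%")
    for theme, share in sorted(theme_shares(recs).items()):
        print(f"{theme:22s} {share:5.1%}")
```

Theme order matters because matching is plain substring: "gift" is checked under holiday before anything else, and a query that mentions both a holiday and a resume lands in the holiday bucket. Running the block on the post's own totals reproduces the roughly 88% jump from about 725 to 1361.6 clicks per day.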

Closing Thought

I suppose it's bad enough that the cybercriminals are targeting holidays with their junk at all, but as I was looking through the logs for the "gift" searches, I came across a couple of examples that I wanted to highlight:

anniversary gifts for troubled marriages
romantic homemade gifts for girlfriend

And these made me realize why I really don't like the Bad Guys. Here were innocent people who were trying to do something really meaningful for someone they loved, and the stinkin' SEP gangs were trying to ambush them with scams or malware.

--C.L.

@bc_malware_guy

P.S. On a lighter note, I think a special award for "Most Interesting Gift Search Leading to SEP" needs to go to the guy who thought that the perfect gift for his wife/girlfriend was a "pink camo stock for remington 870". (If he was the same guy who searched for "antlers for sale on ebay", she's going to be in for a big surprise on Christmas morning...)
