Vulnerabilities / Threats
12/12/2012
09:48 AM
Dark Reading

Most Dangerous Holiday Web Search Terms Of 2012

Blue Coat's Malware Research Team recently noticed a huge spike in holiday-themed Search Engine Poisoning (SEP) attacks and published the results of its findings.

December 10, 2012 - By Chris Larsen

I seem to have gotten myself pigeonholed this year as the "search engine poisoning guy", since I get asked about SEP attacks on a consistent basis. Especially now, as America is in the middle of its Thanksgiving-Christmas holiday season -- I was asked about "Black Friday" SEP attacks by several people last week.

Well, I had hoped to do some SEP research before Thanksgiving, but it has slipped to "pre-Christmas research" instead, one of several downsides to a heavy travel schedule...

Background

This time around, I followed the "high volume" approach I used in the SEP research on the Olympic games earlier this year, rather than the more labor-intensive approach used a year ago in the seven-part series from the RSA presentation.

One item in particular I wanted to look at was the question of overall SEP volume. As our customer base has grown, there should be some natural growth in the overall SEP traffic, but there is another recent factor: our work identifying "spamnets". Since Tim's tool for tracking SEP attacks is based on our malnet research, logically we should see more SEP attacks, as the number of malnets (and spamnets) that we track goes up.

On to the data...

For this research, I pulled Tim's SEP logs from 11/21 to 11/30. In those 10 days, we saw 13,616 "successful" SEP attacks. (Recall that this simply means one of our users somewhere: (1) searched for something; (2) got a bad link high enough in the returned search results that they actually saw it; (3) thought it looked like a reasonable result; and (4) clicked it. At which point WebPulse blocked it, which means it wasn't actually "successful" -- but that's due to us, not to any faulty preparation on the Bad Guys' part. In other words, "successful" here measures how far the attack got with the user, not whether malware was delivered.)

13,616 different clicks / 10 days is pretty easy math: an average of 1361.6 different SEP clicks/day.

For comparison, I went back to the Olympics research set, which had a total of 28,277 different SEP clicks / 39 days, or about 725 per day.

That's an increase of over 80% -- far too much to be explained by the increase in customer base. I also doubt that the SEP gangs have suddenly become a lot more efficient. That leaves me with only one ready explanation: the large number of spamnets (and new malnets) we've been steadily uncovering, because I know that has jumped.

Anyway, here are the search terms I looked for in the dataset, and the number of unique search terms that matched. It's a total of 505 different holiday-related search terms; out of 13,616 SEP clicks, that works out to about 3.7% of the SEP attack traffic.
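The analysis above (identify the clicks that count as SEP "successes", compute a per-day rate, compare it against an earlier period, and measure what share of the terms is holiday-related) can be reproduced over ordinary proxy logs. The following is an added example and is not Blue Coat's or Tim's tool; it assumes a constructed one-line-per-request log format (date, client, referer, destination URL, proxy verdict), a hypothetical malnet host list, and a short holiday keyword list. A click is treated as an SEP click when the referer is a search-engine results page and the destination host is on the malnet list, regardless of whether the proxy blocked it, which matches the definition of "successful" used in the text.

```python
"""Toy search-engine-poisoning (SEP) click finder over proxy logs.

Added example, not Blue Coat's code. Log format (constructed for this example):
    <date> <client> <referer-or-dash> <destination-url> <verdict>
"""
from urllib.parse import urlparse, parse_qs

# Result pages from these hosts identify a click that came out of a web search.
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
# Query-string parameter carrying the search term (Google/Bing use q, Yahoo uses p).
QUERY_PARAMS = ("q", "p")

# Hypothetical malnet/spamnet landing hosts; real research uses a tracked malnet list.
MALNET_HOSTS = {"cheap-xmas-deals.example", "free-pdf-dl.example"}

# Keywords used to tag a search term as holiday-related (assumption, not the page's list).
HOLIDAY_TERMS = ("christmas", "xmas", "hanukkah", "santa", "black friday", "cyber monday")

# Constructed sample log. Line 2 is a benign search; line 5 is a direct hit on a
# malnet host with no search-engine referer, so it is not an SEP click.
SAMPLE_LOG = """\
2012-11-21 10.0.0.5 https://www.google.com/search?q=christmas+door+decorating+ideas http://cheap-xmas-deals.example/lp.php?id=7 BLOCKED
2012-11-21 10.0.0.9 https://www.google.com/search?q=weather+boston http://www.weather.example/ ALLOWED
2012-11-22 10.0.0.5 https://www.bing.com/search?q=sample+eagle+scout+letter+of+recommendation http://free-pdf-dl.example/get.php ALLOWED
2012-11-22 10.0.0.7 https://search.yahoo.com/search?p=ugly+christmas+sweater+party+invitation+wording http://cheap-xmas-deals.example/lp.php?id=9 BLOCKED
2012-11-23 10.0.0.7 - http://cheap-xmas-deals.example/lp.php?id=9 BLOCKED
"""


def search_query(referer):
    """Return the lower-cased search term if the referer is a known search-engine
    results page, otherwise None."""
    if referer == "-":
        return None
    parts = urlparse(referer)
    if parts.netloc not in SEARCH_ENGINE_HOSTS:
        return None
    params = parse_qs(parts.query)  # parse_qs already turns '+' into spaces
    for name in QUERY_PARAMS:
        if name in params and params[name][0].strip():
            return params[name][0].strip().lower()
    return None


def parse_sep_clicks(log_text):
    """Yield (date, search_term, verdict) for every request that came from a search
    results page and landed on a malnet host: the text's 'successful' SEP click."""
    clicks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, _client, referer, url, verdict = line.split()
        term = search_query(referer)
        if term is None:
            continue
        if urlparse(url).netloc not in MALNET_HOSTS:
            continue
        clicks.append((date, term, verdict))
    return clicks


def is_holiday_term(term):
    """True if any holiday keyword appears in the search term."""
    return any(keyword in term for keyword in HOLIDAY_TERMS)


def summarize(clicks, days):
    """Per-day rate, unique-term count, holiday share and blocked count for a period."""
    total = len(clicks)
    holiday = sum(1 for _, term, _ in clicks if is_holiday_term(term))
    return {
        "total": total,
        "per_day": total / days,
        "unique_terms": len({term for _, term, _ in clicks}),
        "holiday": holiday,
        "holiday_pct": 100.0 * holiday / total if total else 0.0,
        "blocked": sum(1 for _, _, verdict in clicks if verdict == "BLOCKED"),
    }


def percent_increase(new_total, new_days, old_total, old_days):
    """Percentage change in the per-day click rate between two periods of
    different lengths (the comparison the text makes against the Olympics data)."""
    new_rate = new_total / new_days
    old_rate = old_total / old_days
    return 100.0 * (new_rate / old_rate - 1.0)


if __name__ == "__main__":
    found = parse_sep_clicks(SAMPLE_LOG)
    for date, term, verdict in found:
        print(date, verdict, "holiday" if is_holiday_term(term) else "other", term)
    print(summarize(found, days=3))
    print("rate change vs. Olympics set: %.1f%%" % percent_increase(13616, 10, 28277, 39))
```

Running the block over the constructed log reports three SEP clicks, two of them holiday-themed, and reproduces the text's "over 80%" growth figure from the two published totals (13,616 over 10 days against 28,277 over 39 days).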

Some Examples

It's also interesting to look at some examples, to see if there are some specific things to warn people about. Here is a representative set of Christmas-themed searches that led people into danger:

preschool christmas bulletin boards
crafts for christmas
repurpose old christmas cards
christmas office party games
christmas scavenger list for adults
ideas for christmas gifts in mason jars
free printable christmas word scramble
ugly christmas sweater party invitation wording
christmas weight loss team names

Nothing really jumps out. But how about this set:

christmas door decorating ideas
christmas door decorating contest winners
christmas coordinate plane graphs

Together with the "preschool bulletin board" example, it shows that many of the would-have-been victims were school teachers searching for holiday activities. (There were a bunch of additional "Christmas door" examples in the logs, by the way. And for the benefit of our readers who live outside of the U.S., it is a very common tradition in American schools for teachers to decorate their classroom door for upcoming holidays, and this can get pretty competitive at times, as the teachers vie for fame and glory within their school for having the best-looking door.)

Non-holiday SEP Examples

If holiday-themed searches weren't dominating the SEP attacks, did anything else jump out at me?

Not really. In skimming through the logs, I easily found examples from many of the categories that showed up in last year's more detailed research:

Sample Letters:
sample eagle scout letter of recommendation
sample personal statement nurse practitioner program
QA manager resume samples free download

Kids trying to get around the school web filter:
proxy to get on facebook at school
age of war 2 unblocked at school

Minor celebrity searches (since major celebs have so much competition):
heather nauert swimsuit (I had to look her up: she's apparently a Fox News reporter)

Health/Medical info:
conversion from nitroglycerin ointment to patch
left sided back pain worse at night

And one that I didn't highlight a year ago, so I suppose if there was something interesting that popped up, it would be this next category...

Year-end Performance Reviews:
employee year end performance self assessment examples
promotion announcement to all employees
answers to commanders safety course ver 3.1
performance appraisal phrases

But, in general, I suspect that last year's estimate of around 40% of SEP attacks targeting Miscellaneous categories still holds pretty true. They are all over the map...

Closing Thought

I suppose it's bad enough that the cybercriminals are targeting holidays with their junk at all, but as I was looking through the logs for the "gift" searches, I came across a couple of examples that I wanted to highlight:

anniversary gifts for troubled marriages
romantic homemade gifts for girlfriend

And these made me realize why I really don't like the Bad Guys. Here were innocent people who were trying to do something really meaningful for someone they loved, and the stinkin' SEP gangs were trying to ambush them with scams or malware.

--C.L.

@bc_malware_guy

P.S. On a lighter note, I think a special award for "Most Interesting Gift Search Leading to SEP" needs to go to the guy who thought that the perfect gift for his wife/girlfriend was a "pink camo stock for remington 870". (If he was the same guy who searched for "antlers for sale on ebay", she's going to be in for a big surprise on Christmas morning...)
