Dark Reading
12/12/2012, 09:48 AM

Most Dangerous Holiday Web Search Terms Of 2012

Blue Coat's Malware Research Team recently noticed a huge spike in holiday themed Search Engine Poisoning attacks and published the results of their findings

December 10, 2012 - By Chris Larsen

I seem to have gotten myself pigeonholed this year as the "search engine poisoning guy", since I get asked about SEP attacks on a consistent basis. Especially now, as America is in the middle of its Thanksgiving-Christmas holiday season -- I was asked about "Black Friday" SEP attacks by several people last week.

Well, I had hoped to do some SEP research before Thanksgiving, but it has slipped to "pre-Christmas research" instead, one of several downsides to a heavy travel schedule...

Background

This time around, I followed the "high volume" approach I used in the SEP research on the Olympic games earlier this year, rather than the more labor-intensive approach used a year ago in the seven-part series from the RSA presentation.

One item in particular I wanted to look at was the question of overall SEP volume. As our customer base has grown, there should be some natural growth in the overall SEP traffic, but there is another recent factor: our work identifying "spamnets". Since Tim's tool for tracking SEP attacks is based on our malnet research, logically we should see more SEP attacks, as the number of malnets (and spamnets) that we track goes up.

On to the data...

For this research, I pulled Tim's SEP logs from 11/21 to 11/30. In those 10 days, we saw 13,616 "successful" SEP attacks. (Recall that this simply means one of our users somewhere: (1) searched for something; (2) got a bad link high enough in the returned search results that they actually saw it; (3) thought it looked like a reasonable result; and (4) clicked it. At which point WebPulse blocked it, which means it wasn't actually "successful", but that's due to us, not the Bad Guys' faulty preparations...)

13,616 different clicks / 10 days is pretty easy math: an average of 1361.6 different SEP clicks/day.

For comparison, I went back to the Olympics research set, which had a total of 28,277 different SEP clicks / 39 days, or about 725 per day.

That's an increase of over 80% -- far too much to be explained by the increase in customer base. I also doubt that the SEP gangs have suddenly become a lot more efficient. That leaves me with only one ready explanation: the large number of spamnets (and new malnets) we've been steadily uncovering, because I know that has jumped.

Anyway, here are the search terms I looked for in the dataset, and the number of unique search terms that matched. It's a total of 505 different holiday-related search terms; out of 13,616, it works out to about 3.7% of the SEP attack traffic.
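To make the counting rule above concrete, here is an added example of how a "successful" SEP click can be tallied from proxy logs. It is illustrative code written for this page, not Blue Coat's WebPulse or the SEP-tracking tool the post refers to. The log format, the table of search engines and their query parameters, and the holiday keyword list are all assumptions made for the example; the sample log lines are constructed.

```python
"""Added illustration: counting search-engine-poisoning (SEP) clicks in proxy logs.

Written for this page; not Blue Coat's WebPulse or the SEP-tracking tool the
post refers to. The log format, the search-engine table and the holiday keyword
list are assumptions made for the example.
"""
from datetime import date
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log (assumed format):
#   date  client  verdict  destination  referrer
# A BLOCK verdict means the proxy's categorisation stopped the request.
# The last line is a blocked request with no search-engine referrer: it was
# blocked, but it is not an SEP click and must not be counted as one.
SAMPLE_LOG = """\
2012-11-21 10.0.0.5 BLOCK-malware http://evil.example/landing.php?id=7 http://www.google.com/search?q=preschool+christmas+bulletin+boards
2012-11-21 10.0.0.9 ALLOW http://news.example/story http://www.google.com/search?q=black+friday+deals
2012-11-22 10.0.0.7 BLOCK-malware http://bad.example/go http://www.bing.com/search?q=christmas+door+decorating+ideas
2012-11-22 10.0.0.7 BLOCK-malware http://bad.example/go2 http://search.yahoo.com/search?p=sample+eagle+scout+letter+of+recommendation
2012-11-23 10.0.0.3 BLOCK-malware http://bad.example/x -
"""

# Search engines whose results-page referrer carries the user's query, and the
# parameter each uses for it (assumption for the example; extend as needed).
SEARCH_ENGINES = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "search.yahoo.com": "p",
}

# Keywords used to flag holiday-themed searches. An assumption for the example;
# the post's own 505-term list is not reproduced here.
HOLIDAY_TERMS = ("christmas", "thanksgiving", "black friday", "hanukkah",
                 "holiday", "gift")


def search_query(referrer):
    """Return the lower-cased query if `referrer` is a known engine's results page."""
    if not referrer or referrer == "-":
        return None
    u = urlparse(referrer)
    param = SEARCH_ENGINES.get(u.netloc.lower())
    if param is None:
        return None
    values = parse_qs(u.query).get(param)
    if not values:
        return None
    return values[0].strip().lower()


def sep_clicks(log_text):
    """Return (day, query) for every blocked click that arrived from a results page.

    This is the post's definition of a "successful" SEP attack: the user
    searched, got a bad link, clicked it, and the proxy blocked the destination.
    """
    events = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line; skip rather than guess
        day, _client, verdict, _dest, referrer = fields
        if not verdict.startswith("BLOCK"):
            continue  # allowed request: not a blocked bad link
        query = search_query(referrer)
        if query is None:
            continue  # blocked, but the user did not get there from a search
        events.append((date.fromisoformat(day), query))
    return events


def summarize(events, holiday_terms=HOLIDAY_TERMS):
    """Per-day rate and holiday share, computed the way the post does."""
    if not events:
        return {"total": 0, "days": 0, "per_day": 0.0,
                "holiday": 0, "holiday_share": 0.0}
    first = min(d for d, _ in events)
    last = max(d for d, _ in events)
    days = (last - first).days + 1  # inclusive span, like "11/21 to 11/30"
    holiday = sum(1 for _, q in events if any(t in q for t in holiday_terms))
    return {
        "total": len(events),
        "days": days,
        "per_day": len(events) / days,
        "holiday": holiday,
        "holiday_share": holiday / len(events),
    }


if __name__ == "__main__":
    for day, query in sep_clicks(SAMPLE_LOG):
        print(day, "->", query)
    print(summarize(sep_clicks(SAMPLE_LOG)))
```

On the constructed sample the tally is three SEP clicks over two days (1.5 per day), two of them holiday-themed; the blocked request with no search referrer is correctly left out. The same skeleton scales to a real export, with the engine table and keyword list as the two things you would tune.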

Some Examples

It's also interesting to look at some examples, to see if there are some specific things to warn people about. Here is a representative set of Christmas-themed searches that led people into danger:

    preschool christmas bulletin boards
    crafts for christmas
    repurpose old christmas cards
    christmas office party games
    christmas scavenger list for adults
    ideas for christmas gifts in mason jars
    free printable christmas word scramble
    ugly christmas sweater party invitation wording
    christmas weight loss team names

Nothing really jumps out. But how about this set:

    christmas door decorating ideas
    christmas door decorating contest winners
    christmas coordinate plane graphs

Together with the "preschool bulletin board" example, it shows that many of the would-have-been victims were school teachers searching for holiday activities. (There were a bunch of additional "Christmas door" examples in the logs, by the way. And for the benefit of our readers who live outside of the U.S., it is a very common tradition in American schools for teachers to decorate their classroom door for upcoming holidays, and this can get pretty competitive at times, as the teachers vie for fame and glory within their school for having the best-looking door.)

Non-holiday SEP Examples

If holiday-themed searches weren't dominating the SEP attacks, did anything else jump out at me?

Not really. In skimming through the logs, I easily found examples from many of the categories that showed up in last year's more detailed research:

Sample Letters:
    sample eagle scout letter of recommendation
    sample personal statement nurse practitioner program
    QA manager resume samples free download

Kids trying to get around the school web filter:
    proxy to get on facebook at school
    age of war 2 unblocked at school

Minor celebrity searches (since major celebs have so much competition):
    heather nauert swimsuit
(I had to look her up: she's apparently a Fox News reporter)

Health/Medical info:
    conversion from nitroglycerin ointment to patch
    left sided back pain worse at night

And one that I didn't highlight a year ago, so I suppose if there was something interesting that popped up, it would be this next category...

Year-end Performance Reviews:
    employee year end performance self assessment examples
    promotion announcement to all employees
    answers to commanders safety course ver 3.1
    performance appraisal phrases

But, in general, I suspect that last year's estimate of around 40% of SEP attacks targeting Miscellaneous categories still holds pretty true. They are all over the map...

Closing Thought

I suppose it's bad enough that the cybercriminals are targeting holidays with their junk at all, but as I was looking through the logs for the "gift" searches, I came across a couple of examples that I wanted to highlight:

    anniversary gifts for troubled marriages
    romantic homemade gifts for girlfriend

And these made me realize why I really don't like the Bad Guys. Here were innocent people who were trying to do something really meaningful for someone they loved, and the stinkin' SEP gangs were trying to ambush them with scams or malware.

--C.L.

@bc_malware_guy

P.S. On a lighter note, I think a special award for "Most Interesting Gift Search Leading to SEP" needs to go to the guy who thought that the perfect gift for his wife/girlfriend was a "pink camo stock for remington 870". (If he was the same guy who searched for "antlers for sale on ebay", she's going to be in for a big surprise on Christmas morning...)
