Google Web Sites Compromised In Malware Attack
Mary Landesman, senior security researcher at ScanSafe, said that experts have seen the number of compromised sites grow exponentially since the end of April, with a consistent surge last week that increased the number of compromised sites 80 percent.
Since discovered in March by researchers at ScanSafe, a series of compromised Web site attacks, collectively labeled Gumblar, has thus far infected more than 1,500 Web sites, including Tennis.com, Variety.com and Coldwellbanker.com. The source of the Gumblar attacks appears to be from gumblar.cn, with a Moscow IP address that reverses to ukservers.com, security experts say.
The Gumblar attacks seem to buck trends with their longevity, Landesman said. While most attacks that compromise Web sites fizzle out after a few weeks, Gumblar is gaining steam and growing at unprecedented rates.
"A lot peak within the first week or two. Instead we're seeing this as a continued surge," she said.
During the attack, the Gumblar malware forcibly redirects users' Google search page results to other links, many of which lead to reproductions of the users' intended Web sites. Initially, attackers gain access to legitimate Web sites via stolen FTP credentials, then subsequently launch malware to compromise any Web sites owned or operated by the victim.
However, as Google began to delist the compromised sites, and the Web site owners cleaned up their sites, attackers launched a defensive maneuver that installed a "man in the browser" attack on the compromised sites, designed to intercept the users' Web traffic and look into their browsers.
When a user performs a Google search, the malware is able to then swap links and redirect them to the phony Web site impersonating the legitimate site. If users are trying to visit Tennis.com via Google, they would be redirected to a fraudulent site that would immediately download a Trojan onto their systems. Once installed, the Trojan would give the attackers the ability to take control of the users' computers or steal personal information or FTP credentials to further propagate.
"Basically they're stealing page impressions," Landesman said. "They're also able to trick people into visiting sites other than they expected."
Google confirmed the attacks and said that the company is working to alert users to compromised sites listed on page rankings.
While the attacks are conducted on Google searches, Landesman said that the problem wasn't the result of a search engine weakness but due to vulnerabilities in the users' computers.
Landesman said that the attackers chose the Google search engine and Internet Explorer as attack vehicles due to their high market share, which guarantees necessary Web traffic to execute a widespread attack.
"That's where the market share is -- it's easier to make money," she said. "We'll see a decline as more Web site owners become aware of the problem, check their own sites and get them cleaned up."
Landesman said that in addition to thwarting search engine users, the attackers are damaging the reputations and stealing ad revenue from legitimate site owners.
"They're being ripped off. They're being stolen from. These hijackers are using their good name," Landesman said. "There are many victims here."
To protect themselves, companies should deploy a Web filtering service that monitors and protects against Web threats, Landesman said, but added that home consumers would likely be required to disable JavaScript.
Landesman added that this attack illustrates the growing trend of compromising legitimate Web sites for organized criminal profiteering. "Malware delivery is predominantly all through Web sites. This has proven hugely effective for the attackers," she said. "We've just seen wave after wave of compromises. They're escalating with no signs of stopping."