Select Page

Google has removed the sites responsible for the recent massive Google poisoning attack.

However, we’re seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here.

As an example, a simple search of “funny drunk quote site:cn” pulls up the following results:


Notice the pattern? Large amount of fresh .cn domains, with numbered html pages.

However, there are apparently two different groups at work here. One we’ll call Type 1 — which appears to be the same group involved in the prior poisoning. And the other, we’ll call Type 2 (sorry, not very original, but we’re working fast here).


Type 1 shows this style of page, and it looks like it’s coming from the same group that was involved in the recent Google poisining:


On exiting the page, you get pushed to install Spy-shredder, a rogue antispyware program.


Which, even if “cancel” is pressed, you still get a fake scanning page.

Nothing unusual there.


(You can see an example page source of Type 1 by looking at this dump.)

Type 2 is different, and simply shows users a site which is trying to generate traffic (for the purposes of getting affiliate commissions):


Again, freshly registered stuff. You can see an example page source of Type 2 by looking at this dump.

Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change.

Alex Eckelberry and Adam Thomas