Our research team has discovered a rather nasty SEO poisoning scam over the last few days, targeting 9/11-related search terms (along with anything else they can get their hands on) to attempt to infect vulnerable PCs. They use a combination of the Black Hole Exploit Kit (Correction: Phoenix Exploit Kit) and an interesting “on the fly” SEO poisoning tactic to try and drop infections onto the target PC.
Shangpalace(dot)com(dot)vn was the initial URL our research team discovered, although there are quite a few others out there right now. It goes without saying that all of these domains should be considered hostile and visited only from a dedicated, isolated testing machine.
Some example search terms:
“The server will return a script pointing to a malicious server which is running Phoenix exploit kit…the referral string used when visiting the compromised site must be an approved referral string (e.g. search.google.com). If not, the server will simply re-direct you to a non-malicious page.”
serveruzgdf(dot)info A 184.108.40.206
acronymsoflh(dot)info A 220.127.116.11
zqqhfowhserver(dot)info A 18.104.22.168
cronymsu(dot)info A 22.214.171.124
aasfhcxserver(dot)info A 126.96.36.199
bpxtecdacronyms(dot)info A 188.8.131.52
nvwjefrzacronyms(dot)info A 184.108.40.206
acronymstxey(dot)info A 220.127.116.11
Adam tells me the site is “attempting to load as many exploits as possible in order to drop the payload”. This is typically what the user will see while the exploits and files are busy behind the scenes:
“The content for SEO poisoning can be generated ‘on-the-fly’. To explain further, the owner of this SEO poisoning system can utilize their network of hacked domains to quickly generate any content desired. By simply passing a search criteria to the url ‘shangpalace(dot)com(dot)vn/<search-term>’, the ‘SEO pack’ generates relevant content based on the search term.”
As an example, he passed a random search term to the server to see what would happen – “purple-golden-retriever”, in this case. Sure enough… “Within 2-3 seconds a page complete with keywords, related search phrases and even relevant working images is returned from the server.”
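Both behaviours Adam describes (the referer-gated redirect to the exploit server, and the doorway page generated from whatever term sits in the URL path) are easy to confirm without ever rendering the page in a browser. The script below is an added example written for this post, not the research team's own tooling: it probes a host twice, once with a search-engine Referer and once with none, and flags the response divergence, then requests a nonsense term and checks whether the page echoes it back. The hostnames (`compromised.example`, `exploit-server.example`), the `/x.js` loader path and the simulated responses are constructed stand-ins so the probes run offline; `http_fetch` is the real-network variant for use from an isolated test machine.

```python
"""Probe a suspected SEO-poisoning host for referer cloaking and on-the-fly
doorway generation. Added example; hostnames and responses are assumptions."""
import re
import secrets
import urllib.error
import urllib.request

APPROVED_REFERER = "http://search.google.com/"   # referer the cloaker treats as a real search visitor
DIRECT_REFERER = None                             # no Referer header at all (analyst typing the URL)

SCRIPT_SRC = re.compile(r'<script[^>]+src="([^"]+)"', re.I)


def http_fetch(url, referer=None, timeout=10):
    """Real fetch: return (status, final_url, body); follows redirects like a browser.
    Only point this at hostile domains from a dedicated, isolated machine."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.geturl(), e.read().decode("utf-8", "replace")


def referer_cloaking(fetch, url):
    """Fetch with an approved search referer and with none; a differing body or
    landing URL, plus scripts served only to the search visitor, is the cloaking tell."""
    _, url_ref, body_ref = fetch(url, referer=APPROVED_REFERER)
    _, url_dir, body_dir = fetch(url, referer=DIRECT_REFERER)
    ref_scripts = set(SCRIPT_SRC.findall(body_ref))
    dir_scripts = set(SCRIPT_SRC.findall(body_dir))
    return {
        "cloaked": body_ref != body_dir or url_ref != url_dir,
        "referer_only_scripts": sorted(ref_scripts - dir_scripts),
        "direct_landed_on": url_dir,
    }


def on_the_fly_generation(fetch, base_url, term=None):
    """Request /<nonsense-term> as a search visitor. A fixed site cannot know the
    term; a doorway generator stuffs it into the title and body on demand."""
    term = term or "probe-" + secrets.token_hex(4)  # random so no real page can pre-exist
    status, _, body = fetch(f"{base_url.rstrip('/')}/{term}", referer=APPROVED_REFERER)
    words = term.replace("-", " ").lower()
    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    echoed = body.lower().count(words)
    return {
        "term": term,
        "status": status,
        "echoed": echoed,
        "title": title.group(1).strip() if title else None,
        "generated": status == 200 and echoed >= 2,
    }


# Constructed stand-in for the compromised host, modelling the behaviour described
# in the post so the probes can run offline (assumed names, not real indicators).
SIM_BASE = "http://compromised.example/"
SIM_EXPLOIT_JS = "http://exploit-server.example/x.js"
SIM_BENIGN = "http://compromised.example/index.html"


def simulated_fetch(url, referer=None, timeout=0):
    term = url[len(SIM_BASE):].strip("/") or "home"
    if referer and referer.startswith("http://search.google.com"):
        words = term.replace("-", " ")
        body = (
            f"<html><head><title>{words} - results</title>"
            f'<script src="{SIM_EXPLOIT_JS}"></script></head>'
            f"<body><h1>{words}</h1><p>Related searches: {words} pictures, "
            f"{words} video</p></body></html>"
        )
        return 200, url, body
    # Any other referer: redirect to the harmless page on the same site.
    return 200, SIM_BENIGN, "<html><head><title>Welcome</title></head><body>Welcome</body></html>"


if __name__ == "__main__":
    print(referer_cloaking(simulated_fetch, SIM_BASE))
    print(on_the_fly_generation(simulated_fetch, SIM_BASE, "purple-golden-retriever"))
```

Against a live host, swap `simulated_fetch` for `http_fetch`; the useful outputs are `referer_only_scripts` (the loader URL that only search visitors receive, which is what to resolve and block) and `direct_landed_on` (the benign page an analyst sees when visiting by hand, which is why the site looks clean when checked casually).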