Friday, April 27, 2007 12:00 PM cmosby

McAfee Avert Labs Blog - Malware Authors Pay to Steal Your Bank Passwords

 


Thursday April 26, 2007 at 12:09 pm CST
Posted by Allysa Myers


This Washington Post blog discusses a misuse that has occurred with Google’s Sponsored Links.

Here is how it works: someone searches for a term that would lead them to a list of different sites, such as the Better Business Bureau. The top sponsored link appears, purporting to be the site the user is looking for. With a normal link, if someone places the mouse over it, most browsers will show the address of that site in the bottom left corner. This is not the case with Google’s Sponsored Links. You have to trust that what appears is what it says it is, which we can see is not necessarily a good bet.
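A check a mail or web gateway could run for the mismatch described above, as an added example that is not part of the original post: it flags links whose visible text names one host while the destination, after unwrapping one redirect hop, is another. The redirect parameter names (`dest`, `url`) and all `.example` hosts are assumptions constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Visible link text that is itself a hostname or URL, e.g. "www.site.example/page".
SHOWN_HOST = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", re.I)

def bare_host(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def final_destination(href, redirect_params=("dest", "url")):
    # Unwrap one click-tracking hop. The parameter names are hypothetical,
    # chosen for this example; they are not a documented ad-link format.
    query = parse_qs(urlsplit(href).query)
    for name in redirect_params:
        for value in query.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return href

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = SHOWN_HOST.match("".join(self.text).strip())
        actual = bare_host(urlsplit(final_destination(self.href)).hostname)
        if shown and actual:
            claimed = bare_host(shown.group(1))
            # Same host, or a subdomain of the claimed host, counts as a match.
            if actual != claimed and not actual.endswith("." + claimed):
                self.findings.append((claimed, actual))
        self.href = None

def mismatched_links(html):
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    return audit.findings  # list of (claimed host, actual host)
```

Links whose text is a plain label rather than a hostname are skipped, since they make no claim about the destination that can be compared.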

So, say a user had clicked on this Sponsored Link. It would then direct them to a malicious site which contains a script which we detect as JS/Wonka. This site has an iframe which contains a number of exploits, and which we detect with script scanning enabled as JS/Exploit-BO.gen. There are two particularly notable exploits in this lot - one for a recent QuickTime vulnerability and one for the ANI vulnerability from last month. This is one of the first instances we’ve seen of the QuickTime vulnerability being exploited. The end result of this script is that it installs a downloader, for which detection is being added as Generic Downloader.ab. This downloader then downloads a PWS-Banker trojan to steal your online banking credentials.

Whew. Everyone feeling sufficiently dizzy now?

In the past, we’ve seen looping techniques used for index hijacking in order to increase Page Rank, so that a page will show up higher in the list of returned results in Google’s search results, but Sponsored Links play by a different set of rules. To get a sponsored link, you actually have to agree to pay for your clicks. And as this link was the top sponsored link, they had to have paid more money than other sponsors.

Google has terminated the account which set up this list of sponsored links, so this is not currently functional. I wonder what the return on investment would have been in terms of cost per click versus “positive” identity theft results. Had people who clicked on the malicious link had security software in place to detect this or prevent them from having their banking information sent off, would this have been a significant money-pit for them?

Source: Computer Security Research - McAfee Avert Labs Blog
