A number of legitimate Web sites have again succumbed to another case of iFrame Search Engine Optimization (SEO) poisoning. Among those reported compromised were the Washington State University site and several news sites such as the Sun Gazette and the Tribune-Chronicle. Proof is the following screenshot, which shows how many search results turn up when the unlikely search term “nmidahena.com” is used:
This is yet another incident in what looks like a never-ending string of attacks that has compromised high-profile Web sites such as ZDNet Asia and TorrentReactor early last month. Shortly after, Wired.com and History.com were also affected, followed by another attack, this time on a number of news Web sites. This may suggest that cyber criminals, apart from taking advantage of this SEO vulnerability, are also testing which types of Web sites give them the best return. From social networking and entertainment to news and education, the trend may depend on where cyber criminals think the traffic is.
Further investigation by Trend Micro researchers reveals that the tool used to conduct this massive attack is not new; it was already used in a similar attack last year. The toolkit that previously used the domain yl18.net and compromised hundreds of Web sites in November last year is the same toolkit used in this attack, this time using the domain nmidahena.com. This is a screenshot of one of the tools:
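For site operators checking whether their own pages carry an injected frame of the kind described above, the following added example (not Trend Micro's tool, nor the attackers') scans HTML for iframes that point at either domain named in this post or at any other third-party host, and additionally flags frames styled to be invisible. The host example.edu, the sample page and its markup are constructed for illustration.

```python
"""Flag iframes that look injected: known-bad or third-party src, and/or hidden.
Added example for this post; not Trend Micro's tooling. Sample data is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.edu"  # assumed: the legitimate site's own host
# Domains the post attributes to the toolkit; treat as known-bad.
KNOWN_BAD = {"nmidahena.com", "yl18.net"}


def _is_hidden(a):
    """True if the frame is styled invisible or sized 0/1 px (typical of injected frames)."""
    style = (a.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [(a.get(k) or "").lower().rstrip("px") for k in ("width", "height")]
    return any(d in ("0", "1") for d in dims)


class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        reasons = []
        if host in KNOWN_BAD:
            reasons.append("known-bad domain")
        elif host and host != SITE_HOST:
            reasons.append("third-party domain")
        if _is_hidden(a):
            reasons.append("hidden (zero-size or display:none)")
        if reasons:
            self.findings.append((src, reasons))


def find_injected_iframes(html):
    """Return [(src, reasons)] for every suspicious iframe in the page."""
    p = IframeFinder()
    p.feed(html)
    return p.findings


# Constructed sample: one legitimate same-site frame, one injected hidden frame.
SAMPLE_PAGE = """<html><body><h1>Campus news</h1>
<iframe src="http://www.example.edu/calendar" width="600" height="400"></iframe>
<iframe src="http://nmidahena.com/" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_injected_iframes(SAMPLE_PAGE):
        print(src, "->", ", ".join(why))
```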
This recent turn of events shows that cyber criminals are clearly capitalizing on this method of distributing malware. More than 40% of Web threat incidents in both January and February involved the use of legitimate Web sites to distribute malware, with most affected sites related to social networking and entertainment. In March, however, almost all incidents involved the compromise of legitimate Web sites, this time affecting Web sites related to education. USA Today also reported that security researchers found several hundred thousand corrupted Web pages returned by common Google search queries in March alone.
Despite Google's clear involvement in this malware distribution, security researchers have taken Google's side on the case, saying that the search engine is not directly responsible for these attacks. I believe this still does not let Google off the hook; a search engine being used as a channel for malware distribution seriously calls for the development of security measures.