Active Members Fi8sVrs Posted October 24, 2014 Active Members Report Share Posted October 24, 2014 An interesting attack showed up in the logs this past weekend. The attack traffic was headed to rogue subdomains on a couple of sibling sites: powoxf8uaknp86axrpzl97f.boletinesvissionglobal.com.mx 65qdu662douvxj2qxw8chf7.boletinesvissionglobal.com.mx lqn33iegyocygy9e579lq9f.boletinesvissionglobal.com 5lgxlni6g9y9byhgl6lgnni.boletinesvissionglobal.com wim3gcwsscepr0e1p011bjf.boletinesvissionglobal.com wim3gcwsscepr0e1p011bjf9060540dcbea42d013df5ad5163d17f03.boletinesvissionglobal. comBoth parent domains live at IP address 72.249.55.79, which belongs to a server hosting company in St. Louis, and both domains (which have had no traffic in the last year, until the weekend) are currently showing "account suspended" pages:The rogue subdomains, on the other hand, lived on a different IP (107.6.150.82), which belongs to a Netherlands host, although our logs show it currently living in the U.S.We saw over 200 requests on Sunday for these URLs, all of which were flagged in real time as Malware by WebPulse's Malnet Tracker module, and this was only part of the attack. But that's not why it was interesting...Looking at where the attack traffic was coming from, we saw that most of it was coming from search engines. (With as much as we've written about Malvertising attacks this year, it can be easy to forget that other traditional attack vectors like Search Engine Poisoning (SEP) and Spam are still alive and well.)But the SEP angle got a lot more interesting when we looked at which search engine domains were involved in the traffic: although there was some traffic from the generic google.com and bing.com domains, most of the domains were in Arabic-speaking countries (e.g., google.com.sa, google.com.eg, google.ae, etc.). And, as you might expect, most of the search terms that had been used by the attack victims were in Arabic.Furthermore, along with the direct SEP traffic, a number of Arabic-language forums were also seen as traffic sources into the attack network -- apparently due to links from search engines -- so this campaign was rather unusual in being so focused in a single language. (It wasn't entirely Arabic-based, as some of the searches that led to SEP clicks were in English, but the clear majority of the sources were Arabic.)Non-English SEP attacks aren't rare, of course, but normally when we analyze SEP attack logs, we expect to find a mixture of languages. This attack was definitely unusual in that regard.The analyst who found this network simply noted that the sites were hosting an exploit kit, but didn't name a specific one. Since we blocked all of the initial requests, there weren't any payloads to analyze, and I wasn't able to get anything from the attack sites when I tried, so that's where the story ends... We'll continue to monitor this network.Via https://www.bluecoat.com/security-blog/2014-10-22/arabic-search-engine-poisoning-attack Quote Link to comment Share on other sites More sharing options...
