Fi8sVrs

An Arabic Search Engine Poisoning Attack


An interesting attack showed up in the logs this past weekend. The attack traffic was headed to rogue subdomains on a couple of sibling sites:

  • powoxf8uaknp86axrpzl97f.boletinesvissionglobal.com.mx
  • 65qdu662douvxj2qxw8chf7.boletinesvissionglobal.com.mx
  • lqn33iegyocygy9e579lq9f.boletinesvissionglobal.com
  • 5lgxlni6g9y9byhgl6lgnni.boletinesvissionglobal.com
  • wim3gcwsscepr0e1p011bjf.boletinesvissionglobal.com
  • wim3gcwsscepr0e1p011bjf9060540dcbea42d013df5ad5163d17f03.boletinesvissionglobal.com

Both parent domains live at IP address 72.249.55.79, which belongs to a server hosting company in St. Louis, and both domains (which have had no traffic in the last year, until the weekend) are currently showing "account suspended" pages:

[image: boletines_malware.png]

The rogue subdomains, on the other hand, lived on a different IP (107.6.150.82), which belongs to a Netherlands host, although our logs show it currently living in the U.S.

We saw over 200 requests on Sunday for these URLs, all of which were flagged in real time as Malware by WebPulse's Malnet Tracker module, and this was only part of the attack. But that's not why it was interesting...

Looking at where the attack traffic was coming from, we saw that most of it was coming from search engines. (With as much as we've written about Malvertising attacks this year, it can be easy to forget that other traditional attack vectors like Search Engine Poisoning (SEP) and Spam are still alive and well.)

But the SEP angle got a lot more interesting when we looked at which search engine domains were involved in the traffic: although there was some traffic from the generic google.com and bing.com domains, most of the domains were in Arabic-speaking countries (e.g., google.com.sa, google.com.eg, google.ae, etc.). And, as you might expect, most of the search terms that had been used by the attack victims were in Arabic.

Furthermore, along with the direct SEP traffic, a number of Arabic-language forums were also seen as traffic sources into the attack network -- apparently due to links from search engines -- so this campaign was rather unusual in being so focused in a single language. (It wasn't entirely Arabic-based, as some of the searches that led to SEP clicks were in English, but the clear majority of the sources were Arabic.)

Non-English SEP attacks aren't rare, of course, but normally when we analyze SEP attack logs, we expect to find a mixture of languages. This attack was definitely unusual in that regard.

The analyst who found this network simply noted that the sites were hosting an exploit kit, but didn't name a specific one. Since we blocked all of the initial requests, there weren't any payloads to analyze, and I wasn't able to get anything from the attack sites when I tried, so that's where the story ends... We'll continue to monitor this network.

Via https://www.bluecoat.com/security-blog/2014-10-22/arabic-search-engine-poisoning-attack
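The post's triage steps (isolate requests into the attack network's parent domains, notice that the subdomain labels are machine-generated, and break the referrers down by search-engine country domain) can be reproduced from ordinary proxy logs. The script below is an added example, not code from the post or from Blue Coat; it assumes a whitespace-separated log format of timestamp, client IP, requested URL and HTTP referer, uses constructed sample lines, and the length/entropy thresholds for "generated-looking" labels are assumptions chosen for this example, not values stated in the post.

```python
"""Proxy-log triage for a search-engine-poisoning (SEP) campaign.

Added example, not part of the original post. Steps:
  1. keep only requests whose host is a parent domain from the post or a subdomain of it
  2. flag hosts whose leftmost label looks machine-generated (long, high-entropy, mixed digits)
  3. tally referrers by search engine and country-code TLD (google.com.sa -> 'sa')
"""
import math
from collections import Counter
from urllib.parse import urlparse

# Parent domains named in the post; the rogue hosts were subdomains of these.
PARENT_DOMAINS = ("boletinesvissionglobal.com", "boletinesvissionglobal.com.mx")

# Constructed sample log lines (not real traffic): "<ts> <client> <url> <referer>"
SAMPLE_LOG = """\
2014-10-19T10:01:02Z 10.0.0.5 http://powoxf8uaknp86axrpzl97f.boletinesvissionglobal.com.mx/ http://www.google.com.sa/search?q=x
2014-10-19T10:03:11Z 10.0.0.9 http://65qdu662douvxj2qxw8chf7.boletinesvissionglobal.com.mx/ http://www.google.com.eg/search?q=y
2014-10-19T10:05:40Z 10.0.0.12 http://lqn33iegyocygy9e579lq9f.boletinesvissionglobal.com/ http://www.google.ae/search?q=z
2014-10-19T10:07:05Z 10.0.0.3 http://5lgxlni6g9y9byhgl6lgnni.boletinesvissionglobal.com/ http://www.google.com/search?q=w
2014-10-19T10:09:30Z 10.0.0.7 http://wim3gcwsscepr0e1p011bjf.boletinesvissionglobal.com/ http://forum.example/thread/1
2014-10-19T10:11:00Z 10.0.0.8 http://www.boletinesvissionglobal.com/ -
2014-10-19T10:12:15Z 10.0.0.2 http://www.example.org/ http://www.bing.com/search?q=v
"""

SEARCH_ENGINES = {"google", "bing", "yahoo"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def in_attack_network(host: str) -> bool:
    """True if host is one of the parent domains or a subdomain of one."""
    host = host.lower()
    return any(host == p or host.endswith("." + p) for p in PARENT_DOMAINS)


def looks_generated(host: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Heuristic for labels like the 23-character ones in the post: long, high
    entropy, and containing digits (which keeps long dictionary words out).
    Thresholds are assumptions for this example, not values from the post."""
    label = host.lower().split(".")[0]
    return (len(label) >= min_len
            and any(ch.isdigit() for ch in label)
            and shannon_entropy(label) >= min_entropy)


def classify_referer(referer: str):
    """Return ('search', engine, cc), ('site', host) or ('direct',)."""
    if referer in ("", "-"):
        return ("direct",)
    host = (urlparse(referer).hostname or "").lower()
    parts = host.split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    if parts and parts[0] in SEARCH_ENGINES:
        tld = parts[-1]
        cc = tld if len(tld) == 2 else "generic"  # google.com.sa -> 'sa', google.com -> 'generic'
        return ("search", parts[0], cc)
    return ("site", host)


def analyze(log_text: str) -> dict:
    """Return hits into the attack network, a referrer tally and generated-looking hosts."""
    hits = []
    referers = Counter()
    generated = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line, skip it
        ts, client, url, referer = fields
        host = urlparse(url).hostname or ""
        if not in_attack_network(host):
            continue
        hits.append((ts, client, host))
        referers[classify_referer(referer)] += 1
        if looks_generated(host):
            generated.add(host)
    return {"hits": hits, "referers": referers, "generated_hosts": sorted(generated)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{len(report['hits'])} requests into the attack network")
    for key, n in report["referers"].most_common():
        print(f"  {n:3d}  {key}")
    print("generated-looking hosts:", *report["generated_hosts"], sep="\n  ")
```

On the sample above, six of seven lines land in the attack network, four of those six arrive from a search engine, three of the four from Arabic-country Google domains, and all five random-label subdomains are flagged while `www.boletinesvissionglobal.com` is not. The country-code grouping is what surfaces the regional skew the post describes; the same tally over a real log would show whether a campaign is language-focused or the usual mixture.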
