Chris Barton
Having been with "big red" since the Dr Solomons acquisition Chris has seen many come and go but is never content to be ...
Google’s code-hosting project is the latest free service to be abused by web spammers. We’ve seen one or two cases previously, but over the holidays the situation appears to have got much worse. The spammers are creating lots of new projects that host the following type of website:
Clicking the image will take you to today’s fake codec download site. Repeated clicks will take you to an adult site [both NSFW, you have been warned!].
The difference between this and the MSN Spaces abuse that is now about a year old is that Google appears to automatically index code projects, so any Google-Jedi can generate a good list (Google Search–again, don’t click the links) to start with.
Or the fact that the image is linked from http://bestsextube dot net/video.gif all the time might also be useful to know.
The icing on the cake, though, is the link to somewhere/in.cgi … I’ll come back to this later.
The porntube site is also host to a number of other related sites such as fake anti-anything software:
The codec download site, which is in Latvia, also hosts a number of related sites:
The Google Code project owner has a few other projects of a similar nature, too.
A year ago I blogged about MSN Spaces beta with a very similar issue… I even spoke to some very nice folks there about it, and a year later it’s still being abused by spammers [ spamhaus award. ] I trust Google would like to appear less evil and will take more decisive action. I’d suggest mashing Google Code and Safe Browsing together, but Safe Browsing appears not to find anything wrong with the clickable links, though it did catch on after some redirection took place.
…perhaps I should start consulting on this sort of thing
Anybody suffering déjà vu? “/in.cgi” should ring an alarm bell or two. If not, check out my colleague Micha’s blog on traffic management. He explains what happens to those clicks! This is campaign “6.”
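The two indicators named above (the lure image always hotlinked from the same host, and a click target ending in in.cgi) can be checked mechanically on crawled project pages. This is an added example, not code from the original post; the sample pages and the host `redirector.example` are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators taken from the post; the host is stored defanged, as the post wrote it.
IMAGE_HOST = "bestsextube dot net".replace(" dot ", ".")
IMAGE_PATH = "/video.gif"
TDS_SCRIPT = "in.cgi"  # traffic-management entry point named in the post


class LureFinder(HTMLParser):
    """Collects (link target, image source) pairs for images wrapped in links."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the <a> element we are currently inside
        self.pairs = []     # (href, img src) for every clickable image

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href") or ""
        elif tag == "img" and self._href is not None:
            self.pairs.append((self._href, attrs.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def score_page(html):
    """Return the sorted names of the indicators that match one project page."""
    finder = LureFinder()
    finder.feed(html)
    hits = set()
    for href, src in finder.pairs:
        img, link = urlsplit(src), urlsplit(href)
        if (img.hostname or "").lower() == IMAGE_HOST and img.path == IMAGE_PATH:
            hits.add("hotlinked-lure-image")
        if link.path.rsplit("/", 1)[-1].lower() == TDS_SCRIPT:
            hits.add("in.cgi-redirector")
    return sorted(hits)


# Constructed sample pages (not captured from real projects).
SPAM_PAGE = ('<p>Free video</p><a href="http://redirector.example/somewhere/in.cgi">'
             f'<img src="http://{IMAGE_HOST}{IMAGE_PATH}"></a>')
CLEAN_PAGE = '<a href="https://example.org/wiki"><img src="/logo.png"></a>'
```

Only images wrapped in a link are scored, which matches the clickable-image layout the post describes and keeps ordinary project logos out of the results.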
Happy new year to all!
Tags: google, google code, in.cgi, msn spaces, traffic manager
Do a search for Hunt’s Point within Google video,
and then click on the hit entitled,
Hunts Point Pimps And Hookers @ kooldvd.com
page redirects, foisting fake Flash installer upon.
Reverse traces to Latvia.
IP Address: 94.247.2.34
Location: RIGA (56.944N, 24.117E)
Network: 94-RIPE
domain: zlkon.lv
File Info Description
Report Generated 25.1.2009 at 0.32.30 (GMT 1)
Time for scan: 31 seconds
Filename: FlashPlayer.v3.181.exe
File size: 110 KB
MD5 Hash: D3EE381464C72DA4671C1B8F15A8281B
SHA1 Hash: B48EA7824B3DFC130FBF200BE7AB5D1D7ED96484
CRC32: 3376619150
Application Type: Executable (EXE) 32bit
Packer detected: Nullsoft PiMP Stub [Nullsoft PiMP SFX] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 3 on 24 (12,5 %)
Antivirus Sig Version Result
a-squared 25/01/2009 Nothing found!
Avira AntiVir 7.1.1.173 Nothing found!
Avast 090124-0 NSIS:Fasec [Trj]
AVG 270.10.7/1893 Nothing found!
BitDefender 25/01/2009 Nothing found!
ClamAV 25/01/2009 Nothing found!
Comodo 944 Nothing found!
Dr.Web 25/01/2009 Nothing found!
Ewido 25/01/2009 Nothing found!
F-PROT 6 20090124 Nothing found!
G DATA 19.2579 Packed.Win32.Tdss.a A
IkarusT3 24/01/2009 Nothing found!
Kaspersky 25/01/2009 Packed.Win32.Tdss.a
McAfee 17/01/2009 Nothing found!
MHR (Malware Hash Registry) 25/01/2009 Nothing found!
NOD32 v3 3796 Nothing found!
Norman 2009/01/23 Nothing found!
Panda 21/01/2009 Nothing found!
QuickHeal 24 January, 2009 Nothing found!
Solo Antivirus 25/01/2009 Nothing found!
Sophos 25/01/2009 Nothing found!
TrendMicro 791(579100) Nothing found!
VBA32 25/01/2009 Nothing found!
VirusBuster 10.100.37 Nothing found!
Trojan.DNSChanger.Gen is a generic class of trojans that reconfigure DNS
(Domain Name Server) settings on compromised machines in order to ensure
that all network requests from those PCs are directed to servers and
networks controlled by malicious parties, who can then inject malicious
content into otherwise legitimate web pages or even redirect requests for
standard web sites to bogus, malicious web sites.
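[...] Dave Marcus, director of security research at McAfee Avert Labs, pointed out that Google Code is a website that hosts development projects and code for programmers. Besides legitimate programs, it also carries fake video links that lead users to download a missing codec. But this code turns out to be trojan software that steals passwords and personal financial data. [...]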
Thanks for the info, but can you tell me if antivirus software can block such web sites?