Attack Utilizes Vanity Searches to Target Executives

Tuesday, March 29, 2011



Trusteer CEO

VIGNS" - short for "Vanity Infection from Google News Searches" - and the purpose is to create the circumstance where the targeted victim will enable the attacker to circumvent security measures and infect the executive's computer with malware.

Boodaei explains that the attacker first scouts out a prospective target using information available on the web, particularly social networks such as LinkedIn.

Next, the attacker creates a webpage infected with malicious code and releases it through various means, including legitimate servers that may be compromised and under the attacker's control.

The page is designed to exploit a zero-day vulnerability that has not yet been mitigated by commercial security software. All the attacker then needs is for the target to visit the webpage and thereby infect their own machine.

"But how do they get the victim to visit this page? With the help of Google - and their own vanity - of course. Most executives tend to have a Google Alert set up on their name. By placing the victim's name within the malicious webpage, it is possible to get Google to index the page and generate a Google Alert on the executive's name. The executive will receive the alert and will most likely click the link to check on who is mentioning him/her. Clicking the link will take the executive to a malicious webpage which will then infect their computer. Simple," Boodaei writes.

He goes on to enumerate several tactics that enable the attack method to escape detection by security software:

  • The attackers can wait to infect the baited page until after they know that Google has indexed the page, reducing the likelihood the malicious code will be discovered prior to an infection opportunity
  • The attackers can monitor the infected site closely to determine if the target has been infected, then remove the site immediately, which reduces the likelihood the malware will be detected and an alert issued
  • The attackers can enable the infected site to automatically redirect the victim to a legitimate webpage after infection, reducing the likelihood the victim will become suspicious
  • Another method is to block all bots from visiting the page, save for those needed for indexing - in this example, Google
  • Using hacker tricks of the trade, such as frequently changing malware variants to avoid signature detection and designing the malware to remove itself automatically if it infects a non-target's computer
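The evasion tactics above share an observable side effect on the recipient's side: the page shows one thing to the indexer and another to a person. The following is an added example, not code from the article or from Trusteer: a Python check that compares a crawler-user-agent fetch with a browser-user-agent fetch of the same alert link and reports the divergences that correspond to those tactics. The `Response` class, the URLs and the page bodies are constructed for the demonstration and no network access is performed.

```python
"""Cloaking check for links that arrive through name-based alerts.

Added example (not from the article): fetch the same URL once as a crawler
and once as a browser, then compare. A page only the indexer may see, or one
that sends the browser elsewhere, matches the evasion tactics listed above.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse


@dataclass
class Response:
    """Minimal view of an HTTP response (constructed; no network in this example)."""
    status: int
    body: str
    final_url: str  # URL reached after following any redirects


def _text_tokens(html: str) -> set:
    """Crude word set of the visible text (tags stripped) for a similarity estimate."""
    return set(re.findall(r"[a-z]{3,}", re.sub(r"<[^>]+>", " ", html.lower())))


def cloaking_indicators(url: str, bot: Response, browser: Response) -> List[str]:
    """Return every sign that the page treats the crawler and a person differently."""
    findings = []
    # Tactic: block every visitor except the indexing bot.
    if bot.status == 200 and browser.status in (401, 403, 404):
        findings.append(f"crawler gets {bot.status}, browser gets {browser.status}")
    # Tactic: send the browser on to another host (e.g. a benign page afterwards).
    browser_host = urlparse(browser.final_url).netloc
    if browser_host != urlparse(url).netloc:
        findings.append(f"browser redirected off-site to {browser_host}")
    # Crawler copy and browser copy share few words: classic cloaking.
    a, b = _text_tokens(bot.body), _text_tokens(browser.body)
    if a and b:
        jaccard = len(a & b) / len(a | b)
        if jaccard < 0.3:
            findings.append(f"content overlap only {jaccard:.0%}")
    # Browser copy carries active content that the crawler copy lacks.
    for tag in ("<script", "<iframe", "<object", "<embed"):
        if tag in browser.body.lower() and tag not in bot.body.lower():
            findings.append(f"{tag}> present only in browser response")
    return findings
```

In practice the two fetches come from an isolated analysis host; the check is a triage signal, not proof, since legitimate sites also vary content by user agent.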

Boodaei states that this example illustrates a simple attack method, and that there are other methods that are even more complex and all but impossible to avoid.

"So how do you protect against this type of attack? Being cautious is not enough. I consider myself to be fairly sophisticated when it comes to security awareness, yet I would easily fall for this type of attack. Keeping systems and anti-virus up to date won't help either as the attack uses zero-day unpatched exploits and the malware is completely unknown to anti-virus vendors," Boodaei wrote.

