Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Chile Earthquake Tragedy Used To Spread Malware

image
JULIEN SOBRIER
March 03, 2010 - 3 min read
Security Insights

Contents

  1. Article
  2. More blogs

As we've discussed multiple times, search engine optimization (SEO) is a favored tool for spreading malware. Along with the Haiti earthquake and the Winter olympics, the recent earthquake in Chile is a top news story. Unsurprisingly, attackers have already set up new websites to spread malware.

knoxhop.org/?q=hawai-tsunami-2010 is one of these malicious sites. It currently ranks from 19 to 22 for a Google search of "Chile tsunami 2010" (2nd or 3rd page). It shows up even with Safesearch on. As you can see on the screenshot, my antivirus thinks the page is safe (see the green star next to the page title added by the antivirus).

Image
Google search result for "Chile Tsunami 2010"
 
The page is typical of the malware sites I have seen recently - the harmful data is sent only if you arrive from Google search results. That is, if your referrer header contains the Google search URL. Direct access to this page, or the wrong user agent, gives you a harmless (but ugly!) web page.
Image
The harmless page with direct access
 

The malicious page is quite interesting:
 

');else if (navigator.userAgent.indexOf("Chrome")!=-1) document.write('
');else if (navigator.userAgent.indexOf("Opera")!=-1) document.write('
');else window.location=otr;


Depending on the user agent, and the OS, the user gets different content. An iframe linking to a Russian website is added for all users. It is used to count the number of people hitting this page.

Mac users get redirected to http://www.zml.com/?did=5663. This is an affiliate link to the movie download site zml.com.

Chrome and Firefox users get an iframe to http://89.248.160.238/page.php?id=46 which contains obfuscated javascript. This URL is blocked by Firefox as a known malicious site.

 

 

Image

 

 

Firefox warning


Internet Explorer and Opera browsers get an iframe to a fakeAV page.

With every new big events come new malware pages. Be aware of unknown website, even if the are displayed as top results on Google, and shown as safe by your antivirus!

 - Julien

form submtited
Thank you for reading

Was this post useful?

vote yes
Yes, very!
vote no
Not really

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.

Explore more Zscaler blogs

A cyber criminal shopping for malware

Agniane Stealer: Dark Web’s Crypto Threat

Read post
Business people walking through a city

The Impact of the SEC’s New Cybersecurity Policies

Read post
Digital cloud illuminated in blue

Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)

Read post
TOITOIN Trojan

The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region

Read post

01 / 02

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.