Earlier this week, I researched the top websites blacklisted by Google. I've looked at more of these websites over the last three days to better understand the most common attacks.
The findings are quite disappointing. First, most infected websites are not cleaned up after three days. Webmasters should see a huge drop in their traffic, since only Internet Explorer and Opera users would not receive a warning preventing them from visiting these sites, due to the fact that other browsers use the Google Safebrowsing blacklist. This also means that the owners of these very popular websites have not invested in keeping their website safe, or at least in solutions to detect the blacklisting of their pages, traffic anomalies, or the detection of malicious content.
still not educated enough to recognize fake software updates and still fall for the same old tricks.
These users won't get much help from their antivirus either. The detection rate of new malicious executables is very low, usually below 25%.
Here are some of the very recognizable malicious landing pages.
Fake Flash Updates
This is exactly the same attack we described in October 2011 (Naked Emma Watson video). A website that looks a lot like YouTube, claims that Flash must be upgraded to watch the sex video of some celebrity.
|Fake Youtube page|
|Warning about Flash upgrade|
Only 9 AV vendors out of 42
detect the fake Flash upgrade executable as maliciousFake AV
This one looks different than the usual fake AV pages
, as it is just an image with no animation.
|Fake AV page|
Detected by 12 AV engines out of 42
A common way for spammers to profit from users is to get them to do "free" trials in order to earn a gift (or so they claim). This type of scam is very, very common
. It's amazing that is still works.
In this example, the spammer uses a fake Youtube page to make the scam appear more legitimate.
There are many ways to know when your website is blacklisted. For example, you can register a free account with Google Webmaster Tools
. Then look under Health
for any indication of blacklisting. You can also check the Google Safe Browsing diagnostic page for your domain at http://www.google.com/safebrowsing/diagnostic?site=mysite.com
. This will tell you not only if your domain is blocked, but also if a portion of your site is compromised before
you actually get blacklisted. Finally, you can do some automated checks with the Google Safe Browsing Lookup API
. We have released libraries to interact with the API using Perl, Python and Ruby