Google sponsored links not safe?
We've been watching an interesting puzzle for a couple of weeks now, and last night the last couple of pieces fell into place. Since the 10th April, our community intelligence network has been finding exploit detections _seemingly_ at household name sites like the Better Business Bureau and
cars.com but are actually coming from a place called smarttrack.org
masquerading as one of the legit sites.
Google searches such as the phrase BetterBusinessBureau OR "Florida Business
Opportunity Law" or "Modern cars airbags required" will turn up these
dangerous sites (more on that below). Last night our researchers discovered that one of these rogue links was the number 1 sponsored link when people entered the phrase BetterBusinessBureau. See here. It looks safe, but a mouse-over our red verdict reveals the truth.
It sure looks like it will take you to a BBB website, and that's where you end up. Here's a screensnap of the result.
First, however, it takes the unwary traveler through smarttrack.org, which uses a modified MDAC exploit to try to install a backdoor and a post-logger on your system. The post-logger is specifically targeting about 100 banks from around the world, by injecting extra html into those banks response pages, to try to coax extra information out of the victim. (Although it specifically targets those 100, it is an equal-opportunity logger and happily logs all user ids and passwords for any webpage.)
Also, because the post logger is a browser helper object, it is part of the end-point of any SSL transaction, and can see everything in plain text, instead of encrypted.
Now, lots of links in any search engine point to infective sites, so that's not really a surprise, but this does highlight a significant issue. When you move the mouse over a normal, organic search result, google shows the url you are about to navigate to if you click. See here.
If, however, you mouse-over a sponsored result, no URL preview is shown! This means that a user has no clue where she is about to navigate to. See here. Savvy search engine users will know that often these sponsored links will take you through a
'Click-manager' or other advertising service and so seeing your browser pass
through smarttrack.org will appear benign enough.
Fortunately, google seems to have terminated that account as of about 11am est, but we detected about 20 different search strings that resulted in links to smarttrack.org, so it is not yet clear if all the links have been cleared up, but LinkScanner and SearchShield will surely reveal that over the next few days.
Labels: smarttrack bbb exploit