Analysis of An Advanced, Ongoing Spam Attack

It may have started as a post-mortem for spinn3r and Tailrank, but Jonathan Moore has written an incredibly detailed post about uncovering one of the most advanced spam tactics (attacks) he has seen yet. The problem surfaced when Tailrank/spinn3r noticed that something was putting spam into their crawler's database; the post goes into detail about how the spammers are using .edu domains (and other high-ranking blogs) to attain high page ranks in searches. Jonathan lays out what they found, including what people would get when they innocently clicked on a page on a .edu site (or an unwitting high-ranking blog):

Content of the Attack Page
The attack page contains a DHTML application that pretends to scan the victim's computer for malware and then offers a Windows .exe that will supposedly clean the computer of the malware that it "found."
In reality, the .exe is almost certainly itself malware. The Ajax was very well executed and looked identical to a Windows dialog box:
The code was also written to customize itself depending on what version of Windows was running and if the browser was Internet Explorer (…)
(…) The attacker tracked the referrer to detect which SEO spam campaigns and keywords were successful on specific doorway pages.
They can then use this data to determine which campaigns were most successful and focus their efforts on improving conversion.

As you can see (if you dare), some of the examples he cites are still affected, and he writes in the post that he thinks it took considerable work and thought to execute what may be a pretty widespread problem: "All of these steps add up to make this a very advanced attack. The attack probably took one-two man months of work to achieve." Expect a follow-up post soon (I'll update here, too) from Jonathan about how the attacker was getting links into the .edu domains. Jonathan tells me that what the attackers are doing is virtually invisible to the people who own the blogs and .edu domains, until their page rank disappears off Google and they wonder why.
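The attacker's own referrer tracking cuts both ways: a site owner can run the same analysis over their access log to spot injected doorway pages, which tend to draw search-engine traffic for keywords that have nothing to do with the site. The following is an added example, not code from Jonathan's post or from spinn3r; the log lines, host paths, IP addresses and the "expected vocabulary" for the hypothetical department site are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache combined format); paths and IPs are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2008:10:01:02 +0000] "GET /research/papers.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=university+signal+processing+papers" "Mozilla/4.0"
203.0.113.9 - - [10/Mar/2008:10:02:15 +0000] "GET /~lab/old/index.php?id=77 HTTP/1.1" 200 3310 "http://www.google.com/search?q=free+antivirus+download" "Mozilla/4.0"
198.51.100.2 - - [10/Mar/2008:10:03:44 +0000] "GET /~lab/old/index.php?id=77 HTTP/1.1" 200 3310 "http://search.yahoo.com/search?p=cheap+spyware+remover" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2008:10:04:01 +0000] "GET /research/papers.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# One combined-format line: client, identd, user, timestamp, request, status, bytes, referrer, agent.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

def search_terms(referrer):
    """Return the keywords carried by a search-engine referrer (Google 'q', Yahoo 'p'), else None."""
    u = urlparse(referrer)
    if "search" not in u.netloc and "search" not in u.path:
        return None  # direct hit ("-"), empty referrer, or a non-search site
    qs = parse_qs(u.query)
    for name in ("q", "p"):
        if name in qs:
            return qs[name][0].lower().split()
    return None

def referral_keywords_by_path(log_text):
    """Map each requested path to every search keyword that brought a visitor to it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path, referrer = m.groups()
        terms = search_terms(referrer)
        if terms:
            hits[path].extend(terms)
    return hits

def suspicious_paths(log_text, expected_vocabulary):
    """Paths whose search referrals share no word with the site's own topic vocabulary."""
    return sorted(path for path, words in referral_keywords_by_path(log_text).items()
                  if not any(w in expected_vocabulary for w in words))

EXPECTED = {"university", "signal", "processing", "papers", "research", "lab"}  # hypothetical site topics

if __name__ == "__main__":
    for p in suspicious_paths(SAMPLE_LOG, EXPECTED):
        print("doorway-like page receiving off-topic search traffic:", p)
```

On the constructed log the only flagged path is the forgotten PHP page under a user directory, which is exactly the kind of page an owner never looks at until the domain's ranking suffers.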

