Incident Response, Malware, Phishing, TDR

Google Blogspots redirecting to fake Bhutto videos


Updated Thursday, Jan. 3, 2008 at 1:33 p.m. EST

A number of Google Blogspot pages that promise video of the assassination of former Pakistani Prime Minister Benazir Bhutto remain active today, security researchers said.

Alex Eckelberry, president of anti-malware provider Sunbelt Software, said users searching Google for video of the assassination may click on what appear to be legitimate Blogspot pages but are redirected to sites pushing fake codecs.

If they click to install the codecs – said to be needed to watch the video – their PCs are infected with malware that will change DNS settings and hit users with pop-up ads to purchase fake anti-spyware products, Eckelberry told today.

"Blogspot has become a pretty good haven for these guys these days," said Eckelberry, who began spotting similar attacks several months ago. "These Blogger pages are supposedly well optimized for Google, and it's places (for attackers) to land, just like (Yahoo) GeoCities and other free hosting sites."

Meanwhile, researcher Tom Mercado, who runs TeMerc Internet Countermeasures, told today that he recently noticed a much more alarming type of attack on Blogspot that can infect users without any interaction on their part.

In that case, Blogspot readers using the "Next Blog" feature, which randomly takes users to another blog, could find themselves on a malicious page that automatically installs malicious files onto their machines.

"It's just land on the site and, pow, get hit," Mercado said, adding that users whose PCs are fully patched and running updated anti-virus may be able avoid infection.

He said that around Christmas, he noticed several hundred of these blogs, which attempt to install bogus codec files.

"It's all about someone getting a certain amount of money for every install," Mercado said.

Despite Google claiming to shut down any hosted sites that violate its terms of service, security experts believe this style of attack may continue.

"Once they see they can get away with it, they're going to increase the number," Mercado said. "It can exponentially get really bad."

A Google spokesperson said that while there is no security hole on Blogspot, the company will remove any sites that spread spam or point users to malware

"Google takes the security of our users very seriously," the spokesperson said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.