Fake Security Blog Broadens Malware

February 4, 2008

Users thinking of using a Google-hosted blog for security information could be in for a horrible surprise according to one security expert.

The ‘Brittany’ blog, which allegedly informs users of secuity risks, is actually trying to tempt users to click on a contaminated link, said Ofer Elzam, director of product management in Aladdin’s eSafe division.

To hoax readers looking for information related to genuine security products, the blog has copied content related to security vendors Symantec, Trend Micro and Aladdin Knowledge Systems, said Elzam.

Elzam said this was the first time his company had witnessed this type of exploit. An Aladdin employee initially spotted the exploit when she received a Google alert about Aladdin. But she instantly thought it looked odd.

Elzam said about the alert “This alert was about an award from a few years ago, but someone had changed the quote slightly from 2005 to 2008. There were other entries there too, related to Symantec and Trend Micro.”

Anyone who clicked on links in the Google email alert, or on the blog with the fake security vendor information, would discover themselves re-directed to a porn site and the focus of attack code that would endeavour to load malware onto their machine.

Elzam said “This is the first time we’ve seen something like this. If you get a message from a Google alert, you might think this is a service you can trust. But it’s directing you to a rogue site with fake security software. And it’s tricking Google, too.”

Google’s personal announcement of use connected with its blog service makes it lucid that Google is under no compulsion to patrol, noting that the Google blog sites “can carry offensive, harmful, inaccurate or other inappropriate material.”

Google states in its usage policy that “Google does not monitor the contents of Blogger.com and Blogspot.com, and takes no responsibility for such content. Instead, Google merely provides access to such content as a service to you.”

Aladdin’s Elzam speculates if other high-tech companies in the network industry are finding their content stolen and their brands influenced by malicious blog posts planned to dupe users into downloading malware.

Tom Gillis, vice president of marketing at Cisco’s IronPort division, said he wasn’t conscious of anything comparable targeting Cisco this way, but does know the practice of bogus blog postings to spread malware is a mounting development in complicated attacks.

Gillis said “They use a blog to get your attention and then drag you to a webite for downloading malware. We’re seeing this all the time now.”