UPDATE March 2012: So I was rereading my own blog and wondered if I got this post right. I googled and it turns out it was probably a FAIL. Although Van Morrison denies it, he bought Gigi a house in Texas and visited her and the child regularly (although she recently passed away). Guess I should have known: writing about celebrity gossip, the truth will probably never really be made public.
On December 29th, 2009 I noticed a story come across the wires about the singer Van Morrison and Gigi Lee having a baby. This was picked up by the Associated Press and many legitimate news outlets. It turns out it was a carefully orchestrated plan to drive traffic to keywords already seeded on hacked websites that redirected to mostly known fake AV malware servers (more on that at the bottom). Not knowing this at the time, I did a quick Google search out of normal user interest and got these results…
Being the paranoid security guy I am, I immediately noticed the similarity in the URLs and that they weren’t domains of news sites. For example domain.com/xxx.php?=gigi%20… or domain.com/xxx.php?=van%20… Hmmmm, those don’t look like legit results to me. Welcome to the world of Blackhat SEO. I don’t presume to be the end-all authority on this, as Dancho Danchev, Sophos and others have been tracking this for years. But this was a new twist: the bad guys were not grabbing the currently hot top search results (like when a celebrity dies) and competing with other pages to get their rank high, they INVENTED the keywords and already had the seeded keywords in Google’s page rank before attacking Van Morrison’s website! Gotta respect the ingenuity; wish they were on the good guys’ side. Whatever Google is doing to stop the bad guys gaming its page rank algorithm isn’t working very well, although in this instance Google was working as intended. If a malware author can poison a person’s view of the web (search engine results) then the average user doesn’t have much of a chance. It turns out any one of the links redirected me to a known malware page. I followed them with Malzilla; here’s an example…
… ALL LINKS CHANGED SLIGHTLY TO PROTECT THE INNOCENT …
1. First, the click on Google’s search result link
http [break] ://www.google.com/url?sa=t&source=web&ct=res&cd=17&ved=0CB8QFjAGOAo&url=
2. Redirects to the search result
HTTP/1.1 302 Found
Location: http [break]://xxxxxx-law.com/mvf.php?t=gigi%20lee
Content-Type: text/html; charset=UTF-8
Date: Wed, 30 Dec 2009 17:04:04 GMT
Which is a .php script that looks like it’s taking an input of “t=gigi lee” (the %20 is an encoded space). So I tried it without the correct input and with the default “wget” user-agent, and was cleverly 301 redirected to the cnn.com homepage. I thought that was a nice touch by the bad guys.
3. Continuing with the correct link gets me to the following (hmmm, a random .pl domain is not a good sign. No offence intended to Poland):
Date: Wed, 30 Dec 2009 17:04:12 GMT
Location: http [break]://vby1x4.xoeg .pl/in.php?t=cc&d=29-12-2009_tr2&h=xxxxxx-law.com&p=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3D…. snip….6vz49MerFAydtg
4. Then finally the link below, which my endpoint HIPS stopped. Just from the link you can tell it’s a fake AV Trojan, probably with a couple of exploits to go along with it (I didn’t go down the rabbit hole any farther). I was also impressed with the Firefox WOT add-on (link), as I kept having to disable it to follow the redirects with Firefox. Definitely recommend it, along with NoScript of course.
HTTP/1.1 302 Found
Date: Wed, 30 Dec 2009 19:08:52 GMT
Server: Apache/2.0.55 (Unix) PHP/5.2.1
Location: http [break] ://createpc-pcscan-kokn .net/?uid=195&pid=3&ttl=e11476d0489
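To make a chain like the one above easier to inspect, here is an added Python example (mine, not the author’s, and not Malzilla or any tool mentioned in the post) that parses captured redirect headers, tags the role each hop plays, and checks for the user-agent cloaking described in step 2. The hostnames, the SEEDED_KEYWORD and the tag names are constructed placeholders; the parameter patterns are modelled on the hops quoted above.

```python
from urllib.parse import urlparse, parse_qs
SEEDED_KEYWORD = "gigi lee"  # the invented search term the whole chain was built around

def parse_response(raw):
    """Split a raw HTTP response header block into (status code, {header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def analyze_chain(hops):
    """Follow Location headers hop by hop; returns [(hostname, [tags])] with my own tag labels."""
    report = []
    for raw in hops:
        status, headers = parse_response(raw)
        if status not in (301, 302) or "location" not in headers:
            break  # the chain ends at the first non-redirect response
        url = urlparse(headers["location"])
        params = parse_qs(url.query)  # parse_qs already decodes %20 and friends
        tags = []
        # Hacked site: a .php script gated on the seeded keyword (mvf.php?t=gigi%20lee)
        if url.path.endswith(".php") and any(SEEDED_KEYWORD in v[0].lower() for v in params.values()):
            tags.append("keyword-gate")
        # Traffic-distribution hop: forwards the search-engine referrer in a parameter (p=http%3A%2F%2Fwww.google.com...)
        if any("google.com/url" in v[0] for v in params.values()):
            tags.append("referrer-passthrough")
        # Fake-AV landing page: affiliate-style uid/pid tracking parameters
        if {"uid", "pid"}.issubset(params):
            tags.append("affiliate-landing")
        report.append((url.hostname, tags))
    return report

def is_cloaked(responses_by_user_agent):
    """True when the same URL sends different user agents to different hosts."""
    hosts = {urlparse(parse_response(raw)[1].get("location", "")).hostname
             for raw in responses_by_user_agent.values()}
    return len(hosts) > 1

# Constructed samples modelled on the hops quoted above; hostnames are placeholders, not the real sites.
HOPS = [
    "HTTP/1.1 302 Found\nLocation: http://hacked-site.example/mvf.php?t=gigi%20lee\nContent-Type: text/html; charset=UTF-8",
    "HTTP/1.1 302 Found\nLocation: http://tds.example.pl/in.php?t=cc&d=29-12-2009_tr2&h=hacked-site.example&p=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt",
    "HTTP/1.1 302 Found\nServer: Apache/2.0.55 (Unix) PHP/5.2.1\nLocation: http://fakeav.example.net/?uid=195&pid=3&ttl=e11476d0489",
    "HTTP/1.1 200 OK\nContent-Type: text/html",
]
BY_UA = {"Mozilla/5.0 (Windows NT 6.1)": HOPS[1],  # a browser with the right query gets the .pl hop
         "Wget/1.12": "HTTP/1.1 301 Moved Permanently\nLocation: http://www.cnn.com/"}  # wget gets cnn.com
```

Running analyze_chain(HOPS) gives one tagged entry per redirect hop, and is_cloaked(BY_UA) is True because the browser and wget land on different hosts.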
So I was intrigued by this .php file that they were able to upload to many websites, like the example above, which is a law firm in Boston, Mass. I contacted several of them to tell them of the infection and to ask if I could get a copy of that server-side .php script, but none have done so.
So the whole thing was an elaborate scheme to get hits, as it was most likely the same group of hackers that compromised the singer’s website and started the whole thing. I was wondering how they knew to upload the files with the right keywords before the news broke, and had figured they must have ongoing access to adjust the keywords or replace the .php depending on the current news story, which still could be true. The AP picking up the story must have had the bad guys celebrating for sure.
From the BBC news site:
The Belfast-born 64-year-old said he had been the victim of an internet hacking attack that had placed “falsehoods” on his official website. BBC News was one of several outlets to report the hoax as fact. “The comments which appeared on my website did not come from me,” he [Van Morrison] said, in a statement issued to the media. The singer said he had asked his management team to carry out an immediate investigation, adding it was the second time his website had been hacked in the last three months.
Link to MTV talking about it. They missed the point though: it wasn’t an innocent hoax, it was motivated by the second-oldest story in the book… money.