Did I just wander into a Blackhat SEO attack?

Discussion in 'malware problems & news' started by Carbonyl, Jun 29, 2010.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Interesting little problem I had this evening. I needed to make a Paypal payment, but made the mistake of trying to make it while tired. Instead of using the URL bar, I punched "Paypal" into Google, for some reason (aforementioned lack of rest, probably). Not thinking, I clicked the first link - Which wasn't a link at all, but a Google Ad:

    http://i47.tinypic.com/5a2lvq.jpg

    I immediately knew something was wrong, because I landed on a blank white page with a weird URL (For the sake of completeness, The first one was hxxp://www.google.com/aclk?[lots of random letters and numbers I won't include here], which redirected me to hxxp://altfarm.mediaplex.com/ad/ck/[Yet more random letters and numbers I won't include] ). I browse in Opera 10.54 with javascript on a whitelist, so I assume this altfarm site didn't have javascript permissions to do anything else.

    Afterward, I got a little panicked, and immediately killed the browser. I'm running Opera inside Sandboxie, but my settings combined with the fact that I run on x64 Windows 7 Professional mean that (maybe) Sandboxie isn't so safe. Regardless, it auto-purged the sandbox immediately after I terminated Opera. At any rate, NOD32 didn't pick up anything, either.

    Was this one of the "Blackhat SEO" attacks I hear so much about? I know, of course, that I should be using the URL bar for everything - and I sure will now! - But I'm wondering if I'm at any risk here from the misclicked link that I foolishly followed.

    Edit: Another quick Google search reveals that the altfarm.mediaplex.com/ad/ck/ domain is associated with an endless list of malware and nasties. I hate the fact that the topmost google link is almost always malware these days... How much of a risk am I at after having clicked, if I didn't see any popup or installation attempt? Could something have gone through silently? Are the security measures I have in place sufficient, I hope? Any help would be very appreciated. Thanks!
     
  2. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    My gut hunch is you're fine. You are running as a Standard User, right? And you never entered any personal data...
     
  3. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I never entered any personal data during that browser session, no. I didn't even see any location to do so (or any webpage at all, which is what got me worried until I realized my error). I killed the browser and let Sandboxie do a purge before opening a new session, but in that new session I did log into my email and make a Paypal payment (deadlines, and no other computers around). I'm using Sandboxie's "drop rights" as well as being a standard user, too.

    Just worried, since I got pinged around to what I'd call a shady site. I remember reading several times about the net that you no longer need to agree to install malware to get infected - you just have to look at the wrong webpage.

    Edit: Just running a full Malwarebytes Antimalware scan now. It's already found 2 infected items. I can't believe this. I thought that disabling javascript and using Sandboxie would be enough to keep me protected, but apparently just clicking that link and doing nothing else was enough to infect me.
     
    Last edited: Jun 29, 2010
  4. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Update: Okay, so I'm not sure what to make of these MalwareBytes results:

    http://i45.tinypic.com/33jn1o4.jpg

    The first is a file I got from Steam and hasn't been touched in months. MalwareBytes has scanned it numerous times without complaining, and Virustotal says it's nothing to worry about.

    The second one is in a location where I certainly don't have write permissions, and I don't know what an "Extension Mismatch" means. Can any provide insight? Am I overreacting here, or ought I start to consider reformatting?
     
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,291
    Location:
    England
  6. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Thanks for that! I don't know quite what to make of what they're saying there. The first bit sounds like a false positive, while the second part of the post tree looks like it might be something genuine... I do appreciate the link!

    I'm still a bit worried, since trying to email out samples to a few locations for analysis bounced off of Gmail with an 'illegal attachment' message.
     
    Last edited: Jun 29, 2010
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi

    I would change your Paypal password :thumb:

    In future if you use https://ssl.scroogle.org you won't see any ads ;) and the top link should always be the genuine Paypal.

    pps.gif

    You could do a System Restore back to before this happened, so even if you did Allow something in, it should resolve it.
     
  8. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,291
    Location:
    England
    Have you done as suggested on the MBAM forums and updated your defs and rescanned?
     
  9. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Thanks, CloneRanger. I'll certainly never be looking at Google the same way again. I'm less concerned about that, though, and more concerned about how something could have gotten through Opera without Javascript on, without user interaction, past Sandboxie, and not set of ESET.

    I just noticed that. I had to step away from the computer in question to go to work, but once I get back home tonight I'll have to restore from quarantine and try a rescan. Thanks, stapp!
     
  10. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    So, just took a moment here at work to look at the altfarm.mediaplex.com redirect thing from Google on a Linux machine. I managed to grab the page source.

    Code:
    <html><head><title></title>
    <script language="JavaScript1.1">
    <!--
    window.location.replace("https://www.paypal.com/cgi-bin/marketingweb?cmd=_home-general&nav=0&kw=AGID_LA_GSR1_TM_PPGNGen_EX_Head_KWID_KYWD_ADID_4836762008&mplx=AGID_LA_GSR1_TM_PPGNGen_EX_Head_KWID_KYWD_ADID_4836762008&crlp=4836762008&mpch=ads");
    //-->
    </script>
    <noscript>
    <meta http-equiv="refresh" content="0;URL=https://www.paypal.com/cgi-bin/marketingweb?cmd=_home-general&nav=0&kw=AGID_LA_GSR1_TM_PPGNGen_EX_Head_KWID_KYWD_ADID_4836762008&mplx=AGID_LA_GSR1_TM_PPGNGen_EX_Head_KWID_KYWD_ADID_4836762008&crlp=4836762008&mpch=ads">
    </noscript>
    </head><body><a href="https://www.paypal.com/cgi-bin/marketingweb?cmd=_home-general&nav=0&kw=AGID_LA_GSR1_TM_PPGNGen_EX_Head_KWID_KYWD_ADID_4836762008&mplx=AGID_LA_GSR1_TM_PPGNGen_EX_Head_KWID_KYWD_ADID_4836762008&crlp=4836762008&mpch=ads">Click Here</a></body></html>
    I'm no expert, but I'm guessing there's nothing terrible nasty here as far as malware? Looks like maybe some web-tracking, but that's all... Then again, I could be wrong!

    Between this revelation, and the multiple reports of false positives (on both issues) over at Malwarebyets, something tells me this has just been a series of coincidences, and that I've been overreacting. If that is the case, I'm sure sorry to everyone here for letting my paranoia get the better of me!
     
  11. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,291
    Location:
    England
    I don't think you over reacted at all :)

    You were unsure about something and asked for comments about your concerns.
     
Loading...
Thread Status:
Not open for further replies.