Malicious Code Appears on Blogger.com


Mystic
03-18-2007, 12:20 AM
Blogger.com (Google) is one of the most visited blog sites. Due to its popularity, hackers have started to embed malicious scripts on some blogs. These scripts have shown up on hundreds of Blogger.com sites. In some cases, a variant of the Stration mass mailer is responsible for directing traffic to the Blogger.com sites.

Pharmacy Express

One script redirects the user to a “storefront” for Pharmacy Express. The Pharmacy Express site is a phishing site, which is designed to coax personal details and financial information from visitors.

Another script downloads a 1x1 pixel image to track browser information such as IP address, browser type and version, etc. While the Pharmacy Express site is hosted in China, the 1x1 pixel image is hosted on a site registered in the United States.

The Pharmacy Express phishers have been very aggressive in distributing the Pharmacy Express URL via mass mailers (e.g. Stration). The spam message appears to link back to Blogspot.com (screen shot below). A blogger recognizing the domain may be more tempted to visit the link.

Honda CR450 enthusiast

Another example was discovered on March 5, and is an actual Blogger.com site that has been embedded with malicious code. The site, seemingly created by a Honda CR450 enthusiast, now infects visitors with the Wonka Trojan. The trojan is posted on a web site hosted in Russia. This site may have been chosen due to its popularity in search engines.

Summary

The above examples represent some of the malicious web sites that use the popularity of Blogger.com (under blogspot URLs) to exploit unsuspecting users. Other popular topics commonly linked to malicious blog sites include Star Wars, school, furniture, Christmas, cars and girlfriend.
More Info (http://www.fortiguardcenter.com/advisory/FGA-2007-04.html)
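
The two script behaviours described in the post above (a redirect to an off-site storefront and an off-site 1x1 tracking image) can be checked for when reviewing a blog page's HTML. This is an added example, not part of the original post or the FortiGuard advisory; the `scan` helper, the regular expression and all host names are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script-driven navigation: location = "...", location.href = "...", location.replace("...")
REDIRECT_RE = re.compile(
    r"""location(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*["'](https?://[^"']+)""", re.I)

class BlogScanner(HTMLParser):
    """Collects off-site 1x1 images and off-site script redirects."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings, self._in_script = page_host.lower(), [], False

    def _offsite(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "img":
            src = a.get("src") or ""
            one_by_one = (a.get("width"), a.get("height")) == ("1", "1")
            if one_by_one and self._offsite(src):
                self.findings.append(("tracking-pixel", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # only text inside <script> is treated as code
            for url in REDIRECT_RE.findall(data):
                if self._offsite(url):
                    self.findings.append(("script-redirect", url))

def scan(html, page_host):
    scanner = BlogScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; every host name is a placeholder.
SAMPLE = """<img src="/photos/bike.jpg" width="400" height="300">
<img src="http://tracker.example.net/p.gif" width="1" height="1">
<script>window.location = "http://store.example.org/";</script>
<script>location.href = "http://myblog.example.com/archive";</script>"""
```

Calling `scan(SAMPLE, "myblog.example.com")` flags the off-site pixel and the off-site redirect and ignores the same-host navigation. It only inspects inline scripts and `width`/`height` attributes, so images sized through CSS or redirects built from obfuscated strings need further checks.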

Submerge
03-19-2007, 12:07 AM
Ouch, sucks for them, but as such a large threat they really need to keep on their toes. Look at IE 6.0; sometimes it's not good to be the largest.