FortiGuard Advisory (FGA-2007-04)
Malicious Code Appears on Blogger.com

Blogger.com (Google) is one of the most visited blog sites. Due to its popularity, hackers have started to embed malicious scripts in some blogs. These scripts have shown up on hundreds of Blogger.com sites. In some cases, a variant of the Stration mass mailer is responsible for directing traffic to the Blogger.com sites.

Pharmacy Express

One script redirects the user to a "storefront" for Pharmacy Express. The Pharmacy Express site is a phishing site designed to coax personal details and financial information from visitors. Another script downloads a 1x1 pixel image to track browser information such as IP address, browser type and version. While the Pharmacy Express site is hosted in China, the 1x1 pixel image is hosted on a site registered in the United States.
The Pharmacy Express phishers have been very aggressive in distributing the Pharmacy Express URL via mass mailers (e.g. Stration). The spam message appears to link back to Blogspot.com (screen shot below). A blogger recognizing the domain may be more tempted to visit the link.
Honda CR450 enthusiast

Another example was discovered on March 5: an actual Blogger.com site into which malicious code has been embedded. The site, seemingly created by a Honda CR450 enthusiast, now infects visitors with the Wonka Trojan. The trojan is posted on a web site hosted in Russia. This site may have been chosen due to its popularity in search engines.
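Checking a saved blog page for the two injected patterns described under Pharmacy Express above (an inline script that redirects the visitor off-site, and a 1x1 image fetched from a third-party host), as an added example that is not part of the original advisory. The scanner class, the blogspot.com default host and the sample HTML with .invalid placeholder domains are all assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline assignment such as window.location = "http://..." inside a <script> body
REDIRECT_RE = re.compile(
    r"(?:window|document|top)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")

class InjectedContentScanner(HTMLParser):
    """Flags off-site redirect scripts and third-party 1x1 tracking pixels."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host  # host the page legitimately belongs to
        self.findings = []          # (kind, url) pairs
        self._in_script = False

    def _is_external(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.page_host \
            and not host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "img":
            tiny = a.get("width") == "1" and a.get("height") == "1"
            if tiny and self._is_external(a.get("src") or ""):
                self.findings.append(("tracking-pixel", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers <script> bodies as data
            for url in REDIRECT_RE.findall(data):
                if self._is_external(url):
                    self.findings.append(("redirect", url))

def scan_page(html, page_host="blogspot.com"):  # default host is an assumption
    scanner = InjectedContentScanner(page_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; the .invalid hosts are placeholders, not real IoCs.
SAMPLE_HTML = """<html><body><p>My CR450 rebuild log</p>
<script>window.location = "http://storefront.example.invalid/index.php";</script>
<img src="http://tracker.example.invalid/p.gif" width="1" height="1" alt="">
<img src="http://photos.blogspot.com/bike.jpg" width="320" height="240">
</body></html>"""
```

Running `scan_page(SAMPLE_HTML)` reports the redirect and the tracking pixel but not the normal-sized image served from the blog's own host.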
Summary

The above examples represent some of the malicious web sites that use the popularity of Blogger.com (under blogspot URLs) to exploit unsuspecting users. Other popular topics commonly linked to malicious blog sites include Star Wars, school, furniture, Christmas, cars and girlfriend.

Disclaimer: Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet (www.fortinet.com): Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.