Welcome to WebmasterWorld Guest from

Message Too Old, No Replies

Coordinated campaign to rank malware pages on Google?


Sweet Cognac

3:27 am on Nov 28, 2007 (gmt 0)

10+ Year Member

A large-scale, coordinated campaign to steer users toward malware-spewing Web sites from Google search results is under way, security researchers say.
Gregg Keizer, Computerworld

Article on PCWorld


4:14 am on Nov 28, 2007 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

"So far we've found 27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages."

Hmmm... that's not exactly massive in my book. The article says "many of the malicious URLs are just a jumble of characters, with China's .cn top-level domain at their ends." Sounds like PCWorld is just now catching up with our discussion from September [webmasterworld.com]. If so, they're really late to the party and that's why they only found 27 domains. Google's has already been onto this scheme for many weeks.


4:27 am on Nov 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Ha. Slow news day.

That goes along with a report by NBC that <in a stocking voice>
"Companies even go so far as to buy ads on Google to get #1 placement for CyberMonday and the holiday season!"

Is MSM really that far behind the "internet" curve, still?


1:33 am on Nov 30, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

< Admin note: This new story indicates that something new
has been going on - much more than we first thought. >


The BBC reports that Google has taken down tonnes of domains carrying malicious code. Most of the domains seem to be the previously discussed chinese domain extension and showing up at the top of the SERPs for innocent searches.

What seems interesting but the article doesn't explain fully is that it appears the malicious code only appears from Google referals. MSN and Yahoo referals don't seem to trigger it.

[edited by: tedster at 2:02 am (utc) on Nov. 30, 2007]


2:48 pm on Dec 1, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

A followup to this post, looks like the groups involved have launched a fresh new attack after google purged the original results:


They appear to be pushing Spy-shredder, a malicious app pretending to be a Spyware buster on pages usually on a large amount of fresh .cn domains, with numbered html pages.

There is a very good explination of the attacks here:

< note: the Register article
also links to the Sunbelt Blog >

[edited by: tedster at 5:28 pm (utc) on Dec. 1, 2007]


Featured Threads

Hot Threads This Week

Hot Threads This Month