February 11th, 2009

Massive comment spam attack on Digg.com leads to malware

Posted by Dancho Danchev @ 12:25 pm

Categories: Anti Virus, Botnets, Browsers, Hackers, Malware, Passwords, Social Networking Applications, Spam and Phishing, Web 2.0

Tags: Security, Cybercrime, PandaSecurity, Fake Video Codec, Rogue Security Software, Digg, Social News, Comment Spam, Dancho Danchev

According to PandaSecurity, the social news site Digg.com is among the latest Web 2.0 services to be targeted by cybercriminals looking to divert legitimate traffic to their malware-serving domains. The ongoing attack is far more widespread than originally stated, with more than 500,000 bogus comments leading to 15 currently active malware domains, where the end user is enticed to install a fake video codec in order to view the video. Once executed, the "codec" attempts to convince the user that the machine is infected with malware and that a rogue security product has to be purchased in order to get rid of it.

Despite the obvious similarities with last month's Google Video keyword poisoning attack, the comment-spam campaign at Digg.com is unique in that it appears to have been active for over a year now. Let's dissect the campaign and explain how it works.

The cybercriminals are taking advantage of purposely registered bogus accounts, in combination with compromised legitimate accounts, not only to post Digg stories that lead directly to malware, but also to comment heavily on legitimate and bogus stories alike, posting even more malware-serving links.

So basically, you have a catchy title submitted through a bogus account, with a multitude of other bogus accounts commenting on it and linking to more malware-serving domains. Or exactly the opposite: bogus accounts commenting on legitimate stories, which has been going on since January 2008. This practice of self-recommendation reminds me of a similar eBay bot scheme back in 2006, where bogus accounts automatically gave positive feedback to fraudulent accounts, all operated by the same person or gang.
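The pattern just described (a cluster of accounts whose comment history consists almost entirely of links, repeatedly showing up together on the same stories and pushing the same handful of domains) can be checked mechanically from comment data. The Python below is an added example and is not code from the post, from PandaSecurity or from Digg; the comment records, account names and `.test` domains are constructed for illustration, and the `TRUSTED` allowlist is a hypothetical stand-in for whatever known-good hosts a moderation team would exclude.

```python
"""Flag coordinated comment spam that funnels readers to a few external hosts.

Added example, not from the original post or any of the parties it names.
Input records are (account, story_id, comment_text); the sample below is
constructed, and the .test domains are placeholders, not real malware hosts.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s)>"']+""", re.IGNORECASE)

# Hypothetical allowlist: links to these hosts are not counted as "link drops".
TRUSTED = {"en.wikipedia.org"}

# Constructed sample: one ordinary reader and three accounts that only post links.
SAMPLE_COMMENTS = [
    ("newsfan01", 101, "Great writeup, thanks for sharing."),
    ("vidz_4u", 101, "Full video here http://video-codec-example.test/play?id=1"),
    ("hotclipz", 101, "wow must see http://video-codec-example.test/play?id=1"),
    ("vidz_4u", 102, "watch it http://codec-update-example.test/get"),
    ("hotclipz", 102, "see this!! http://codec-update-example.test/get"),
    ("realdeal88", 102, "omg http://codec-update-example.test/get"),
    ("newsfan01", 102, "I disagree, see http://en.wikipedia.org/wiki/Digg"),
    ("vidz_4u", 103, "video http://video-codec-example.test/play?id=2"),
    ("hotclipz", 103, "http://video-codec-example.test/play?id=2 lol"),
    ("realdeal88", 103, "best one yet http://video-codec-example.test/play?id=2"),
]


def extract_domains(text: str) -> set[str]:
    """Return the lowercased hostnames of every http(s) URL in a comment."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def profile_accounts(comments):
    """Per account: total comments, comments carrying a non-trusted link,
    and a Counter of the hosts it linked to."""
    profiles = {}
    for account, _story, text in comments:
        p = profiles.setdefault(account, {"comments": 0, "linked": 0, "hosts": Counter()})
        p["comments"] += 1
        hosts = extract_domains(text) - TRUSTED
        if hosts:
            p["linked"] += 1
            p["hosts"].update(hosts)
    return profiles


def link_only_accounts(profiles, min_comments=2, min_ratio=0.8):
    """Accounts whose history is almost entirely link drops."""
    return {a for a, p in profiles.items()
            if p["comments"] >= min_comments and p["linked"] / p["comments"] >= min_ratio}


def flag_domains(comments, min_accounts=2, min_ratio=0.8):
    """Hosts pushed by at least min_accounts link-only accounts.
    Returns {host: sorted list of accounts}."""
    profiles = profile_accounts(comments)
    suspects = link_only_accounts(profiles, min_ratio=min_ratio)
    by_host = defaultdict(set)
    for a in suspects:
        for host in profiles[a]["hosts"]:
            by_host[host].add(a)
    return {h: sorted(accts) for h, accts in by_host.items() if len(accts) >= min_accounts}


def find_rings(comments, min_shared_stories=2):
    """Pairs of accounts that repeatedly appear on the same story linking to
    the same host: the self-recommendation pattern described in the post.
    Returns {(account_a, account_b): number of shared (story, host) hits}."""
    seen = defaultdict(set)  # (story, host) -> accounts that dropped that link there
    for account, story, text in comments:
        for host in extract_domains(text) - TRUSTED:
            seen[(story, host)].add(account)
    pair_counts = Counter()
    for accts in seen.values():
        accts = sorted(accts)
        for i in range(len(accts)):
            for j in range(i + 1, len(accts)):
                pair_counts[(accts[i], accts[j])] += 1
    return {pair: n for pair, n in pair_counts.items() if n >= min_shared_stories}


if __name__ == "__main__":
    for host, accts in flag_domains(SAMPLE_COMMENTS).items():
        print(f"{host}: pushed by {', '.join(accts)}")
    for (a, b), n in find_rings(SAMPLE_COMMENTS).items():
        print(f"{a} and {b} dropped the same link on {n} stories")
```

On the constructed sample, both `.test` hosts are flagged as pushed by the same three link-only accounts, and all three pairs among them co-post on at least two stories, while the ordinary reader is not flagged. The thresholds are deliberately crude; the point is that the two signals the post describes (link-only histories and accounts that travel together) are cheap to compute from data an abuse desk already has.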

Interestingly, just as in Google's keyword poisoning campaign, no client-side vulnerabilities are exploited. Instead, the cybercriminals rely entirely on the end user downloading and executing the "codec" in order to view the video.

Digg.com’s abuse department has already been notified of all the related malware domains used across the site.

UPDATE: The following is a complete list of the malware domains used within the comments posted at Digg.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He has been an active security blogger since 2007 and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


Talkback (most recent of 8)

Clever attack
I almost fell for this one the other day, but Firefox rejected the install of the plugin.

HEY!!!! Video publishers!!!! If you will not publish your content in Flash or with other secure codecs....

I will NEVER want to download your junk.... (Read the rest)
Posted by: pcguy777 on 02/13/09