Gaddafi search poisoning

Here's an example of search poisoning somewhat similar to that predicted by Stephen Cobb using the death of Gaddafi as a hook, noted by our colleague Raphael Labaca Castro, of ESET Latin America. The original blog is in Spanish. Raphael reports an email that comes with the following title (in Portuguese, suggesting that Brazilian Internet users are being targeted):

FW: Nossa. Acabei de receber este video do ex-lider da Libia, Kadhafi, sendo capturado e morto em plena praca publica.

Portuguese isn't one of my accomplishments, but Babel Fish gives us this literal translation: well, you get the idea…

FW: Ours. I finished to receive this video from the former-leader of Libya, Kadhafi, being captured and died in full square it publishes.

This deceptive URL appears to link to a well known Brazilian media site. However, clicking on it results in the victim being redirected without his knowledge to a .kr (South Korea) web site, and the result is download and infection by a banking Trojan of the family that ESET products detect as Win32/Qhost.

The Trojan modifies C:WINDOWSsystem32driversetchosts.txt so that when the user is using a home banking service, he is redirected to a page that looks like a real banking site but is really a fake, set up trick the victim into giving up his credentials. This type of phishing attack, implemented by modifying the hosts file, is sometimes referred to as local pharming.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

 

 

Author David Harley, ESET

  • Jason Bowen

    I am happy to see these kinds of post available. I wish to see more of these published to your facebook page.

    • David Harley

      I don’t have much to do with ESET’s FB pages, but I’ll see what I can do.

  • Silvio Gissi

    A better translation for the title: "FW: Wow. I just received this video of Libya's former leader, Kadhafi, being captured and killed in plein public square"

    • David Harley

      Thanks. I’m still puzzled by “plein”: I know that’s French for full, and Babelfish tells me that “plena” (as in the original title) is the Portuguese equivalent. Does the expression mean something like in “full public view”? (Which doesn’t seem to have been the case, but obviously we’re not looking for historical accuracy here.)

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

1 article related to:
Hot Topic
20 Oct 2011
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.