Here's an example of search poisoning somewhat similar to that predicted by Stephen Cobb using the death of Gaddafi as a hook, noted by our colleague Raphael Labaca Castro, of ESET Latin America. The original blog is in Spanish.
Raphael reports an email that comes with the following title (in Portuguese, suggesting that Brazilian Internet users are being targeted):
FW: Nossa. Acabei de receber este video do ex-lider da Libia, Kadhafi, sendo capturado e morto em plena praca publica.
Portuguese isn't one of my accomplishments, but Babel Fish gives us this literal translation: well, you get the idea…
FW: Ours. I finished to receive this video from the former-leader of Libya, Kadhafi, being captured and died in full square it publishes.
This deceptive URL appears to link to a well known Brazilian media site. However, clicking on it results in the victim being redirected without his knowledge to a .kr (South Korea) web site, and the result is download and infection by a banking Trojan of the family that ESET products detect as Win32/Qhost.
The Trojan modifies C:\WINDOWS\system32\drivers\etc\hosts.txt so that when the user is using a home banking service, he is redirected to a page that looks like a real banking site but is really a fake, set up trick the victim into giving up his credentials. This type of phishing attack, implemented by modifying the hosts file, is sometimes referred to as local pharming.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Leave a reply
