Unsafe On Blogger: Star Wars, Girlfriends, Drugs

    March 15, 2007
    WebProNews Staff

Security firm Fortinet has found a lot of malicious code posted on Google’s Blogger service, with a mass mailer worm directing spam recipients to it in some instances.

Fortinet described how a phishing site called Pharmacy Express has a couple of illicit connections to Google. First, their spam includes a link that appears to go to Blogspot, which is Google’s domain for blogs hosted on the Blogger service.

They also noted another trick used by the criminals behind Pharmacy Express:

The site is able to bypass a few automated malicious Web analysis tools by inserting “Google.com” as a keyword in its HTML search code. It also downloads a 1×1 pixel image to track the browser information, such as IP address, browser type and version, etc. While the Pharmacy Express site is hosted in China, the 1×1 pixel image is hosted on a site registered in the United States.

Also, Fortinet found an actual Blogger site loaded with malicious code. The site, created to look like a Honda CR450 enthusiast page, delivers a Trojan to visitors. Fortinet also discovered topics like Star Wars and girlfriends linked to other Blogger sites hosting malicious code.

Scripts for a mass mailing variant of the Stration worm have been found to be responsible for churning out emails that send people to these hostile sites. Deleting suspicious messages will help reduce one’s chance of ending up with an infected system.

Don’t Buy Replica Watches From Spammers: The guy with the overcoat loaded with ‘discounted’ Rolexes, Hermes, Cartier, and other luxury brand watches has moved his scams to the web; the destination of his overcoat is unknown and probably best left unexplored.

Kelly Conley at Symantec described how replica watch spam has been hitting inboxes in very high volumes. Conley noted how a hijack attempt used by the spammer accompanies these junk messages:

The body is often a legitimate-looking message such as a newsletter, which (at the end or beginning) contains a URL to a Web site selling replica watches. The headers look like spam with the "from" and/or "subject" lines consisting of spam content. This should be a flag that lets the end user know that the message contained within is spam.

In a complete coincidence, I received one of these spams just after submitting this article. People can do themselves a favor by not giving these spammers the time of day.