Security Response

Gromozon Is “Live” (Just in Italy)

Created: 07 Mar 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:51:40 GMT
Elia Florio

Windows Live is “everything you need, all in one place,” and it looks like the search engine really does know exactly what Italians need! Today, we came across a story reported by Sunbelt about a takeover of the Italian version of the Windows Live search engine. We decided to do a bit more investigating into those rumors.

At the moment, the problem is that when someone searches a combination of specific Italian keywords on the Windows Live portal, that person will always get a set of weird links in the search results. These weird links will most likely be related to the Linkoptimizer gang (aka Gromozon)—so this likely means that the Gromozon gang has managed to take over and manipulate the search results of Windows Live by getting their links to end up on the top of the search result lists.

This type of issue is not new. Google was already targeted by the same gang during the first Gromozon outbreak in 2006, as we reported in our previous blog post. It’s a “Google bomb” attack or, in this case, we should call it a “Live bomb” attack. To quote Wikipedia: “Google bomb (also referred to as a 'link bomb') is Internet slang for a certain kind of attempt to influence the ranking of a given page in results returned by the Google search engine, often with humorous or political intentions."

Some blog readers were wondering how the Gromozon gang was able to accomplish this. Initially, the bad guys would have meticulously selected a list of “hot” keywords—words that referenced things everyone needs or words that are just very popular on search engines. And, the list is huge. We’re reporting on only a sample set of those keywords as an example, shown below (with a rough English translation):

ricetta baci perugina (popular Italian chocolates)
contratto collettivo colf (type of work contract)
finanziamento online (online mortgage)
cerco lavoro nave crociera (search job ship cruise)
fastweb wind tele2 (some popular Italian mobile providers)
traduzione testo canzone (translation lyric song)
ministero sanita iscrizione (health subscription)
modella calendario (model calendar)
giubbotto pelle (jacket leather)
incontro annuncio personale (personal announcement)

Next, the gang registered a large number of domain names using other Italian words. They created those new domains with different Web space providers, using names that are permutations or modifications of the keywords mentioned above. The URL format used by the gang looks similar to the following link:

http://[number].[random_italian_word].com/[keywords_permutation].

For example, if we consider the word “giubbotto” (jacket), we can easily spot all of the following permutations that are associated with Gromozon domains:


Also in this case, the list of possible URLs we have seen on the Web is huge! At this stage the gang has domain names with “hot” keywords that already ensure a good score from the search engine, but to reach the maximum ranking they also need to use some other tricks. So, on each of these Web spaces they uploaded a Web page that includes links to legitimate sites related to a specific keyword (e.g. jacket). Each page also contains encrypted JavaScript that works as a redirector (it takes users to a different Web site). Interestingly, all of the pages display the colors of the Italian flag (green, white and red) as a background.

The left column of each page has a long list of URLs that link to other weird pages. The goal is to create a sophisticated and intricate spider web of self-referencing Web pages that will get the highest rank from Internet search engines. That’s because search engine algorithms analyze how pages are linked using graph theory: the more a page is referenced by external links, the more popular the page is considered. The spider-web structure of pages like the ones created by the Gromozon gang is used to trick the search engines into displaying the specific results the attackers want. We observed that the problem affects Windows Live for Italy and Germany, and also some Italian versions of other search engines (e.g. Lycos), but with a lower impact.
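As an added illustration (not code from the original post or from Symantec), the Python script below checks a URL against the http://[number].[random_italian_word].com/[keywords_permutation] shape described above and then, over a constructed sample crawl, computes what share of each host's inbound links comes from pattern-matching pages, which is how a crawler operator or search-quality team could spot a self-referencing web like the one this post describes. The keyword subset, the retailer and blog URLs, and the crawl itself are assumed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Host shape from the post, [number].[italian_word].com, and a path made of one
# or more lowercase words joined by dashes (a keyword permutation/concatenation).
FARM_HOST = re.compile(r"^\d{1,3}\.[a-z]+\.(?:com|org|net)$")
FARM_PATH = re.compile(r"^[a-z]+(?:-[a-z]+)*$")
# Assumed subset of the gang's "hot" keyword list (constructed for this example).
HOT_KEYWORDS = ("giubbotto", "pelle", "finanziamento", "colf")

def split_url(url):
    """Accept defanged hxxp:// links as quoted in the post; return (host, path)."""
    p = urlparse(url.replace("hxxp://", "http://", 1))
    return p.netloc.lower(), p.path.strip("/").lower()

def looks_like_farm_url(url):
    host, path = split_url(url)
    if not FARM_HOST.match(host) or not FARM_PATH.match(path):
        return False
    return any(k in path.replace("-", "") for k in HOT_KEYWORDS)

def farm_in_link_share(crawl):
    """crawl: {page_url: [outlink, ...]}. For each linked host, the share of its
    inbound links that come from pattern-matching pages: near 1.0 means the
    'popularity' is manufactured by the self-referencing web, not earned."""
    inbound = defaultdict(lambda: [0, 0])  # host -> [from_farm, total]
    for src, links in crawl.items():
        src_is_farm = looks_like_farm_url(src)
        for dst in links:
            host = split_url(dst)[0]
            inbound[host][1] += 1
            inbound[host][0] += src_is_farm
    return {h: f / t for h, (f, t) in inbound.items()}

def flag_hosts(crawl, threshold=0.8):
    """Hosts whose inbound links come (almost) entirely from the farm."""
    return sorted(h for h, s in farm_in_link_share(crawl).items() if s >= threshold)

# Constructed sample crawl (not real data): three farm pages cross-link each
# other and one retailer; an unrelated blog links only to the retailer.
A = "hxxp://7.altruidismala.com/giubbottouomoinpelle"
B = "hxxp://19.unavisita.com/giubbottouomopelle"
C = "hxxp://8.divertivano.com/giubbotto-nike"
SHOP = "http://www.example-retailer.it/giubbotti"
SAMPLE_CRAWL = {A: [B, C, SHOP], B: [A, C], C: [A, B],
                "http://blog.example.org/post": [SHOP]}

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_CRAWL))  # the three numbered farm hosts
```

The retailer is not flagged because half of its inbound links come from an independent page, while every inbound link to the numbered hosts originates inside the farm.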

What is the master plan of the Gromozon gang? Well, we don’t know yet, but we are expecting something even more sinister to appear sooner or later. At the moment we know that the encrypted Javascript embedded in those weird pages is redirecting users to the domains hxxp://www.itzzot.cc and hxxp://e1.extreme-dm.com. Fortunately, neither of these domains is hosting any malicious files or exploits at the moment—they just track visitors. We are going to keep an eye on this and eventually post an update if something malicious appears on those sites.

Thanks to Sunbelt for the original blog post about this story. Hopefully the Windows Live team is now aware of the issue and is working to set up proper filters for those false results.