Windows Live is “everything you need, all in one place” and it looks like the search engine really does know what exactly it is that Italians need! Today, we came across a story that was reported by Sunbelt about a takeover of the Italian version of the Windows Live search engine. We decided to do a bit more investigating into those rumors.
At the moment, the problem is that when someone searches a combination of specific Italian keywords on the Windows Live portal, that person will always get a set of weird links in the search results. These weird links will most likely be related to the Linkoptimizer gang (aka Gromozon)—so this likely means that the Gromozon gang has managed to take over and manipulate the search results of Windows Live by getting their links to end up on the top of the search result lists.
This type of issue is not new. Google was already targeted by the same gang during the first Gromozon outbreak in 2006, as we reported in our previous blog post. It’s a “Google bomb” attack or, in this case, we should call it a “Live bomb” attack. To quote Wikipedia: “Google bomb (also referred to as a 'link bomb') is Internet slang for a certain kind of attempt to influence the ranking of a given page in results returned by the Google search engine, often with humorous or political intentions.”
Some blog readers were wondering how the Gromozon gang was able to accomplish this. Initially, the bad guys would have meticulously selected a list of “hot” keywords—words that referenced things everyone needs or words that are just very popular on search engines. And, the list is huge. We’re reporting on only a sample set of those keywords as an example, shown below (with a rough English translation):
ricetta baci perugina (popular Italian chocolates)
contratto collettivo colf (type of work contract)
finanziamento online (online mortgage)
cerco lavoro nave crociera (search job ship cruise)
fastweb wind tele2 (some popular Italian mobile providers)
traduzione testo canzone (translation lyric song)
ministero sanita iscrizione (health subscription)
modella calendario (model calendar)
giubbotto pelle (jacket leather)
incontro annuncio personale (personal announcement)
Next, the gang registered a large number of domain names using other Italian words. They created those new domains with different Web space providers, using names that are permutations or modifications of the keywords mentioned above. The URL format used by the gang looks similar to the following link:
For example, if we consider the word “giubbotto” (jacket), we can easily spot all of the following permutations that are associated with Gromozon domains:
hxxp://7.altruidismala.com/giubbottouomoinpelle
hxxp://19.unavisita.com/giubbottouomopelle
hxxp://9.siscambiavano.com/giubbottouomoprada
hxxp://8.divertivano.com/giubbotto-nike
hxxp://20.riputazione.com/giubbotto-salvataggio
hxxp://10.suasalute.com/giubbottosmanicato
hxxp://5.irradiazione.com/napapijri-giubbotto
hxxp://10.proporzione.com/giubbotto-belstaff
hxxp://3.madrivolesti.com/giubbottouomoinpelle
hxxp://2.costretto.com/giubbotto-woolrich-cordura
hxxp://1.piantandosi.com/giubbotto-dainese
hxxp://9.galantuomini.com/giubbotto-moto
hxxp://10.cercassero.com/moncler-giubbotto
hxxp://11.stendevasi.com/giubbotto-uomo-woolrich
hxxp://7.ecavaliere.com/giubbottouomoinpelle
hxxp://16.divertivano.com/giubbotto-moto-abbigliamento
hxxp://12.riguarda.org/giubbottowoolrich
hxxp://19.circostanze.com/giubbotto-refrigiwear
The left column of this page has a long list of URLs that link to other weird pages. The goal is to create a sophisticated and intricate spider web of self-referenced Web pages that will get the highest rank from Internet search engines. That’s because search engine algorithms analyze how pages are linked using graph theory. The more a page is referenced by external links, the more popular this page becomes. The spider web structure (the structure of pages like the ones created by the Gromozon gang) is used to trick the search engines into displaying the specific results the attackers want. We observed that the problem affects Windows Live for Italy and Germany, and also some other Italian versions of other search engines (e.g. Lycos), but with a lower impact.
Thanks to Sunbelt for the original blog post about this story. Hopefully the Windows Live team is now aware of the issue and is working to set up proper filters for those false results.
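The URL pattern in the list above (a numeric host label, a word domain, and a path built from a popular keyword) can be turned into a triage heuristic for crawl or proxy logs. The following is an added example, not code from the original post: the watchlist, the threshold, the function names and the `.example` sample URLs are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: a watchlist of popular search keywords chosen by the analyst.
WATCHLIST = ("giubbotto", "finanziamento")

def parse(url):
    """Refang a hxxp:// URL; return (has_numeric_label, domain, slug)."""
    parts = urlsplit(re.sub(r"^hxxp", "http", url.strip(), flags=re.I))
    labels = (parts.hostname or "").split(".")
    numbered = len(labels) > 2 and labels[0].isdigit()
    domain = ".".join(labels[-2:])  # naive registered-domain guess (no public-suffix list)
    slug = re.sub(r"[^a-z]", "", parts.path.lower())  # fold "giubbotto-moto" and "giubbottomoto"
    return numbered, domain, slug

def doorway_clusters(urls, min_domains=3):
    """Map keyword -> {"domains": [...], "variants": [...]} when the keyword appears
    in paths on at least min_domains distinct domains that use a numeric host label."""
    domains, variants = defaultdict(set), defaultdict(set)
    for url in urls:
        numbered, domain, slug = parse(url)
        if not numbered:
            continue  # ordinary hosts such as www.* are out of scope for this heuristic
        for kw in WATCHLIST:
            if kw in slug:
                domains[kw].add(domain)
                variants[kw].add(slug)
    return {kw: {"domains": sorted(domains[kw]), "variants": sorted(variants[kw])}
            for kw in domains if len(domains[kw]) >= min_domains}

# Constructed sample (reserved .example names), shaped like the URLs listed above.
SAMPLE = [
    "hxxp://7.farm-a.example/giubbottouomoinpelle",
    "hxxp://3.farm-b.example/giubbottouomoinpelle",
    "hxxp://10.farm-c.example/moncler-giubbotto",
    "hxxp://16.farm-a.example/giubbotto-moto-abbigliamento",
    "hxxp://www.shop.example/giubbotto-pelle",        # no numeric label: ignored
    "hxxp://2.solo.example/finanziamento-online",     # one domain only: below threshold
]

if __name__ == "__main__":
    for kw, info in doorway_clusters(SAMPLE).items():
        print(kw, len(info["domains"]), "domains,", len(info["variants"]), "path variants")
```

A flagged keyword is a lead for manual review rather than a verdict, since the heuristic only looks at URL shape and not at page content or link structure.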