We have seen in recent times that malicious binaries are spreading through social engineering attack vectors like spam emails, phishing, and social networking sites. This time we have found that attackers have begun targeting free online service sites and our example is based on Google Notebook, although these attacks are not unique to this site. Attackers have started to use Google Notebook as a new social engineering attack vector to spread misleading applications. Misleading applications attempt to convince the user that he or she must remove potentially unwanted programs or security risks (usually nonexistent or fake) from the computer.
Google Notebook is a free online service that provides a way to save and share information in a single location. It lets users save search results, notes, or images online and share them with others. Users can create notes with headings, and within each note they can add more content, such as links.
Attackers are now taking advantage of this free service to create an attack vector to push misleading applications onto the victims' machines. While researching this problem we found cases where victims were invited to click on a malicious link. We found one author's notebook with more than 50 notes, including fake information and more malicious links. Below is a screenshot to better illustrate what has been found:
When you look closely at the "Last edited" column in the above image, you will see that they are very recent posts. Clicking on the associated links leads to the author's notebook pages, which contain fake information and malicious links. Below is a screenshot from clicking on the "Microsoft Windows History" link:
Based on the contents, the victim is invited to click on the links to get additional information, but ends up getting fake pop-up messages generated by fake Web sites hosting misleading applications. Here is an example of one such pop-up message:
When the victim clicks the OK button, a fake antivirus installer is downloaded to the victim's machine. The "Microsoft Windows History" page contains a link to "hxxp://anitspy<removed>.com". This link redirects to "hxxp://<removed>llab.com". If it is the user's first visit to that site, the site redirects the browser to a malicious Web site (hxxp://<removed>pc.com), which serves up a misleading application. In other instances the browser is redirected to a search site called "hxxp://<removed>searcher.com," where the user will see an advertisement to download fake antivirus software. The complete scenario makes it seem as if attackers are running underground affiliate networks to promote misleading applications.
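For defenders, the redirect chain described above can be picked out of web proxy logs. The following is an added example, not code from the original post: it follows redirects from a link clicked on a sharing-service page and flags chains that end in an executable download or that land somewhere different on a repeat visit. The log layout, the .example host names, the MIME type list and the three-host threshold are all assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed proxy records, not data from the article:
# (client, url, referer, status, Location header, content type)
LOG = [
    ("10.0.0.5", "http://hop1.example/", "http://notes.example/nb/1", 302, "http://hop2.example/in", ""),
    ("10.0.0.5", "http://hop2.example/in", "", 302, "http://scan.example/alert", ""),
    ("10.0.0.5", "http://scan.example/alert", "", 200, "", "text/html"),
    ("10.0.0.5", "http://scan.example/setup.exe", "http://scan.example/alert", 200, "", "application/x-msdownload"),
    # Later visit by the same client: same entry link, different landing site.
    ("10.0.0.5", "http://hop1.example/", "http://notes.example/nb/1", 302, "http://hop2.example/in", ""),
    ("10.0.0.5", "http://hop2.example/in", "", 302, "http://find.example/", ""),
    ("10.0.0.5", "http://find.example/", "", 200, "", "text/html"),
]
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream"}

def host(url):
    return urlparse(url).hostname or ""

def chains(log, sharing_hosts):
    """Follow 3xx Location headers for every click that came from a sharing-service page."""
    out = []
    for i, (client, url, referer, status, location, _) in enumerate(log):
        if host(referer) not in sharing_hosts:
            continue
        hops, j, st, loc = [url], i, status, location
        while 300 <= st < 400 and loc:
            hops.append(loc)
            nxt = next((k for k in range(j + 1, len(log))
                        if log[k][0] == client and log[k][1] == loc), None)
            if nxt is None:          # redirect target never requested; stop here
                break
            j, st, loc = nxt, log[nxt][3], log[nxt][4]
        landing = hops[-1]
        exe = any(r[0] == client and r[2] == landing and r[5] in EXEC_TYPES for r in log[j + 1:])
        out.append({"client": client, "entry": url, "hops": hops, "landing": landing, "exe": exe})
    return out

def findings(log, sharing_hosts):
    alerts, first_landing = [], {}
    for c in chains(log, sharing_hosts):
        # Assumed threshold: three or more distinct hosts ending in an executable download.
        if c["exe"] and len({host(h) for h in c["hops"]}) >= 3:
            alerts.append(("redirect-to-executable", c["entry"], c["landing"]))
        # Same client and entry link landing on a different host than before.
        seen = first_landing.setdefault((c["client"], c["entry"]), host(c["landing"]))
        if seen != host(c["landing"]):
            alerts.append(("visit-dependent-landing", c["entry"], c["landing"]))
    return alerts
```

Calling findings(LOG, {"notes.example"}) returns one alert of each kind for the constructed records.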
Social engineering attacks that involve victims who are tricked into clicking on malicious links are not new; however, now the attackers have started using free service sites as a new attack vector to push their misleading applications. Symantec has built excellent safe browsing features in its 2008 solutions and continues to enhance protection technologies in its upcoming 2009 product offerings. Symantec continues to detect misleading applications, including those mentioned above. We recommend that you keep your computer and Internet security products and definitions up-to-date, patch your systems, and run your Web browser with limited options enabled.