Thursday, January 29, 2009

A view of the recent Google video attack

Hi folks,

Dancho Danchev blogged here about an inventive new way Bad Guys were luring people to innocent videos but then redirecting them to an attack site, which would then try to trick them into installing something bad. Dancho says they'd managed to hijack 400,000 search terms, so it's quite a big attack. We detect and block the way they attempt the trickery, so we were blocking it preemptively, but it's interesting to look at our graph of the attack...

Our first detection was on January 19th, and it jumped to between 200 and 250 a day up until January 27th, when it took a sharp drop and just about disappeared on the 28th. So here's the interesting bit ... a whois lookup of the attack domain shows that it was registered on January 19th, which means we started detecting it the same day they brought it online... and then Dancho published his blog on January 27th, and the attacks diminished dramatically on the same day (probably because he also told the security team at Google on the same day, and they started cleaning out the search pages).

Now, you might be tempted to think that a couple of hundred attacks a day for not much more than a week was not much of a payoff for hijacking 400,000 search terms, but it's important to understand that this is just measuring the attacks from a single domain. They probably had lots more than that. These guys are pretty smart, without a doubt.

I don't know about you, but I think it's pretty cool when you can see data like this, and even cooler when you can explain why it's happened.



