Friday, March 5, 2010

Social Engineering Attacks Against Blogger Blogs

This month, we are seeing what appears to be the fourth identified social engineering attack against Blogger blogs, in as many months.

In December 2009, we saw a "blogoholic.info" hijack.

In January 2010, we saw a "smashingfeeds.com" / "searchinvented.com" hijack, most commonly involving a "Tweet This" accessory.

In February 2010, we saw a "sendptp.com" hijack, most commonly involving a "falling snow" / "falling hearts" (for Valentine's Day) gadget.

This month, we are seeing a "deplayer.net" hijack, apparently involving various "visit counter" / "countdown timer" and "music accessory" gadgets.

Each month, some reports also mention gadgets identified in previous months, also redirecting to the hijack-of-the-month URL. This makes the observed activity very likely to be part of an organised, persistent attack.

The most recently identified attacks use aggressively protected code, and may require manual deinstall procedures.

Please be careful of any non-Blogger accessory. If your blog is the victim of any such accessory, and you can identify where you got the accessory, or where it was recommended to you, your information could be valuable here.


It appears that some malware may be included in some gadgets installed by the Blogger "Add a Gadget" wizard. If you find that removing any Blogger gadget gives you any relief, please report your findings in my article "Some Hijack Malware Is Being Claimed To Be Blogger Provided". Your details, provided there, would be greatly appreciated.
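
As an added example (not code from the original post or from Blogger), the following Python scans a saved copy of a blog page for gadgets that load content from the redirect domains named in this post, and reports the ID of the enclosing gadget. The `class='widget ...'` / `id='HTMLnn'` wrapper markup, the `"(no gadget)"` label and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

HIJACK_DOMAINS = ("blogoholic.info", "smashingfeeds.com", "searchinvented.com",
                  "sendptp.com", "deplayer.net")   # redirect targets named in this post
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)

def hijack_domain(host):   # listed domain that host equals or is a subdomain of
    return next((d for d in HIJACK_DOMAINS if ("." + host.lower()).endswith("." + d)), None)

class GadgetScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []   # open (tag, gadget id) pairs; results

    def _check(self, text):
        gadget = next((g for _, g in reversed(self.stack) if g), "(no gadget)")
        for host in HOST_RE.findall(text or ""):
            hit = (gadget, hijack_domain(host))
            if hit[1] and hit not in self.findings:
                self.findings.append(hit)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        gid = a.get("id") if "widget" in (a.get("class") or "").split() else None
        self.stack.append((tag, gid))
        for name in {"src", "data", "value"} & a.keys():   # URLs the browser loads
            self._check(a[name])

    def handle_endtag(self, tag):
        tags = [t for t, _ in self.stack]
        if tag in tags:   # also drops unclosed tags (e.g. <img>) opened after it
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "script":   # inline script only
            self._check(data)

def scan_page(html):
    scanner = GadgetScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample; the class='widget ...' id='HTMLnn' wrapper markup is an assumption.
SAMPLE = """<div class='widget HTML' id='HTML3'><script src='http://www.deplayer.net/ptp.html'></script></div>
<div class='widget HTML' id='HTML7'><script>var u="http://sendptp.com/x";</script></div>
<div class='widget Blog' id='Blog1'><p>A post that mentions deplayer.net.</p></div>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE))
```

Only loaded URLs and inline script text are checked, so a post that merely mentions one of the domains in its visible text is not flagged.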



18 comments:

  1. My blog was hijacked this morning by the "Realtime Hit Counter" gadget causing a re-direction to sendptp.com and deplayer.net. Removing the gadget fixed the problem. Unfortunately, Blogger doesn't have a mechanism available to report this.

  2. Hey Chuck ~ Do you know how/when Google is stepping in itself to fix this problem/snafu/agitation . . . as it sure is widespread right now . . .

    Thanks, and hey Chuck will you keep me posted?

    Absolutely*Kate
    AT THE BIJOU ... you can surely follow when you're able to get there ...

  3. Kate,

    Any update that I get, I'll post here.

  4. Lee,

    Blogger doesn't have a reporting mechanism, because this problem isn't their responsibility, by default. We are responsible for the content of our blogs, especially if we install non-Blogger code.

  5. Hey Lee -- Hijacked too, I bailed out of the Hit Counter and the World Maps -- have been reading up on others' problems and found the widget clock (Trivium Shogun) that came from Blogger's "add a gadget" is the culprit --

    The sucker won't go away when you hit "Remove" -- it just flashes deplayer.net at me.

    LEE? CHUCK?
    Got some ideas in how to remove this stubborn critter?

    HELP and THANKS,
    Kate
    AT THE BIJOU

  6. Kate,

    Don't use "Page Elements", except to find out the Gadget ID ("HTMLnn"). Only use "Edit HTML", to remove the bad code.

  7. Kate: The "Realtime Hit Counter" seemed to function fine for several days, then started redirecting to the ad sites. I don't know if the gadget itself was hijacked or if it is a bogus gadget. In any case, I removed it simply by hitting the "Remove" button. No problem for me in doing that. The hijack issue was fixed instantly.

    Chuck: I understand your comment about taking responsibility for our content. However, this is a gadget that is listed on the Blogger list of gadgets. The fact that they list them and make them available would seem to imply that they are supported. It seems, at least, that Blogger should be informed of problems and that they would remove gadgets that don't work or those that contain harmful code. However, there is no mechanism for informing them.

  8. Chuck and Lee! You two gents are class acts indeed to share your skills.

    GUESS WHAT?

    I DID IT! I DID IT!
    Actually about half-an-hour before I found your responses ... I realized from other folks' gripes that after bailing out on my hit-counters and world-mappers, that there was still a site clock. Hadn't thought of it before and figgered I'd fully de-widgeted down, as this had come from Blogger's list of renown.

    Well -- once the sucker failed to "remove" when told to, I went to the HTML code and honed in on just where his location was, between other features on my right side wall.

    TA DAHHHHHH! I'm dancing in the aisles of my theatah now!

    Please come see it - visit - take a browse and know I'll follow you guys too. Good weekend and Great hanging with you through this prob.

    Absolutely*Kate
    AT THE BIJOU
    http://at-the-bijou.blogspot.com/

    WoooHooo!

  9. Lee,

    If the "Realtime Hit Counter" is listed on the Blogger list of gadgets, The Real Blogger Status is now the official reporting place.

    I will feed this to Blogger.

    I am now accepting comments in my Real Blogger Status post Some Hijack Malware Is Being Claimed To Be Blogger Provided, and requesting details of any suspected Blogger provided malware.

  10. Awesome, Kate! Thanks for sharing that with us!!

  11. Aw gee Chuck, ya made me smile so gosh'darn large.

    Lee's sure right though -- where you'd least expect it ... mine was the clock right outta the Blogger-provided bag of "Add a Gadget".

    I'm lettin' folks figure out what time it is on their own from now on.

    G'night guys ...
    ~ Absolutely*Kate

  12. OK guys, this is how I solved it. I went to the edit page, went to the edit gadgets and just systematically started deleting everything on my blog. Then I came on my Martin Luther King Jr Quotes Widget, and my avasti spyware went off bells and clangs, then it went nuts. BUT I aborted the connection, then very quickly went back into it and clicked on remove and ok before the avasti kicked in with the abort connection, and that solved it. WHEW, just thought I would share this with everyone, it might help.

    I also changed my settings to other bloggers only, AND changed my Google password as well.

  13. Hi! I received an email today from a viewer that said my blog had a virus on it. He was thinking it was from the last ad he had clicked on. All was well, but when he went to leave my site, it went crazy and one page right after another of my site started popping up - up to 20 pages then he had to turn his computer off. I got on here tonight and saw that there were problems with the hit counters, so I removed them from all three of my blogs. "Totally Free Counters" Sure hope that fixes it. Was really glad to find this blog about it all tonight. Thanks!
    Tentfire http://woodfire-recipes.blogspot.com

  14. Deplayer.net/ptp.html was the culprit in my blogger's case, lurking in the clock/calendar widget installed in January, when I updated the blog template.

    Hardly get any visitors, but I like looking at my blog and post things I can link to, works like an extension of my memory for me, so was very miffed to notice the unauthorised redirection. Thank you to Nitecruzr for problem-solving information.

  15. Dear Chuck
    I started my first ever blog today
    and feel very fortunate to find your blog. How can I follow you?
    Thank you
    Mark Ward

  16. Hi Mark,

    I have Followers gadgets on all of my blogs. Pick any that interest you, and Follow. You are knowledgeable about Following, I hope?

  17. Hello Chuck, I am new to blogging and so, basically, just about grappling with every little thing associated with the activity. This practically means I cannot even tell apart 'Widgets' to 'follow' links - leave alone edit HMTLs (or is it HTMLs?).

    I am glad to have come across your site here. May I remind you that I shall be pestering you with tons of queries and problems (like I said, I can't tell 'dashboard' to 'Customize HMTLs')! Thank you for your wonderful resource.

  18. Well, I just added a widget for CanadianPlanet directory on my blog - sure hope that it's legitimate!
    I am not too savvy about all these problems about social engineering attacks... I'll be more wary in future :-)
