Google users fooled by new Gumblar compromises

ScanSafe announced the discovery of a new series of website compromises, collectively dubbed “Gumblar”. The compromises continue to grow exponentially and have already infected over 1,500 websites, including Tennis.com, Variety.com and Coldwellbanker.com, among others. In the last week alone, the Gumblar website compromises grew another 80% – surpassing the growth rate of any previously known compromise in the same time frame.

Gumblar is believed to be growing rapidly due to its unique combination of characteristics. When a Web user visits an infected site, their computer is at risk for Gumblar infection. They may then be susceptible to viewing faux search results when they use Google’s search engine. If they mistakenly click on an imposter result, Gumblar forcibly redirects them to fraudulent websites. Many of these pages are imitations of popular websites, leading the victim to believe they are visiting a legitimate site.

The resulting malware could grant cyber criminals control of the victim’s computer, leading to a myriad of security issues, including personal data theft and stolen FTP credentials. Once cyber criminals are in possession of a victim’s FTP credentials, any sites that victim manages can also be targeted for compromise – a common malware propagation tactic.

“Because of the complexity of the Gumblar compromises, detection via traditional methods, like signature detection and blacklisting, is ineffective,” said Mary Landesman, senior security researcher at ScanSafe. “Gumblar’s sophistication and incredible growth rate should serve as a wake-up call to the IT community. As cybercrime evolves in sophistication, so must our protection against it.”

Google immediately delisted the compromised websites upon discovering the breach. However, in early May, the attackers caught wind of this and began replacing the suspect IP address with another IP address, allowing the compromised sites to once again be listed by search engines. Both the injection and the redirection occur locally, on the compromised computer, and not on the search engine itself.

“The cyber criminals responsible for Gumblar have learned to morph its features quickly,” said Landesman. “This, coupled with Gumblar’s other dynamic characteristics, is allowing the compromise to disseminate more rapidly than others we’ve seen.”

Gumblar is the latest wave of serious website compromises that have plagued Web surfers for the past two years. Overall, Web malware increased 300% throughout 2008, with another 19% increase in the first quarter of 2009.