Friday, October 23, 2009

More compromised Irish Sites

Quick one before I head out of the office

An Irish domain, Ivote.ie, is currently being used by criminal gangs as part of an SEO poisoning attack.

Take the following two examples of popular search terms (I got these from Google Trends). The standard warning applies about visiting these sites (Here be Dragons):


SEARCH: steve phillips girlfriend picture

RESULT:

http://www.gsarchives.net/index2.php?t=steve-phillips-girlfriend-picture

-> http://guardsyszone.com/?p=WKmimHVlcW6HjsbIo22EeXZe0KCfZ1bVoKDb2YmHWJjOxaCbkX1%2Ba16orKWeYpWcZWliaGaalGCIo6THodjXoGJdpqmikpVuaGdpZmxmbF%2FEkKE%3D

->-> http://www.ivote.ie/jjjr/Steve-Phillips-Girlfriend-Picture.htm

->->-> http://cakuqe.cn/22/?uid=13700 (which infects the user's machine with malware)



SEARCH: explosion in puerto rico

RESULT:

http://www.gsarchives.net/index2.php?t=explosion-in-puerto-rico

-> http://guardzone-sys.com/?p=WKmimHVlcW6HjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Ba16orKWeYpWcZWliaGaalGCIo6THodjXoFerpXOWk5hvZWRsZnFqXpzEag%3D%3D

->-> http://www.ivote.ie/jjjr/Explosion-In-Puerto-Rico.htm

->->-> http://cakuqe.cn/22/?uid=13700 (which infects the user's machine with malware)


Same result with “steve phillips wife photos” and many other search terms that are popular in Google today.
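The chains above are what a victim sees from the search side. On the server side the same campaign leaves a distinctive trace in the web server's access log: a directory the site owner never created (/jjjr/ here) that receives hits almost exclusively from search-engine referers, each carrying a different trending phrase. The script below is an added example, not part of the original post and not a tool from anyone mentioned in it. It scans Apache/nginx combined-format log lines for that pattern. The log lines, IP addresses, timestamps and thresholds are constructed for illustration, and the paths only borrow the /jjjr/ names seen in the chains above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SEARCH_ENGINE_LABELS = {"google", "bing", "yahoo"}      # matched against referer hostname labels
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "msnbot", "slurp")


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ref = urlparse(rec["referer"])
    labels = set(ref.hostname.split(".")) if ref.hostname else set()
    rec["from_search"] = bool(labels & SEARCH_ENGINE_LABELS)
    rec["search_terms"] = None
    if rec["from_search"]:
        qs = parse_qs(ref.query)
        q = qs.get("q") or qs.get("p")  # Google/Bing use q=, Yahoo used p=
        rec["search_terms"] = q[0].lower() if q else None
    rec["is_crawler"] = any(k in rec["ua"].lower() for k in CRAWLER_UA_MARKERS)
    return rec


def top_dir(path):
    """'/jjjr/Foo.htm' -> '/jjjr'; '/index.html' -> '/'."""
    parts = path.split("?", 1)[0].split("/")
    return "/" + parts[1] if len(parts) > 2 else "/"


def find_doorway_dirs(log_text, known_dirs=frozenset(), min_hits=3, min_search_ratio=0.6):
    """Return {directory: stats} for directories whose traffic looks like SEO-poisoning doorway pages.

    known_dirs: directories the site owner recognises as legitimate (skipped).
    """
    stats = defaultdict(lambda: {"hits": 0, "human_hits": 0, "search_hits": 0,
                                 "crawler_hits": 0, "paths": set(), "terms": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        s = stats[top_dir(rec["path"])]
        s["hits"] += 1
        s["paths"].add(rec["path"])
        if rec["is_crawler"]:
            s["crawler_hits"] += 1      # crawler visits show the pages are being indexed
            continue
        s["human_hits"] += 1
        if rec["from_search"]:
            s["search_hits"] += 1
            if rec["search_terms"]:
                s["terms"].add(rec["search_terms"])
    flagged = {}
    for d, s in stats.items():
        if d in known_dirs or s["hits"] < min_hits or s["human_hits"] == 0:
            continue
        ratio = s["search_hits"] / s["human_hits"]
        # Doorway signature: nearly every human visit arrives from a search engine, and the
        # queries are several unrelated phrases rather than the site's own name or products.
        if ratio >= min_search_ratio and len(s["terms"]) >= 2:
            flagged[d] = {
                "hits": s["hits"],
                "search_hits": s["search_hits"],
                "crawler_hits": s["crawler_hits"],
                "search_ratio": round(ratio, 2),
                "distinct_terms": len(s["terms"]),
                "sample_paths": sorted(s["paths"])[:5],
            }
    return flagged


# Constructed sample log (RFC 5737 documentation addresses, made-up timestamps); not real ivote.ie logs.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Oct/2009:09:14:02 +0100] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.10 - - [23/Oct/2009:09:14:03 +0100] "GET /about/team.html HTTP/1.1" 200 3200 "http://www.ivote.ie/index.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
198.51.100.7 - - [23/Oct/2009:09:15:11 +0100] "GET /index.html HTTP/1.1" 200 5123 "http://www.google.ie/search?q=ivote" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8)"
198.51.100.22 - - [23/Oct/2009:09:16:40 +0100] "GET /jjjr/Steve-Phillips-Girlfriend-Picture.htm HTTP/1.1" 200 2311 "http://www.google.com/search?q=steve+phillips+girlfriend+picture" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.23 - - [23/Oct/2009:09:17:05 +0100] "GET /jjjr/Explosion-In-Puerto-Rico.htm HTTP/1.1" 200 2290 "http://www.google.com/search?q=explosion+in+puerto+rico" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
198.51.100.24 - - [23/Oct/2009:09:18:30 +0100] "GET /jjjr/Steve-Phillips-Wife-Photos.htm HTTP/1.1" 200 2305 "http://search.yahoo.com/search?p=steve+phillips+wife+photos" "Mozilla/5.0 (Windows; U; Windows NT 6.1)"
192.0.2.5 - - [23/Oct/2009:09:20:12 +0100] "GET /jjjr/Explosion-In-Puerto-Rico.htm HTTP/1.1" 200 2290 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.40 - - [23/Oct/2009:09:21:44 +0100] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; U; Linux i686)"
"""

if __name__ == "__main__":
    for d, info in find_doorway_dirs(SAMPLE_LOG).items():
        print(d, info)
```

On the sample above only /jjjr is reported: every human visit to it came from a search engine with a different phrase, while the site root is visited mostly directly and the one search referer there is the site's own name. Run against real logs, pass the directories you actually publish in known_dirs and raise min_hits to suit the site's traffic; a hit on a directory nobody on the team created is the thing to chase, not the ratio itself. Doorway pages of this kind commonly serve different content depending on the Referer and User-Agent (a general property of SEO poisoning, not something the post above establishes), so a page that looks harmless when you fetch it directly has not been cleared; the log is the more reliable witness.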


It appears that the IVOTE.IE domain has been compromised (similar to the Zdesign.com domain in the last post). Normal deal: most likely one of IVOTE's employees' machines became infected, that person had access to their web server (probably FTP access), and the malware simply stole the credentials. Those credentials would then have been sold in bulk (normally 10,000 at a time) to a separate criminal gang, who in turn sell compromised sites to a third gang, which uploads the malware onto the site.


I've contacted the hosting providers of IVote to have the page cleaned up.
