Posted by: Barracuda Labs
Yet another reputable site has fallen victim to compromise — University of Arkansas.
A forensic analysis of the attack revealed that the user requested the following:
setup.exe was linked off another malicious domain:
While investigating deep into the tracks of the user to determine how the user got to this page, we made yet another interesting discovery. Our investigation could not find user browsing a page linking directly off Universityof Arkansas linking the malicious page that was distributing the Rogue AV. Instead, it was a Bing search result that lead user to this page. Specifically, one customer using the Barracuda Purewire Web Security Service searched for ‘georigainmatequery’ on Microsoft Bing search engine.
As you can see, the malicious link from uArk.edu shows up in the bing search results — and in the number two spot. The page is leveraging uArk.edu’s reputation ranking in what we’ve previously reported on as SEO poisoning (see previous post). This is becoming increasingly more popular as hackers are targeting vulnerabilities in legitimate Web sites since it makes the malicious page more likely to be visited. While search engines have been proactively adding malware scanning in their arsenal, legitimate Web site owners also need to take proactive steps to keep their site free of such malicious content.
Customers using the Barracuda Purewire Web Security Service are protected from this attack.