Internet and online security professionals deal with hacking and cracking activity on a daily basis. With new technologies emerging every day, new security challenges arise and new vulnerabilities appear that allow black hat hackers to create and execute new scripts that can cause serious problems for whole networks. Our mission is to let you know about the latest scams and to warn you about new exploits that can have a severe impact on your online business.
20th April 2009

Black Hat SEO + Hackers = The End of Google Relevance?

Until recently, Google was used by hackers mainly as an excellent source of easy potential hacking targets. With over 8 billion pages indexed and only a small percentage of users knowledgeable about internet security, it was easy to find websites that could be hacked virtually on the fly. Google's rather advanced system of search operators made this task even easier.

Another way to quickly identify topics of interest and of increased popularity is, of course, by keeping an eye on Google Trends (yet another invaluable tool for both hackers and SEO specialists).

While hackers were playing their games, Black Hat SEO guys were playing theirs, dominating many lucrative SERPs and cashing in on free targeted traffic.

But to the best of my knowledge, they were not combining their forces, at least on a large scale.

Well, now they do.

SEO specialists from Poland identified one of the factors that Google currently relies on heavily to define the relevancy of search results. I’m talking about velocity. In layman's terms, velocity is nothing more than the “freshness” of a particular post and its links. The more recent the post is, the bigger its weight. Sure, there are many other factors that are taken into consideration as well, such as the number of incoming links, domain age, etc. I’m talking about velocity here because that’s what allowed SEO pros to exploit Google's algorithm and, along with artificially generated incoming links, get millions of pages ranked for the keywords of their choice.

This is impressive on its own, though disturbing. What’s even more disturbing is that they combined their efforts with hackers, and all those pages were filled with a specific type of malware.

Panda Security Labs identified a list of keywords that were compromised. To be more precise, the top SERPs for those keywords displayed absolutely irrelevant results linked to some domains in Warsaw:

http://www.webpronews.com/topnews/2009/04/14/seo-blackhatters-target-ford-via-google

On second thought, it doesn’t mean that hackers and SEO pros are from Poland. It only means that they control the server in Poland, and the domain from Poland.


posted in Internet Security Paradigms and Models, Main, Online Business Security, Website Security | 0 Comments

11th September 2007

Website Security, job seekers and ransomware as a new form of web hacking

The old school of website hacking pretty much concentrates on finding security vulnerabilities in the code of the website (e.g. dynamic URLs that are not properly validated, functions or procedures in the web application that allow a buffer overflow, form data entries that allow SQL injection, etc.).

There are 3 main purposes for such attacks:

1) steal products/ services offered on a website,

2) steal information stored in the databases (both personal information and credit card details)

3) proceed further and use initial vulnerability to gain additional privileges on a server and ultimately, to obtain root access to the server.

Let’s talk today about the second purpose: obtaining both physical mailing addresses and credit card records that could be used for identity theft or simply re-sold on the Internet.

When a hacker tests different methods of getting unauthorized access to a website or web application, he most likely uses slave computers for this purpose (also called slave bots), proxy servers, or a combination of the two.

Granted, it might be difficult for investigators to establish the real source of an attack, such as the IP address that was used to execute it, but it could still be risky for hackers.

So the easiest way to get their foot in the door of the target system would be for hackers to obtain the login details of a legitimate user, and use those details to perform their further operations.

And it looks like this approach, combined with advanced phishing scams, has become very popular lately. In addition to malware, spyware, viruses and worms, we now have a rather new phenomenon called ransomware.

Ransomware is what the name implies: a type of malware that can be used to take hostages and demand a ransom from the victim.

Only in this case “a hostage” is not a person, it’s a computer. Ransomware encrypts all the files on a victim’s machine, so the average computer user is not able to decrypt them and has to pay a ransom to get access to his/her own files again.

Of course, if a person performs regular backups of his machine, this scheme won’t work.

The computer user would be able to easily restore all the files from a backup. But this scheme is very successful, which just goes to show you that only a few people regularly back up their computer files.

This exact scheme was used in a Monster.com ransom scam that became well-known lately.

Intruders first obtained access to the employer accounts on Monster. How they did it is not important now. Maybe they tricked the account holders into opening emails with malicious attachments, installed Trojans on their computers, and then sniffed all the information that was exchanged between that machine and the other ones. Maybe they sniffed out the packets (note that Monster uses http for login screens, not https, hence login data are passed as plain text), or they might have used any other of the numerous hacking methods. The point is, they obtained unauthorized access to the employers’ accounts.

And the people who contacted those employers were looking for a job, so they readily provided all their contact details to those employers, including phone numbers, mailing addresses, etc.

After collecting approximately 1.6 million records of job applicants, the attackers crafted very well written personalized emails to those applicants and tricked the victims into opening them. When an email was opened, a Trojan was installed on the victim’s machine. Financial information was stolen, or files were encrypted and a ransom demanded to “free up” the files.

And there is evidence that a similar scheme is now being used at another website for job seekers, CareerBuilder.com.

What is the point of this story? It looks like pure hacking has slowly been replaced by a wholesale approach that doesn’t require much skill. It’s enough to find a way to get millions of records, trick the recipients, install malware or ransomware, steal credit card or bank account data or just encrypt the files on the victim’s computer, and voila, the attackers have some serious cash in their bank accounts.

Be aware of this new wave of data stealing, which I would call “web hacking without hacking”, and be extremely careful when opening emails from an “employer”, or any email from an unknown sender for that matter.


posted in Main, Website Security | 0 Comments