Recently, a lot of high-profile .EDU and .GOV sites were hijacked to redirect users to fake online stores. Google searches related to buying software ("buy windows 7 key", "where to buy microsoft", "purchase microsoft word", "buy microsoft office", etc.) return a long list of websites running on non-standard ports: www.kidsforkidsfestival.org:8080, en.jurispedia.org:4444, www.notiuno.com:4577, etc. These links redirect users to online stores that claim to sell software at a discounted price.
[Image: Spam results for buying Windows]
Major websites hijacked
The list of hijacked sites includes:
- Harvard (Alexa rank in US: 875, cxc.harvard.edu)
- MIT (Alexa rank in US: 963, petar.blog.lcs.mit.edu, fig.scripts.mit.edu, hlt.media.mit.edu)
- Stanford (rank 782, mentalhealth.stanford.edu, yuba.stanford.edu, assu.stanford.edu)
- Fandango (rank 236, www.summermovies.fandango.com)
There are also governmental sites in the list, from the US, China and other countries:
- openworld.gov
- paceflorida.gov
- fpa.tas.gov.au
- ezhouinvest.gov.cn
- perak.gov.my
- misiones.gov.ar
- etc.
Fake stores
The fake stores use multiple domain names, and each site looks slightly different: softsupreme.com, softsupreme.net, buysupreme.net, software-supreme.com, softbuy-download.net, softbuy-download.com, sacon.org, topoemdownloads.net, etc. I've seen more than 75 different domains so far.
[Image: Fake store]
Multiple languages and other spams
Unlike the usual Blackhat SEO spam coming from Google Hot Trends, this type of spam targets multiple languages: English, French ("achat windows"), German ("Microsoft kaufen"), etc.
Hijacked sites on non-standard ports are also used for other types of spam: US student visa, Viagra, etc.
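The non-standard-port pattern described above can be searched for in proxy logs or exported search results. The following is an added example, not code from the original post: the function names, the choice of 80 and 443 as the only standard ports, and the example.edu / example.gov.au URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

STANDARD_PORTS = {80, 443}  # assumption: only these count as normal web ports
# .edu / .gov hosts, including country forms such as .gov.au or .gov.cn
INSTITUTIONAL = re.compile(r"\.(edu|gov)(\.[a-z]{2})?$")

def parse_host_port(url):
    """Return (host, explicit_port); port is None when the URL names none."""
    if "://" not in url:
        url = "http://" + url  # search results often list scheme-less links
    try:
        parts = urlsplit(url)
        return (parts.hostname or "").lower().rstrip("."), parts.port
    except ValueError:  # malformed authority or out-of-range port
        return "", None

def flag_urls(urls, institutional_only=False):
    """Map host -> set of explicit non-standard ports seen for that host."""
    hits = {}
    for url in urls:
        host, port = parse_host_port(url.strip())
        if not host or port is None or port in STANDARD_PORTS:
            continue
        if institutional_only and not INSTITUTIONAL.search(host):
            continue
        hits.setdefault(host, set()).add(port)
    return hits

# First three entries are the links quoted in the post; the rest are constructed.
SAMPLE_URLS = [
    "www.kidsforkidsfestival.org:8080",
    "en.jurispedia.org:4444",
    "www.notiuno.com:4577",
    "http://lab.example.edu:8080/buy-windows-7-key",
    "http://lab.example.edu:4444/achat-windows",
    "https://portal.example.gov.au:443/",   # standard port, ignored
    "http://cxc.harvard.edu/",              # no explicit port, ignored
    "http://lab.example.edu:99999/",        # invalid port, ignored
]

if __name__ == "__main__":
    for host, ports in sorted(flag_urls(SAMPLE_URLS).items()):
        print(host, sorted(ports))
```

A hit is a lead for review rather than proof of compromise, since legitimate services also listen on ports other than 80 and 443; a host that shows several unrelated high ports is the stronger signal.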
Once again, spammers have managed to poison search results for popular searches. This specific spam was reported a month ago, but it still shows up on the first page of results for multiple searches.
-- Julien