Security Alert: "Blog-jacking"

Major news portal linking to external site

What is “Blog-jacking”? Have you ever been browsing through the day's stories on a news portal website such as Yahoo and found yourself clicking on a link at the bottom of an article that said something like 'See the full list of the 100 worst fashion fiascos of 2013'? Maybe it's a link to the '20 most beautiful beaches', or even '20 simple things you can do to keep your computer safe'. Regardless of what they are about, these links typically have one thing in common: they usually lead to a third party blog.

In this case, a third party blog refers to an independent blog that is not hosted on the major news portal's servers. Oftentimes, the major news portals will publish excerpts from these blogs, such as the top 10 out of a list of the 50 best or worst foods, locations, dressed, finance practices, computer habits, you name it. If it exists, some blogger somewhere has probably generated a list of the best or worst. If these bloggers are even moderately well written, some news portal has probably excerpted one of their lists, and in tribute, the portal usually links to the complete list at the bottom of the article.

Now don't get me wrong, some of these lists are quite good. We have found many a tip or trick that speeds up a computer's performance while browsing the tech blogs, and I'm not too proud to admit that I've checked out every listing of the 10 best burgers I have come across! Typically these blog sites are pretty safe, and I am certain any of the major news portals scan the sites for viruses and malicious scripts before linking to them.

The problem is that scammers, hackers, and people generally attempting to profit off the misery of others spend a great deal of time browsing these news portals, both to find trending high profile topics to incorporate into their scams and to see what independent blogs are being linked to in the daily articles. They know that the security on those 3rd party, independent blogs and websites is often much weaker than that of the major news portals, and that most lack the resources to continuously monitor their web servers for intrusion.

Once one of these scammers finds a site with security vulnerabilities, they typically insert a small script into the header or body of the site that runs in the background and generates pop-ups, redirects you, or installs a Trojan downloader on your PC. Home PC Patrol refers to this malicious process as “Blog-jacking”. The safest thing you can do is move your mouse over any link and check whether it leads to a site outside the news portal you are viewing. In most internet browsers, when you mouse over a link, the address associated with that link is displayed in the bottom left corner of the browser window. In this article's image, you can see that the link from the Yahoo article actually goes to an article on a 3rd party site.
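The same check as the mouse-over advice above, written out as an added example (it is not part of the original article): it resolves each link the way a browser does and reports every one that leaves the portal. The portal domain, the page address and the sample links are constructed for illustration, and the subdomain test assumes the portal's base domain is known in advance.

```javascript
// Added example: classify where a link really leads, relative to the portal being read.
// PORTAL_DOMAIN, PAGE and SAMPLE_LINKS are constructed values, not taken from the article.
const PORTAL_DOMAIN = "yahoo.com";

function classifyLink(href, pageUrl, portalDomain = PORTAL_DOMAIN) {
  let url;
  try {
    // Resolve relative links against the page address, as the browser does.
    url = new URL(href, pageUrl);
  } catch (err) {
    return { host: null, verdict: "unparseable" };
  }
  // javascript:, data: and similar schemes do not name a website at all.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { host: null, verdict: "not-a-web-link" };
  }
  // url.hostname is lowercased and excludes any "name@" prefix, so it is the
  // real destination even when the address is written to look like the portal.
  const host = url.hostname.replace(/\.$/, "");
  // Match the portal itself or a true subdomain; "yahoo.com.blog.example" fails.
  const onPortal = host === portalDomain || host.endsWith("." + portalDomain);
  return { host, verdict: onPortal ? "portal" : "third-party" };
}

// Return only the links that do not stay on the portal.
function externalLinks(hrefs, pageUrl) {
  return hrefs
    .map((href) => ({ href, ...classifyLink(href, pageUrl) }))
    .filter((r) => r.verdict !== "portal");
}

// Constructed sample: links as they might appear at the bottom of an article.
const PAGE = "https://news.yahoo.com/worst-fashion-2013.html";
const SAMPLE_LINKS = [
  "/more-stories",
  "https://finance.yahoo.com/top-10",
  "http://blog.example/full-list-of-100",
  "https://yahoo.com.blog.example/full-list",
  "https://news.yahoo.com@blog.example/full-list",
  "javascript:void(0)",
];

for (const r of externalLinks(SAMPLE_LINKS, PAGE)) {
  console.log(r.verdict.padEnd(15), r.host ?? "-", "<-", r.href);
}
```

The last three sample links show why the whole address in the status bar matters: the portal's name can appear at the front of an address that still leads to a different site.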

IMPORTANT!: For the most part these blogs are safe, and in fact Home PC Patrol checked the link displayed in the image above and found it to be safe at the time we checked. It's likely Yahoo checked it as well before publishing it in their article. Unfortunately, even if it was safe when we checked it, or even 5 minutes ago, it might not be safe now. Hackers can infect an improperly secured site in a matter of moments, or even a secured site given enough time. When hackers know a site is going to get a massive influx of traffic because of a link from a major news source, it often becomes a strong incentive for them to take the time to cut through even a properly secured site's defenses.

So what should you do if you click on one of these links and find yourself with pop-ups all over your screen or hijacked onto a page you didn’t intend to go to? The most important thing is not to click anywhere on the popup or hijacked page. These popups and pages usually have some sort of scareware message such as ‘Your computer is infected with viruses’ or ‘criminal activity has been detected at your IP address…’, or may even start running a fake virus scan, and usually contain large “Cancel” or “Close” buttons. These buttons are fake and are intended to trick users who are savvy enough to recognize the hijack as fake, but who may be unaware that the close and cancel buttons are fake as well. Clicking any element on these hijacked pages or popups usually initiates the download of a Trojan virus onto your computer.

So if you shouldn’t click on anything, what can you do? Here is one of the most useful tricks you can use when surfing the web: anytime you get a bunch of popups, or end up on a page you didn’t intend to go to, or even when you wind up on a page with no navigation buttons, all you have to do is press and hold either “Alt” key on your keyboard (located to the immediate right and left of the space bar) and hit the “F4” key on the top row of keys on your keyboard. Alt + F4 will automatically close the currently active window on your computer.

If you have a lot of popup windows on your screen, hitting Alt + F4 will close them. After each popup window closes, hit Alt + F4 again and it will close the next one… rinse and repeat until all of your web browser windows and popups are closed. Of course that doesn’t always work, and if the script initiates a Trojan downloader, there isn’t much you can do to stop it; but using Alt + F4 to quickly close the windows is your best chance. In addition, you will want to have popup blocking turned on in your web browser as your first line of defense.

Personally, I find the best way to prevent this from happening is to copy the address of the blog being linked to (by right clicking on the link and choosing “Copy link address” in Google Chrome, or “Copy shortcut” in Internet Explorer) and paste it into a text document, along with the date it was published. Then, wait a week or so before you go visit it. Typically, the hackers are only interested in a site while it is getting increased traffic from a major news portal. If you wait at least a week, the site owners should have cleaned off any malicious scripts that hackers may have added, and by then the hackers will have moved on to a new link.