
SANS ISC InfoSec Handlers Diary Blog



Fake Link removal requests

Published: 2013-03-29
Last Updated: 2013-03-30 00:05:47 UTC
by Chris Mohan (Version: 1)
1 comment(s)

 

Over the last month we’ve had three requests to remove a particular link belonging to a specific security vendor. We’re a nice enough bunch and if there’s a good, honest reason to remove a link, we’ll consider it. What makes this interesting is that the requests weren’t from the company or any of its staff, and also the reason given for the removal. We did contact the target company and let them know this was happening, but as the third request has only just come in, it’s worth bringing to your attention.
 
The emails looked like a reasonable, if somewhat odd, request, as normally the more links back to your company’s site, the better your ranking (a super simple explanation of search engines’ ranking I know - but just go with it). As most webmasters are super sensitive to Google rule changes, they may have automatically complied, thinking this was something new.
 
I’ve changed the well-known security firm’s name and removed the single link they referenced on the ISC site. Here’s the first request, sent Fri 8/03/2013:

Subject: Link Removal Request
 
Hello
 
I am the webmaster for www.targetedsecurityproduct.com
In light of Google's newest algorithm change, I need to request that you remove every link to www.targetedsecurityproduct.com from your website.
 
Below is our link location:. http://ISC.Removed
 
I would greatly appreciate your immediate cooperation.
 
If it is not too much of a hassle, I would appreciate you letting me know once it has been removed. Thank you in advance for your cooperation.
 
Thank You
 
Leslie keemen

 
The email sender, allegedly leslie.keemen at gmail.com, is a red flag straight away as it’s not a company address, plus the email was sent from a home broadband ISP in New Delhi, India, which is not a country this company is based in or has offices in either. Being good sports, we responded with a polite “Please confirm this request from a company email address and we’ll think about it” and, surprise, surprise, got no response. In the meantime we talked to the targeted company to let them know about this email. Ten days later, Mon 18/03/2013, we received an identical request from the same email address and the same home broadband ISP in New Delhi, India. This one we ignored.
 
The third one, on Friday, 29 March 2013, changed tactics slightly: it was signed by "Matt" and the sender address was spoofed as links@targetedsecurityproduct.com. Happily for us it was still from the same home broadband ISP in New Delhi, India.
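
The checks described above (does the sender's domain match the site the requester claims to manage, and does the same originating IP keep turning up under different identities), as an added example that is not part of the original diary. The messages, hostnames and IPs are constructed, the flag names are illustrative, and the SPF check on `Authentication-Results` is an extra signal the diary does not mention.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed samples modelled on the three requests; IPs are documentation ranges.
def sample(sender, spf, relay=""):
    return (relay + "Received: from home-pc ([203.0.113.45]) by smtp.sender.example\n"
            f"Authentication-Results: mx.recipient.example; spf={spf}\n"
            f"From: {sender}\nSubject: Link Removal Request\n\n"
            "I am the webmaster for www.targetedsecurityproduct.com\n")

RELAY = "Received: from mail.provider.example ([198.51.100.10]) by mx.recipient.example\n"
SAMPLES = [sample("Leslie <leslie.keemen@gmail.com>", "pass", RELAY),
           sample("Leslie <leslie.keemen@gmail.com>", "pass", RELAY),
           sample("Matt <links@targetedsecurityproduct.com>", "fail")]

def triage(raw):
    """Per-message checks: claimed site vs. From domain, SPF result, earliest hop IP."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    from_domain = sender.rsplit("@", 1)[-1]
    m = re.search(r"webmaster for (?:www\.)?([\w.-]+)", msg.get_payload(), re.I)
    claimed = m.group(1).lower().rstrip(".") if m else None
    # Earliest hop is the last Received header. Hops below your own MTA are
    # sender-controlled, so use this for correlation, not as proof of origin.
    hops = msg.get_all("Received") or []
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    flags = []
    if claimed and from_domain != claimed:
        flags.append("sender-domain-mismatch")
    if re.search(r"\bspf=(fail|softfail)\b", msg.get("Authentication-Results", "")):
        flags.append("spf-fail")
    return {"sender": sender, "ip": ip.group(1) if ip else None, "flags": flags}

def correlate(raws):
    """Flag messages whose origin IP has been seen with more than one sender."""
    results = [triage(r) for r in raws]
    senders_by_ip = defaultdict(set)
    for r in results:
        senders_by_ip[r["ip"]].add(r["sender"])
    for r in results:
        if r["ip"] and len(senders_by_ip[r["ip"]]) > 1:
            r["flags"].append("ip-shared-across-identities")
    return results

if __name__ == "__main__":
    for result in correlate(SAMPLES):
        print(result)
```

The third message passes the domain comparison because its From address is spoofed; it is the shared origin IP (and the SPF failure) that ties it to the earlier two.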
 
I’m making an assumption that this is an attempt at removing this company from search engine rankings as part of some search engine optimisation (SEO) campaign. Whether the company employing the SEO “firm” using Indian resources to make this unethical approach has approved these dubious methods or not, it’s worthwhile keeping an eye on your company’s web rankings (if they are important to the business) for attacks like these. And if this were happening to me, I would classify it as a form of attack and start up an incident response case.
 
Has anyone else seen these shady tactics being used against them, or have an insight into what the actual end goal of these types of fake requests is?
 

Either write in to https://isc.sans.edu/contact.html#contact-form or reply below, I'd love to hear your thoughts on this.

Chris Mohan --- Internet Storm Center Handler on Duty

Keywords: email spoofing