Blue Coat Labs

Labs Blog

Did We See Any Olympics-themed SEP Attacks?

Did We See Any Olympics-themed SEP Attacks?

Chris Larsen

Earlier this year, we published a seven-part series on Search Engine Poisoning. In Part 7, we scrutinized the commonly held idea that the Bad Guys focus their SEP attacks on "Big Events" -- events that make the news in a big way, that everyone is talking about, and searching the Web to find out more about. And we showed that this idea is false.

The mainstream media, as it turned out, was largely unfamiliar with the concept that search engines were constantly being abused in malware attacks, and that led to a number of interviews. In discussing the research findings, a question that often came up was, "What about the Olympics?"


Well, the Olympics are a unique event. Unlike most "Big Events", the Olympics are a Big Event made up of thousands of smaller events. Think about it: basically every country in the world is participating, the number of athletes involved is over 10,000, and most people pay more attention to what the athletes from their country are up to than they do to the overall event. While America pays a lot of attention to Michael Phelps' quest for ever more gold medals, Iran is much more interested in its wrestlers and weightlifters, and China loves its divers. (The average American could probably not even name a single member of their diving, wrestling, or weightlifting teams, unless one the athletes comes from their town or city.)

So, when I was asked "What about the Olympics?" I responded that perhaps the Bad Guys would be able to successfully conduct more SEP attacks themed on stories and athletes from the Olympics than they could for other Big Events. Which leads us to this blog post. How did things turn out?



I went to our "SEP Attack Logs", where Tim's software records the search terms used for all of the SEP attacks that we see feeding into the big malnets that run the largest SEP operations. The Olympics officially began with the Opening Ceremony on July 27th; the Closing Ceremony was on August 12th. I collected data from July 1st through August 8th. (We had a logging glitch that affected the data for August 9th - 12th, so I dropped those days.)

I divided the data into "Pre-Olympics" and "Olympics" periods. The logs showed a total of 14,580 "successful" SEP attacks in the Pre-Olympics period, and 13,697 "successful" SEP attacks in the Olympics period. (For those who don't go back and re-read the seven-part series, a "successful" SEP attack is one where one of our users searched for something, got a poisoned result high enough in the search results that they noticed it, believed it to be legitimate, and they actually clicked on it, which launched them into the malnet. The attack ceased to be successful at that point, because WebPulse blocked it. So just to be clear, we're looking at over 28,000 blocked SEP attacks here.)


I began by searching for some of the more famous athletes:

- Zero log hits for "phelps", "gabby", "lolo", "lochte", "missy" (also for "franklin"), whom I thought at least our American users might be searching for.

- Zero log hits for "oscar" and "pistorius" (who had to be one of the biggest stories of this Olympics; since he's also known as the Blade Runner, I tried both "blade" and "runner", but got zero hits). Likewise, zero log hits for "kirani" or "grenada", and Kirani James winning the first ever Olympics gold medal for Grenada was a pretty important story, at least to people there...

- One hit for "lebron" (arguably the biggest star on the U.S. Olympics basketball team (but it was about his fiancee, not the Olympics). Also one hit for "jordyn" (but not Olympics-related)...

- Finally: 2 hits for "usain" (e.g., "usain bolt wins 100m title goalshighlights") -- although searching for just "bolt" yielded 11 search terms having nothing to do with Usain Bolt the Olympian.


Next, I tried searching more generally, for events and Olympics-related terms:

- Zero log hits for "fencing", "rowing", "vault", or "medal".

- 40+ log hits for "gold" (but none of them Olympics-related). 20+ hits for "cheat" (but no Olympics ones).14 hits for "wrestl" (but zero Olympics-related ones). 2 hits for "equestrian" (but not from the Olympics). 8 hits for "badminton" (but no Olympics ones). 3 for "diving" (but no Olympics ones). 16 hits for "china" (but no Olympics ones).

- 3 hits for "boxing" (and finally, 1 of them was Olympics-related: "Mark Barriga Zou Shiming score boxing qualifier Uzbekistan")

- 27 hits for "weight" (and I will be generous and count 1 of them as Olympics-related, since it was a search for "nadia weight gain", and the only Nadia I know of is the famous gymnast).

- 3 hits for "nbc" (who did the Olympics broadcasts -- just 1 of them was Olympics-related).

- 11 hits for "swimming" (1 of them was Olympics-related, but since it had the word "olympics" in it it was counted in that group, later in the post).

- 4 hits for "judo" (and again, just 1 of them was Olympics-related: "judo competitors for 28 July").

- 15 hits for "athlon" (to cover heptathlon, pentathlon, decathlon, and triathlon; all of the 15 hits were for "triathlon" but none of them were about the Olympics).


Well, that's not much to show so far, just 6 log hits out of all that searching. What if we give up on these specific terms, and just try "olympic" and "london"?

- 42 hits for "olympic", and I will be generous and count all of them, even the ones like "beer olympics team names".

- 13 hits for "london", but here we must separate out the obviously non-Olympics ones about clothes and weddings in London. That leaves only 4 Olympics-related hits.


So I found a total of 52 Olympics-related hits in the search terms in our SEP attack logs. The last step is to divide them into the Pre-Olympics (21) and Olympics (31) phases, and then whip out the calculator:

     21 / 14580 = 0.001440329

(So a little over a tenth of a percent of all the SEP attacks in the 26 days leading up to the Olympics involved search terms connected to the Olympics.)


     31 / 13697 = 0.002263269

(And a little over two tenths of a percent of the SEP attacks during the 13 days I checked of the Olympics involved Olympics-related search terms.)



While there was doubtless a lot of searching for Olympics-related content during July and August, the vast majority of those searches ended with clicks to legitimate news and blog sites. Once again, the SEP gangs were unable to score even a bronze medal in their competition against all of those legitimate sites that scored consistently higher with the judges (Google, Bing, and Yahoo).

I should note that I saw a number of articles in both the security and mainstream media dealing with Olympics-related malware and scams, but all of those articles named e-mail spam and social networking (Facebook and Twitter) as the attack vectors, which is also consistent with our findings.