Any legitimate website owner's worst nightmare is to have their website hacked or used as a platform for serving malware (spyware, trojans, keyloggers, packet sniffers, etc.). Luckily, not only do hacking methods evolve, but so does protection from the good guys, such as StopBadware and Google's website-warning integration into its result set (the actual message displayed under the result is "This site may harm your computer"). But every so often hackers get a little more unique in their tactics.
Today, when visiting the XXCOPY website (XXCOPY is a utility similar to XCOPY, originally by Microsoft, that extends the functionality with over 200 functions!), I ran into one of these issues. If you go directly to XXCOPY's website, www.xxcopy.com, there is no issue; however, if you Google the phrase XXCOPY and then click on the result, you may or may not get one of the "Reported Attack Site!" messages in Firefox (Firefox has the best anti-malware detection scripts).
After discovering this issue I called one of the reps at XXCOPY, who proceeded to tell me that the issue was purely on my computer (talk about a slap in the face to a hardcore techie), and that he couldn't replicate the issue, so it must not exist. Digging further into the issue, I soon realized that I was being redirected intermittently over to kb971657(dot)info (most likely originally set up so people Googling this particular Microsoft Knowledge Base article would land on their website), but not every time. In fact, it took me 10 tries at one point to replicate the issue (clicking on the XXCopy SERP result, then clicking back and clicking it again).
By adding this seeming randomness to the malware redirection, as well as detection of the referring page (Google in my case), the attackers made it harder for the company to detect, since going directly to XXCopy.com worked every time. My assumption is that this malware is using some form of visitor detection and cloaking. Unlike blackhat cloaking, it hides the content from the search engine and only shows it when certain conditions are met (i.e. the visitor comes from Google or some other website, and then a random number check meets a secondary condition). Hopefully XXCopy gets this issue sorted out.
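The reason the rep could not reproduce the problem is exactly the behaviour described above: one direct visit tells you nothing about a redirect that fires only for referred visitors, and only some of the time. The probe below, an added example that is not from the original post, repeats a request with and without a Google `Referer` header, follows no redirects, and counts off-site `Location` targets; a `simulated_cloaked_site` fetcher reproducing the described referer-plus-random logic is included only so the detector can be exercised offline (the fetcher, the 30% rate and the probe function names are assumptions; the hostnames come from the post).

```python
import random
import urllib.error
import urllib.request
from collections import Counter
from urllib.parse import urlparse

SITE_URL = "http://www.xxcopy.com/"                       # site discussed in the post
EXPECTED_HOSTS = {"www.xxcopy.com", "xxcopy.com"}          # redirects within the site are fine
GOOGLE_REFERER = "http://www.google.com/search?q=xxcopy"   # constructed referer value
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the first Location header is what we inspect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, referer, timeout=10):
    """Real fetcher: returns (status, Location-or-None) for a single request."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:       # raised for 3xx once redirects are refused
        return err.code, err.headers.get("Location")


def probe(fetch, url, referer, attempts=20):
    """Count off-site redirect hosts over repeated requests (randomness needs repetition)."""
    hosts = Counter()
    for _ in range(attempts):
        status, location = fetch(url, referer)
        host = urlparse(location).hostname if (status in REDIRECT_CODES and location) else None
        if host and host not in EXPECTED_HOSTS:
            hosts[host] += 1
    return hosts


def check_conditional_redirect(fetch, url=SITE_URL, attempts=20):
    """Conditional cloaking = redirects seen with a search referer but never on direct visits."""
    direct = probe(fetch, url, None, attempts)
    referred = probe(fetch, url, GOOGLE_REFERER, attempts)
    return {"direct": direct, "from_google": referred,
            "conditional": bool(referred) and not direct}


def simulated_cloaked_site(rate=0.3, seed=1):
    """Constructed stand-in for the behaviour the post describes; never contacts the network."""
    rng = random.Random(seed)
    def fetch(url, referer):
        if referer and "google." in urlparse(referer).hostname and rng.random() < rate:
            return 302, "http://kb971657.info/"            # destination named in the post
        return 200, None
    return fetch
```

Against a live site, pass `http_fetch` instead of the simulated fetcher; a non-empty `from_google` with an empty `direct` is the signal the rep would have needed.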