Tag Archives: Microsoft

US Court Authorises Microsoft To Seize Control of Key Domains in COVID-19 Cyberattacks

On Tuesday, a US court authorised Microsoft to take control of key domain names that were being used by cybercriminals, preventing the domains from being used to execute cyberattacks. These cybercriminals were taking advantage of the COVID-19 pandemic in an attempt to defraud customers in 62 countries around the world.


The screens that ate school: What do we really know about the growing presence of Google, Apple, Microsoft and more in the education system?

It wasn’t sent to us, at least not directly, but we decided to pretend it had been. “As we often ask our children to do their best,” the principal at a state primary school in Melbourne’s west had written in the second week of April, “we now ask that of our parents. But please do not let it become too overbearing or too difficult to the stage where it causes upset in the household – this does not assist anyone – child or parent.”


Microsoft Gains Court Orders Taking Down Domain Names With Aim of Disrupting US Elections

Around the world, not just in the United States, there has been a lot of evidence of the Russian government’s involvement, directly or indirectly, in elections. This week, Microsoft announced their Digital Crimes Unit successfully executed a court order to disrupt and transfer control of 6 domain names created by a group widely associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28.

In a post on the Microsoft blog, the company's President, Brad Smith, writes that Microsoft has “now used this approach 12 times in two years to shut down 84 fake websites associated with this group. Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit. The sites involved in last week’s order fit this description.”

Last week’s order transferred control of the 6 domain names listed below from Strontium to Microsoft, preventing Strontium from using them and enabling Microsoft to more closely look for evidence of what Strontium intended to do with the domains. The 6 domains are:

Microsoft note that these domain names show a broadening of entities targeted by Strontium’s activities. One appears to mimic the domain name of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including 6 Republican senators and a leading senatorial candidate. Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the U.S. Senate but are not specific to particular offices. Microsoft makes it clear that they currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do they have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains.

Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States. Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.

Microsoft is concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections. So this week Microsoft announced they are expanding their Defending Democracy Program with a new initiative called Microsoft AccountGuard. This initiative will provide state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations we now believe are under attack. The technology is free of charge to candidates, campaigns and related political institutions using Office 365.

As a special master appointed by a federal judge concluded in the recent court order obtained by DCU, there is “good cause” to believe that Strontium is “likely to continue” its conduct. In the face of this continuing activity, we must work on the assumption that these attacks will broaden further. An effective response will require even more work to bring people and expertise together from across governments, political parties, campaigns and the tech sector.

Microsoft Implements URL Keyword Stuffing Spam Filtering For Bing

Microsoft have announced that a few months ago they implemented a specific spam filtering mechanism for their Bing search engine that targets a common spam technique known as URL keyword stuffing (KWS). The announcement by Igor Rondel, Principal Development Manager, Bing Index Quality, came in a posting on the Bing Blog, which explains URL KWS as follows:

What is URL KWS?

Like any other black hat technique, the goal of URL KWS, at a high level, is to manipulate search engines to give the page a higher rank than it truly deserves. The underlying idea unique to URL KWS relies on two assumptions about ranking algorithms: a) keyword matching is used and b) matching against the URL is especially valuable. While this is somewhat simplistic considering search engines employ thousands of signals to determine page ranking, these signals do indeed play a role (albeit significantly less than even a few years ago.) Having identified these perceived ‘vulnerabilities’, the spammer attempts to take advantage by creating keyword rich domain names. And since spammers’ strategy includes maximizing impressions, they tend to go after high value/ frequency/ monetisable keywords (e.g. viagra, loan, payday, outlet, free, etc…)

Those are the basic mechanics that comprise the overall URL KWS concept. Looking at it a little closer, spammers employ a variety of approaches to implement this technique, resulting in a number of distinct flavours. These are some of the more common variants (note: some of the URLs mentioned below are fictitious, used to demonstrate the point):

  • Multiple hosts, with keyword-rich hostnames: http://account.free.online.savings.samedaypaydayloansusa.com
  • Host/ domain names with repeating keywords: http://loan.payday.paydayloanspaydayloansusa.com
  • URL cluster across same domain, but varied hostnames comprised of keyword permutations:
      • http://contososhoeswomen.shoesonsale.com/
      • http://bestwomensrunningsneakers.shoesonsale.com/
      • http://discountrunningapparelforwomen.shoesonsale.com/

URL squatting: This is a little different as the spammer is playing on a human tendency to misspell keywords & in effect syphoning traffic off of existing (typically high profile/ traffic) sites.
E.g. http://nytime.com (misspelling of http://nytimes.com), http://ebey.com (misspelling of http://ebay.com)

It’s important to note, however, that certainly not all URLs containing multiple keywords are URL KWS spams. In fact, the majority are perfectly legitimate non-spam URLs (e.g. http://www.nytimes.com/2011/08/25/opinion/how-to-fix-our-math-education.html.) To ensure high detection precision, this detection technique is typically used in combination with other signals (more on this below.)

Addressing this type of spam is important because a) it is a widely used technique (i.e. significant SERP presence) and b) URLs appear to be good matches to the query, enticing users to click on them.

How do we detect it?

As I mentioned in the previous blog, we will not be giving out specific details on detection algorithms because spammers are likely to use that knowledge to evolve their techniques. I can, however, tell you that we look at a number of signals that suggest possible use of URL keyword stuffing, such as:

  • Site size
  • Number of hosts
  • Number of words in host/ domain names and path
  • Host/ domain/ path keyword co-occurrence (inc. unigrams and bigrams)
  • % of the site cluster comprised of top frequency host/ domain name keywords
  • Host/ domain names containing certain lexicons/ pattern combinations (e.g. [“year”, “event | product name”], http://www.turbotaxonline2014.com)
  • Site/page content quality & popularity signals

To amplify this, we try to cluster sites (by various pivots such as domain, owner, etc…) and then look for patterns of the signals listed above in the same cluster. This helps improve detection precision because spammers often create dozens/ hundreds of similar looking sites.

What has been the impact on the end user & the SEO community?

Users: This update impacted ~3% of Bing queries (on average ~1 in 10 URLs was filtered out per impacted query.)
SEO community: ~5M sites, comprising > 130M urls, have been impacted, resulting in upwards of 75% reduction in traffic to these sites from Bing.

  • Example queries: {hotmail login}, {bestbuy on sale}, {cheap hdtv}
  • Examples of spam sites impacted:
      • www.cheapviagrausa.com
      • www.cheapviagrapharma.com
      • www.buyviagracheapviagraergr.com
      • www.gmailloginsigninup.com

The information in this blog posting originally appeared on the Bing Blog at:
blogs.bing.com/webmaster/2014/09/09/url-keyword-stuffing-spam-filtering/
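
As an added illustration (not Bing's algorithm, which the post deliberately withholds, and not code from the original posting), the sketch below computes three of the hostname-level signals listed above: number of hosts per domain cluster, number of words per hostname, and repeated keywords. The lexicon, the naive two-label domain rule and all function names are assumptions; path words and content-quality signals are left out.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed lexicon (assumption): production systems use a full dictionary.
LEXICON = {"account", "free", "online", "savings", "same", "day", "payday",
           "loan", "loans", "usa", "contoso", "shoes", "women", "womens",
           "on", "sale", "best", "running", "sneakers", "discount",
           "apparel", "for", "ny", "times"}
MAX_LEN = max(map(len, LEXICON))

def segment(label):
    """Greedy longest-match split of one hostname label into lexicon words."""
    words, i = [], 0
    while i < len(label):
        for n in range(min(MAX_LEN, len(label) - i), 1, -1):
            if label[i:i + n] in LEXICON:
                words.append(label[i:i + n])
                i += n
                break
        else:
            i += 1  # no known word starts here; skip one character
    return words

def host_signals(url):
    host = urlsplit(url).hostname.lower()
    labels = host.split(".")
    # Naive registered domain = last two labels (assumption; use the
    # Public Suffix List for names such as example.co.uk).
    words = [w for label in labels[:-1] for w in segment(label)]
    repeated = sorted(w for w, c in Counter(words).items() if c > 1)
    return {"host": host, "domain": ".".join(labels[-2:]),
            "words": words, "repeated": repeated}

def cluster_signals(urls):
    """Group hosts by domain and summarise the hostname-level signals."""
    clusters = defaultdict(list)
    for url in urls:
        sig = host_signals(url)
        clusters[sig["domain"]].append(sig)
    return {d: {"n_hosts": len({s["host"] for s in sigs}),
                "max_words": max(len(s["words"]) for s in sigs),
                "hosts_with_repeats": sum(bool(s["repeated"]) for s in sigs)}
            for d, sigs in clusters.items()}

# Sample input: the example URLs quoted in the post (some are fictitious).
SAMPLE_URLS = [
    "http://account.free.online.savings.samedaypaydayloansusa.com",
    "http://loan.payday.paydayloanspaydayloansusa.com",
    "http://contososhoeswomen.shoesonsale.com/",
    "http://bestwomensrunningsneakers.shoesonsale.com/",
    "http://discountrunningapparelforwomen.shoesonsale.com/",
    "http://www.nytimes.com/2011/08/25/opinion/how-to-fix-our-math-education.html",
]
```

On the sample, the shoesonsale.com cluster stands out on host count and words per hostname while www.nytimes.com does not, and, as the post notes, such signals only become reliable when combined with others.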