Yahoo search for ".hta" triggers "Web attack: Social Engineering One Click Fraud(generic)" warning

When I use Yahoo to search for ".hta", NIS2012 pops up a box with "Web attack: Social Engineering One Click Fraud(generic)" with the attacking computer as mine, but doing the same search with Google does not.

 

Sounds like a bug.

Any suggestions?

Thanks

Hi SendOfJive!

Thanks for responding.

It actually does the same thing under IE8 or Chrome.  Maybe it is related to the way the Yahoo search formats the http query string...

Let's see if a malicious page in the search results is being prefetched.  In Chrome, click the wrench icon and select "Options."  In the "Under the hood" tab find "Use DNS pre-fetching to improve page load performance" in the Privacy section and un-check it.

Try your search again.  If you still get the alert, note the name of the website that is being blocked that shows in the alert notification.

Hmmm...

I am using version 21.0.1180.60 - there is no "under the hood" or "options" - think that was in earlier versions.

Checking Help with F1 and searching for "prefetch" didn't help much.

Under "chrome://flags" I found

Built-in Asynchronous DNS Mac, Windows, Linux, Chrome OS
Enable experimental asynchronous DNS client.

but not sure what that does...

What version of Chrome are you using?  I thought Chrome always updated itself.

NIS2012 shows the Attacker URL as search.yahoo.com

Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
2012-07-31 17:46:58,High,An intrusion attempt by CZAPALA1 was blocked.,Blocked,No Action Required,Web Attack: Social Engineering One Click Fraud (Generic) ,No Action Required,No Action Required,"CZAPALA1 (192.168.1.100, 8305)",search.yahoo.com/search;_ylt=Ar.RgoGcFpM4Vr34IBFOc5WbvZx4?p=.hta&toggle=1&cop=mss&ei=UTF-8&fr=yfp-t-701,"search.yahoo.com (74.6.238.254, 80)",192.168.1.100 (192.168.1.100),"TCP, Port 8305"
Network traffic from search.yahoo.com/search;_ylt=Ar.RgoGcFpM4Vr34IBFOc5WbvZx4?p=.hta&toggle=1&cop=mss&ei=UTF-8&fr=yfp-t-701 matches the signature of a known attack.  The attack was resulted from \DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\RON CZAPALA\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\APPLICATION\CHROME.EXE.  To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.

I don't use Chrome, but all versions I have ever seen have an "Under the hood" tab in the configuration options.  You clicked the little wrench icon at the top right?  There should be "options" or "preferences" or something in the dropdown list.

The current version of Chrome shows "Settings" under the wrench menu. Then it shows "Show advanced settings..." at the bottom of the chrome://chrome/settings/ page.

I edited my previous post to show the details from the NIS Security History entry.

What happens on your PC if you search for ".hta" from Yahoo?

Hm.  I'm going to have to look at Chrome again.  My apologies, here is what you should try:

http://support.google.com/chrome/bin/answer.py?hl=en&answer=1385029

I tried that but NIS still blocks it.

Do you get the same result if you search for ".hta" from Yahoo?

Yes I get the same block.  I'm not sure what is causing the issue.  One online URL scanner I used found some suspicious JavaScript, but several other scanners found nothing malicious.

Well, thanks for your persistence ;-)

I guess I'm not going to worry about it.

It must be some quirky thing that is particular to Yahoo's search page.

It does the same thing under Firefox.

Thanks for your help!
