Wednesday, 6 November 2013
Tuesday, 5 November 2013
Tips for Improving your Adwords Conversion Rate
The success of online marketing can only be determined by the flow of customers and potential clients to your ad. Online marketing has been revolutionized in the advent of computing and information computer technology. The number of companies preferring to use online services in marketing has gradually increased and more companies prefer to place their ads on reputable websites as compared to billboards or television sets. Professional search engine optimization (SEO) involves a number of steps and considerations with a main aim of boosting the traffic to the ad just as a billboard placed next to a busy highway. Altogether the conversion of the traffic to income is also a major headache to the online marketers. How do you convert the huge traffic into tangible income, what is the convincing power of the ad? How many goods are you able to sell following the traffic or how many sign ups do you get per person? These are the day to day questions facing the online marketers in the world today. To improve your conversion rates the following guidelines are key.
Use of specific keywords
Suppose you want to place an ad for selling a phone, be specific in the commercial brand name. It is more likely that a potential client would be searching for a gadget in which he has more information about. Search engine optimization expert’s advice that the more precise you are the more visits you are likely to get. Generalization would only promote the traffic but at the end of the day the client would bypass and move to the more specified item. However do not be too specific that very few people know about the fine details. It is always advisable to balance.Monitor track your conversion rates
It is obvious that you get information about the number of clicks on daily basis. But how amazing would it be if you analyzed the rate of clicks to income conversion rates. By doing this you can determine which among the words u use generate mo conversion.Use of negative key words.
Attractive keywords in an ad would definitely promote the traffic to the ad. But it has a poor conversion rate. Less people are likely to purchase if they were attracted by words. For instance mot ads bearing the words such as win, free etc generate low conversion rates since it is not likely that a browser who was looking for some free staff would make purchases after realizing he has to spend.Include the prices in your ads to attract the customers
It is advisable to include the prices or a comparison of the prices with other competitors.Include the discounts or offer rates if any.Use the search word report to get the right clients.
The ad words may help to show how your key words are doing. You can use the terms searched by the surfers to know how to improve your ad. Review of the information would enable you to know what words to include or exclude from your ad. Or targeting the right potential clients.Be professional
Most browsers fear scammers. Use of professional tone gives the potential buyer the confidence to purchase from you. Avoid appearing to be too god to be real.Latest UPS spam runs include exploits
Spam runs never get old. Whether you have received a package from UPS, FedEx or even PayPal notifications, they either lead you to (poorly crafted) phishing websites or malware (mostly Trojans like Zeus).
This afternoon I saw a tweet from one of my friends on Twitter:
@MalwareMustDie Phishing Campaign http://t.co/ecm0urGFpv#malwaremustdie
— Jim Kesselring (@RazorEQX) November 5, 2013
Not many moments later I had received the mail in my inbox. Here's what it looked like:
 |
| UPS Delivery Notification Tracking Number : XLMBGBN855XLMBGBN581 |
Mail seems to come from:
auto-notify@ups.com or
auto@ups.com
Obviously the mail is spoofed and is really coming from:
UPS@enviosuperfast.info or
Quantum@enviosuperfast.info or
View@enviosuperfast.info
Which traces back to:
192.123.32.83 - Result & 184.82.214.54 - Result
Attached is a file called:
invoiceU6GCMXGLL2O0N7QYDZ.doc
MD5: 7c2fd4abfe8640f8db0d18dbecaf8bb4
Malwr Report
Malware Tracker Report
Other file names are possible as well, but always follow the same format:
invoiceXXXXXXXXXXXXXXXXXX.doc, where XXXXXXXXXXXXXXXXXX is a random string of 18 characters. I haven't seen any other possibilities (yet).
What's this? It seems this is not the usual ZIP file with a piece of malware in, no, rather this .doc file is actually an .rtf file which contains an exploit. There's also a URL in the mail, which leads to the download of the exact same file. (so you're screwed either way - whether you download/open the attachment or the link - malware authors wanting to up their success rate may be a good reason for this "tactic".)
 |
| Submission to Malware Tracker revealed CVE-2012-0158 |
Let's perform some static analysis as well. Using our favorite tool Notepad++:
 |
| Clues in yellow indicating it's indeed an .rtf file (font used: Calibri) |
What's happening exactly when we are trying to open this with Wordpad? I can tell you: you just see the same thing as is happening above with Notepad++.
When using OfficeMalScanner (downloadable here) it is being revealed there's a (vulnerable) OLE document embedded. There's an excellent post over at SANS here as well on the usage of this tool.
Unfortunately OfficeMalScanner was unable to automatically extract malicious shellcode, but after some manual work I was able to receive another file, which ultimately delivers another exploit.
We have now two working exploits (both are exploits for Office/.RTF files):
CVE-2012-0158
CVE-2010-3333
When I tried to open it this .RTF file with Microsoft Word 2010, Word crashed and the following happened...:
 |
| Word crashing & malicious process(es) spawning |
Those are an awful lot of REG.exe processes, right? In case you're wondering, REG.exe is a legit Microsoft file - or tool- to edit the registry.
A process called WINWORD.exe is present, but neither vendor or description name are mentioned.
MD5: e5e1ee559dcad00b6f3da78c68249120
Malwr Report
Obviously this isn't the legit Microsoft Word, as that application had crashed. The first time I was reproducing this exploit in the works, it also dropped another file. Unfortunately I was a bit too fast and forgot to take a copy of that sample as well. I was not able to reproduce the spawning or creating of the latter sample.
The malware creates persistence by:
- injecting into explorer.exe
- Creating a key as follows: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baebadcaacbfcbcdsacfsfdsf
It also recreates itself in:
- %ApplicationData%
- %CommonApplicationData%
It calls back to the following domains:
customer.invoice-appmy.com
customers.invoice-appmy.org
customer.appmys-ups.orgfeed404.dnsquerys.org
feed.queryzdnsz.org
feeds.nsupdatedns.com
feed404.dnsquerys.com
static.invoice-appmy.com
... Which resolves to the following IP's:
158.255.2.60 - Result
118.67.250.91 - Result
The reason for these domain names are probably to fool network administrators who are possibly taking a peek at the packets passing through their appliance: "Oh, it's just for DNS queries." , one may think. Nothing's less true though.
Payload
The payload can vary in this case. According to VirusTotal results, it may be ransomware. I was unable to reproduce that kind of behaviour. I have feelings it may be a Bitcoin miner or simply Zeus/Zbot again. Kaspersky had apparently noticed the same campaign, in their sample it's a Brazilian banking Trojan. You can read that article here.
Prevention
- Upgrade to the latest version of Microsoft Word (and Office as a whole). If that's not possible;
- Install ALL your Windows Updates! These exploits are long patched by Microsoft.
- Improve security for your Office files. This means disabling ActiveX, disabling macros and blocking external content. Useful links:
Enable or disable ActiveX controls in Office documents
Enable or disable macros in Office documents
Block or unblock external content in Office documents - Block ALL the IP's mentioned above in my post.
- Install a proper antivirus & antimalware solution. In a company: you better have a spamfilter!
Disinfection
- Look for suspicious Run keys (examples here) and delete the associated file(s).
- Run a full scan with your installed antivirus product.
- Run a full scan with another antivirus and/or antimalware product.
- In a company: warn your network administrator immediately!
Conclusion
One might wonder if this is a so-called "APT" (Advanced Persistent Threat). I highly doubt that.
Though spammers and malware authors have tried the technique of attaching a malicious file or posting a link in the mail, I haven't seen them do that both very much. (exceptions being some awkward and poorly made viagra spam)
Using these exploits, it's clear they are prooftesting their possiblities. How many have fallen or will fall for this campaign? How much of these mails were sent out anyway? There's no sure way of knowing.
Follow the above prevention tips. If you're an antivirus or security company or researcher or just someone interested in this field, this may interest you:
7500198c94051785a68addc5f264a10f
7c2fd4abfe8640f8db0d18dbecaf8bb4
ad0ef249b1524f4293e6c76a9d2ac10d
e5e1ee559dcad00b6f3da78c68249120
Subscribe to:
Posts (Atom)