
Thread: Search Engine Poisoning - archive

  1. #51
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Labor Day - SEO Poisoning leads to Rogue Antivirus

    FYI...

    Labor Day - SEO Poisoning leads to Rogue Antivirus
    - http://securitylabs.websense.com/con...erts/3471.aspx
    09.04.2009 - "Websense... has detected that Google searches on terms related to Labor Day sales return results that lead to rogue antivirus software. Labor Day is one of the biggest holidays observed in the US each year. Retail sales events held during this weekend are some of the most anticipated throughout the country. When Google is used to search for terms related to Labor Day sales, malicious URLs as high as the first result are returned. Upon clicking an affected search-result link, JavaScript code redirects the user to a Web site advising them that their machine is infected with viruses. It then proceeds to offer free (rogue/fake) AV software. AOL and ASK.com are also affected in a similar way..."

    (Screenshots available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #52
    AplusWebMaster (Adviser Team)

    SEO poisoning - Ann Minch's YouTube video

    FYI...

    SEO poisoning - Ann Minch's YouTube video
    - http://securitylabs.websense.com/con...erts/3482.aspx
    09.24.2009 - "Websense... has discovered rogue antivirus sites returned by Google searches on Ann Minch. Ann Minch launched a one-woman "Debtors Revolt" against her bank for an unjustified APR increase on her credit card. She posted a video on YouTube two weeks ago sharing her thoughts. Her video made a huge splash and was viewed over a quarter of a million times. When searching for Ann Minch and related terms in Google, rogue antivirus sites, ranked as high as top match, can be returned. These sites lead to fake antivirus pages which claim your computer requires an immediate antivirus scan and prompt you to download malicious files. These files have very low AV detection*..."
    * http://www.virustotal.com/analisis/6...89f-1253761961
    File 549170E10037D51580D70240C1E1C6001E217750.exe received on 2009.09.24 03:12:41 (UTC)
    Result: 1/41 (2.44%)

    (Screenshots available at the Websense URL above.)


  3. #53
    AplusWebMaster (Adviser Team)

    iPhone SEO poisoning leads to Rogue A/V

    FYI...

    iPhone Blackhat SEO Poisoning Leads to Total Security Rogue Antivirus
    - http://securitylabs.websense.com/con...logs/3483.aspx
    09.28.2009 - "Websense... has detected that Google searches on terms related to iPhone SMS information are returning results that lead to rogue antivirus software. The Apple iPhone is one of the most popular smart phones on the market, and it's quite typical for users to google for information relating to SMS and other features of the iPhone. When Google is used to search for terms related to iPhone SMS information, malicious URLs are returned as high as the sixth result. When a user clicks an affected search-result link, they are redirected to a Web site advising that their machine is infected with malicious threats. It then proceeds to offer rogue or fake AV software... If a user clicks on a link controlled by attackers in this scheme, they are redirected through a series of sites via 302 redirects. The final landing page attempts a scareware technique of warning the user that they have been infected with malware and must clean their system. The user is then prompted to download fake antivirus software... The use of Blackhat SEO leading to Rogue AV will only increase in the upcoming year. This scare tactic has proved to be a very successful method of social-engineering users into installing software onto their computers and tricking them into paying for it..."

    (Screenshots available at the URL above.)


  4. #54
    AplusWebMaster (Adviser Team)

    SEO Poisoning - MS Security Essentials

    FYI...

    SEO Poisoning - MS Security Essentials ...
    - http://securitylabs.websense.com/con...erts/3485.aspx
    09.30.2009 - "Websense... has discovered that search engine results for information on how to download Microsoft's recently released Security Essentials tool are returning links to Web sites that serve rogue AV. Malware authors have used Search Engine Optimization (SEO) techniques to mix rogue search results in with legitimate results. For example, one of the rogue links is directly under a MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on compromised Web sites, including a Canadian publisher's Web site and the British Travel Health Association. When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31. An example of one of the payload files shows that AV detection is low. One such file is named Soft_71.exe (SHA1: 4e58a12a9f722be0712517a0475fda60a8e94fdc). If the user downloads the application, a file with extension .tif is downloaded in the "program files\TS" directory as TSC.exe and system.dat (the .tif file is decrypted/decompressed and split). The payload then executes "tsc.exe -dltest", which apparently connects to a NASA Web site to check internet connectivity. Finally, "tsc.exe" is executed with no parameters, and the rogue AV starts. (In the background the original file is deleted). Since yesterday the Websense ThreatSeeker Network has been monitoring SEO poisoning of search terms related to Microsoft Security Essentials. It appears that the malware authors set up a trial run of SEO poisoning techniques, before converting the redirects to deliver rogue applications today..."

    (Screenshots available at the Websense URL above.)


  5. #55
    AplusWebMaster (Adviser Team)

    SEO Poisoning - Google Wave

    FYI...

    SEO Poisoning - Google Wave
    - http://securitylabs.websense.com/con...erts/3486.aspx
    09.30.2009 - "Websense... has detected that Google searches on terms related to Google Wave return results that lead to a rogue antivirus. Google Wave is the much talked-about, latest API hitting the collaboration scene today. There's a lot of hype about the launch of Google Wave, not only because of the 'new' things it offers but also because Google invited only 100,000 lucky users to test the service. With that said, it's no surprise that users are enticed to this new application. Unfortunately, it's also no surprise that the bad guys are using this hype to manipulate search results...
    Malware sample 1:
    http://www.virustotal.com/analisis/4...5fe-1254334125
    File Soft_88s2.exe received on 2009.09.30 18:08:45 (UTC)
    Result: 6/41 (14.63%)
    Malware sample 2:
    http://www.virustotal.com/analisis/4...5fe-1254330166
    File Soft_207.exe received on 2009.09.30 17:02:46 (UTC)
    Result: 7/41 (17.07%)
    Malware sample 3:
    http://www.virustotal.com/analisis/a...76d-1254330677
    File setup_build7_201.exe received on 2009.09.30 17:11:17 (UTC)
    Result: 4/41 (9.76%)
    Malware sample 4:
    http://www.virustotal.com/analisis/8...b34-1254331243
    File setup.exe received on 2009.09.30 17:20:43 (UTC)
    Result: 9/41 (21.95%) ..."

    (Screenshots showing Google Wave-related Google search results and Rogue AV at the Websense URL above.)


  6. #56
    AplusWebMaster (Adviser Team)

    SEO poisoning - Samoa Earthquake News leads to Rogue AV

    FYI...

    SEO poisoning - Samoa Earthquake News leads to Rogue AV
    - http://www.f-secure.com/weblog/archives/00001779.html
    September 30, 2009 - "It seems SEO poisoning is the current "trend" for directing users to rogue antivirus software. These SEO poisoning attacks usually exploit major news topics, the latest of which is the September 29th earthquake off Samoa, which triggered a tsunami warning for numerous South Pacific islands, as well as Hawaii. Readers looking for news articles on the earthquake may come across this page in the Google search results... On clicking the link, the user is redirected to a series of sites via 302 redirects... The final landing page warns the user that their "system is infected"... The Windows Security Center warning looks authentic enough, but it is fake. Users are prompted to download rogue antivirus software. As usual, be careful when browsing..."

    (Screenshots available at the URL above.)


  7. #57
    AplusWebMaster (Adviser Team)

    Halloween rogue AV

    FYI...

    Halloween rogue AV
    - http://www.eset.com/threat-center/bl...-search-engine
    October 29, 2009 - "... the fake/rogue AV gang have started on their Halloween special, and this time... it's the same old SEO (Search Engine Optimization) poisoning ploy... I'm looking through a list of keywords currently being used by a particularly prolific Black Hat SEO campaign which has been updated to reflect the sort of stuff that people – and certainly American people - are likely to be searching for at this time of year. I'm looking through a list of thousands of words and phrases, so I'm not going to list them all here... However, if you use common search engines like Google to look for terms like those above and a great many others, you're likely to find a lot of links at the top of the results lists that lead you to fake security software. This claims to find imaginary malware on your system, with the ultimate intention of defrauding you of money and possibly of harvesting your credit card details, for example..."

    - http://blog.trendmicro.com/this-hall...online-tricks/
    Oct. 30, 2009

    Last edited by AplusWebMaster; 2009-10-30 at 12:25.

  8. #58
    AplusWebMaster (Adviser Team)

    More FAKE AV - SEO poisoning

    FYI...

    More FAKE AV - SEO poisoning
    - http://blog.trendmicro.com/meteor-sh...ead-to-fakeav/
    Nov. 18, 2009 - "TrendLabs threat analysts found another FAKEAV campaign piggybacking on the Leonid meteor shower and the much-anticipated sequel to the Twilight saga, New Moon. Users searching for news and updates using the keywords “meteor shower tonight november 16 time” and “New Moon premiere live stream” end up with poisoned search results. These results redirect users to fake online scanners, which ultimately lead to the download of a FAKEAV variant detected by Trend Micro as TROJ_FAKEAV.MET... FAKEAV is notorious for capitalizing on hot news and popular searches via SEO poisoning. Hence, users are advised to be wary of suspicious-looking URLs when conducting online searches..."

    (Screenshots available at the URL above.)


  9. #59
    AplusWebMaster (Adviser Team)

    Redirects to scareware - Thousands of web sites compromised

    FYI...

    Redirects to scareware - Thousands of web sites compromised
    - http://blogs.zdnet.com/security/?p=4947
    November 17, 2009 - "Security researchers have detected a massive blackhat SEO (search engine optimization) campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software (Inst_58s6.exe)*, commonly referred to as scareware. More details on the campaign: The compromised sites are using legitimately looking templates using automatically generated bogus content, with a tiny css.js** (Trojan-Downloader.JS.FraudLoad) uploaded on each of them which triggers the scareware campaign only if the visitor is coming from a search engine listed as known http referrer by the gang - in this case Google, Yahoo, Live, Altavista, and Baidu... the massive blackhat SEO campaign has been launched by the same people who operate/or manage the campaigns for the Koobface botnet..."
    * http://www.virustotal.com/analisis/8...87e-1258481993
    File nnovv_Inst_312s2.exe received on 2009.11.17 18:19:53 (UTC)
    Result: 1/41 (2.44%)
    ** http://www.virustotal.com/analisis/7...3be-1258479383
    File css.js received on 2009.11.17 17:36:23 (UTC)
    Result: 7/41 (17.07%)

    - http://blog.trendmicro.com/fake-blogs-lead-to-fakeav/
    Nov. 19, 2009

    - http://blogs.zdnet.com/security/?p=4297&page=2
    "... the claims that “You’re Infected!; Windows has been infected; Warning: Malware Infections founds; Malware threat detected” should be considered as a fear mongering tactic..."

    Last edited by AplusWebMaster; 2009-11-19 at 14:05.
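The referrer-gated redirect described in the posts above (a compromised page that sends only search-referred visitors through a chain of redirects to a fake scanner and an .exe download), written as a detection pass over proxy logs. This is an added example, not part of the original posts or of any vendor's tooling; the log layout, the `.example` hosts and the function names are constructed for illustration.

```python
from urllib.parse import urlparse

# Host labels of the engines the ZDNet report lists as the campaign's trigger referrers.
SEARCH_LABELS = {"google", "yahoo", "live", "altavista", "baidu"}

# Constructed proxy log, not real traffic: (client, url, referer, status, Location header).
SAMPLE_LOG = [
    ("10.0.0.5", "http://publisher.example/news.html", "http://www.google.com/search?q=security+essentials", 302, "http://hop1.example/in.php"),
    ("10.0.0.5", "http://hop1.example/in.php", "", 302, "http://scanner.example/scan/"),
    ("10.0.0.5", "http://scanner.example/scan/", "", 200, ""),
    ("10.0.0.5", "http://scanner.example/dl/setup.exe", "http://scanner.example/scan/", 200, ""),
    ("10.0.0.7", "http://publisher.example/news.html", "", 200, ""),
    ("10.0.0.9", "http://shop.example/sale", "http://www.google.com/search?q=sale", 301, "http://shop.example/sale/"),
    ("10.0.0.9", "http://shop.example/sale/", "", 200, ""),
]

def host(url):
    return (urlparse(url).hostname or "").lower()

def from_search(referer):
    # Heuristic: any label of the referer host matches a known engine name.
    return bool(SEARCH_LABELS & set(host(referer).split(".")))

def find_suspect_chains(log):
    """Flag search-referred visits redirected off-site that end in an .exe fetch."""
    findings = []
    for i, (client, url, referer, status, location) in enumerate(log):
        if not (from_search(referer) and 300 <= status < 400):
            continue
        chain, nxt = [url], location
        # Follow this client's later requests hop by hop via each Location header.
        for c, u, _, s, loc in log[i + 1:]:
            if c == client and u == nxt:
                chain.append(u)
                if not 300 <= s < 400:
                    break
                nxt = loc
        landing = host(chain[-1])
        # Executables requested from the landing page (Referer points back at it).
        exes = [u for c, u, r, _, _ in log[i + 1:] if c == client
                and host(r) == landing and urlparse(u).path.lower().endswith(".exe")]
        if landing != host(url) and exes:
            findings.append({"client": client, "entry": url, "chain": chain, "download": exes[0]})
    return findings

if __name__ == "__main__":
    for f in find_suspect_chains(SAMPLE_LOG):
        print(f["client"], " -> ".join(f["chain"]), "=>", f["download"])
```

The direct visit from 10.0.0.7 to the same compromised page gets a plain 200 and is not flagged, which is the behaviour that makes these pages look clean to a site owner who types the URL in by hand.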

  10. #60
    AplusWebMaster (Adviser Team)

    Brittany Murphy's death - SEO Poisoning

    FYI...

    Brittany Murphy's death - SEO Poisoning
    - http://securitylabs.websense.com/con...erts/3514.aspx
    12.21.2009 - "Websense... has discovered that Google top searches on "Brittany Murphy death" will return rogue AV Web sites. The Hollywood actress died suddenly during the weekend. Users will be redirected to malicious domains if they click the matches with a referrer from search engines like Google. The malicious domains try everything to convince people that they are real AV software Web sites, so that users download and execute the fake software offered. There are now a lot of variants available, typically named install.exe*, and at the moment it seems they haven't attracted much attention from AV companies..."
    * http://www.virustotal.com/analisis/3...aee-1261366024
    File install.exe received on 2009.12.21 03:27:04 (UTC)
    Result: 10/41 (24.39%)

    (Screenshots available at the Websense URL above.)

    - http://www.f-secure.com/weblog/archives/00001842.html
    December 21, 2009

    Last edited by AplusWebMaster; 2009-12-21 at 14:53.
