    Archive for June 15th, 2009




    A recent set of spam emails was seen abusing yet another Google search feature.

    The URL in the spam email uses Google's q=site: search operator, so a user who clicks the link is taken to a Google results page whose only result is the spam site.

    What works to the spammers' advantage is that Google displays the first few lines of the web page, and that snippet may be enough to entice some users to continue and click the result, which leads to a site advertising penis enlargement.

    It should be noted that spammers heavily used Google's "I'm feeling lucky" feature in their spam campaigns late last year. It remains to be seen whether this new feature abuse will reach the same level of notoriety as "I'm feeling lucky."

    The spam emails are already blocked by the Smart Protection Network.




    The World Health Organization (WHO) raised the H1N1 global pandemic alert level to phase 6 on June 11. More than 70 countries have now reported cases of human infection. Many of the cases reportedly had links to travel or were localized outbreaks. The WHO designation of a phase 6 pandemic alert reflects the fact that there are now ongoing community-level outbreaks in multiple parts of the world. It should be noted, however, that the WHO's decision to raise the pandemic alert level to phase 6 reflects the spread of the virus and not the severity of the illness it causes.

    As with any other tragic and much-publicized event, cybercriminals again took advantage of the situation by launching a spate of attacks targeting unwary, unknowing users.

    Some of the most recent attacks include those we have already featured in the following blog posts:

    Probably the most nefarious of these attacks were found to be hosted on the is-the-boss.com domain. Through SEO poisoning, searches for reports related to the virus yield links that, when opened, trigger multiple redirections through various sites and ultimately lead to the download of rogue antivirus software.

    The following URLs were also found to start off similar infection chains:

    • hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1-pandemic.html
    • hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1-who.html
    • hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1.html
    • hxxp://news04.{BLOCKED}is-the-boss.com/a-h1n1-virus.html

    As of this writing, the is-the-boss(dot)com domain is still being used for blackhat SEO campaigns to deliver fake antivirus solutions such as:

    The malware TROJ_DLOADR.API and JS_DLOADR.APO attempt to connect to the following URLs, respectively, to download other possibly malicious files:

    • hxxp://thenewpic.{BLOCKED}com/item/2a2c{long string}c70a/e4f892d7456/titem.gif
    • hxxp://theimagesphoto{BLOCKED}.com/werber/744842b7155/217.gif
    • hxxp://super-antiviral-scan{BLOCKED}.com/?id=48275

    Fortunately, Trend Micro’s Smart Protection Network already stops this threat from affecting users, as the malicious URLs and files are already blocked and detected, respectively.
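    Both posts above describe a URL pattern that a mail or web filter can recognize on the defender's side: a link to a Google results page whose query is a site: operator (the spam post), and links under the is-the-boss.com domain used in the H1N1 campaign (this post). The following Python is an added example, not code from Trend Micro or from the original posts. The email text is constructed, the REDACTED subdomain stands in for the {BLOCKED} portions the post does not disclose, and the Google host pattern is a heuristic assumption rather than an exhaustive list of Google domains.

```python
"""Flag URLs that match the two lure patterns described in the posts (added example)."""
import re
from urllib.parse import urlparse, parse_qs

# Crude URL extractor for plain-text email bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Heuristic for Google search hosts (google.com, google.co.uk, ...). Assumption, not exhaustive.
GOOGLE_HOST_RE = re.compile(r"^(?:www\.)?google\.[a-z]{2,3}(?:\.[a-z]{2})?$")

# Registered domain named in the H1N1 post; its subdomains are redacted ({BLOCKED}) on the page.
SEO_POISONING_DOMAINS = {"is-the-boss.com"}


def is_google_site_search(url: str) -> bool:
    """True if url is a Google results page whose query begins with the site: operator."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not GOOGLE_HOST_RE.match(host) or p.path != "/search":
        return False
    # parse_qs percent-decodes, so q=site%3Aexample.org is handled as well.
    q = parse_qs(p.query).get("q", [""])[0]
    return q.strip().lower().startswith("site:")


def is_seo_poisoning_domain(url: str) -> bool:
    """True if the URL's host is one of the listed domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SEO_POISONING_DOMAINS)


def classify_urls(text: str) -> list[tuple[str, str]]:
    """Return (url, reason) pairs for every suspicious URL found in the text."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")  # drop trailing sentence punctuation
        if is_google_site_search(url):
            findings.append((url, "google-site-search-lure"))
        elif is_seo_poisoning_domain(url):
            findings.append((url, "seo-poisoning-domain"))
    return findings


# Constructed sample email; REDACTED replaces the {BLOCKED} part of the post's URL.
SAMPLE_EMAIL = """\
Subject: new pandemic report
Read the latest here: http://www.google.com/search?q=site:spam-site.example
Also see http://news04.REDACTED.is-the-boss.com/a-h1n1-virus.html today.
Our official site: https://www.example.com/h1n1
"""

if __name__ == "__main__":
    for url, reason in classify_urls(SAMPLE_EMAIL):
        print(f"{reason}: {url}")
```

    The site: check keys on the query operator rather than on a blocklist, so it also catches new spam sites routed through the same Google results trick; the domain check is the usual suffix match so every redacted subdomain of is-the-boss.com is covered without knowing the hidden part.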




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice