    Archive for January 27th, 2010




    As rescue efforts continue in Haiti, the world waits with bated breath for more good news about survivors. Unfortunately, while most people are thinking of ways to help victims, cybercriminals are using the tragedy to further their own malicious causes. Blackhat search engine optimization (SEO) poisoning attacks related to this tragedy have already led to FAKEAV infections.

    However, the most recent FAKEAV run appears to be only the start of more Haiti-related malware attacks. We recently received Portuguese-language spam samples purporting to come from the BBC's international news site. Translated into English, the spammed message describes the current situation in Haiti and urges recipients to click a link to an embedded video, which supposedly contains photos taken by an amateur photographer who witnessed the earthquake.


    Clicking the link, however, redirects users to a site that asks them to save an .EXE file, detected by Trend Micro as TROJ_BANLOAD.JAE. This Trojan connects to websites to download another malicious file, detected as TSPY_BANKER.LMG.


    This is a good reminder that spammers will do anything to make their messages look legitimate, so it pays to check whether the parts of a message are consistent with one another. In this case, if the link really led to a video of photos of the aftermath, there would be no need to download or execute an .EXE file: a news clip plays in the browser, it is not an installer. Users are advised to exercise caution when opening messages, particularly those from unknown senders.

    Trend Micro™ Smart Protection Network™ already protects users from this attack by detecting and blocking the spammed messages, preventing user access to malicious sites, and blocking the download of the malicious files.
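The consistency check described above can be partly automated at the mail gateway. The following script is an added example, not Trend Micro's code and not part of the original post: it parses an HTML mail body and flags links whose visible text promises a video or photos but whose target is an executable, and links whose displayed URL names a different host than the real href. The sample message and the example.net and example.org hosts in it are constructed for illustration; they are not the actual spam's URLs.

```python
"""Flag link-level inconsistencies in an HTML e-mail (added example).

The sample message below is constructed for this example; the example.net
and example.org hosts are placeholders, not the real campaign's URLs.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions a "video" or "photo" link should never deliver directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
# Words in link text that promise media content (English and Portuguese).
MEDIA_WORDS = ("video", "vídeo", "photo", "foto", "image", "imagem", "footage")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished (href, text) tuples
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def path_extension(url):
    """Extension of the last path segment of url, lower-cased ('' if none)."""
    last = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return last[last.rfind("."):] if "." in last else ""


def audit_links(html_body):
    """Return a list of (href, reason) findings for suspicious links."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        ext = path_extension(href)
        lowered = text.lower()
        real_host = (urlparse(href).hostname or "").lower()

        # 1. The link promises media but points straight at an executable.
        if ext in EXECUTABLE_EXTS:
            if any(word in lowered for word in MEDIA_WORDS):
                findings.append((href, "media link delivers executable " + ext))
            else:
                findings.append((href, "link to executable " + ext))

        # 2. The visible text is itself a URL, but its host is not the real target.
        if lowered.startswith(("http://", "https://", "www.")):
            shown = lowered if "://" in lowered else "http://" + lowered
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host and shown_host != real_host:
                findings.append((href, "displayed host %s != real host %s"
                                 % (shown_host, real_host)))
    return findings


# Constructed sample modelled on the lure described above (not the real spam).
SAMPLE_MAIL = """
<html><body>
<p>BBC News: Haiti earthquake, the latest on the rescue effort.</p>
<p>Watch: <a href="http://cdn.example.net/haiti/video.exe">amateur photos of the
earthquake (video)</a></p>
<p>Full story: <a href="http://static.example.org/go?id=7">http://news.bbc.co.uk/haiti</a></p>
<p><a href="http://news.bbc.co.uk/">BBC homepage</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_MAIL):
        print(f"{reason}: {href}")
```

Run against the constructed sample, the script reports the "video" link that delivers an .EXE and the link whose visible text says news.bbc.co.uk while the href goes to another host; the genuine BBC homepage link produces no finding. The extension check only sees the first hop, so a redirector that hides the .EXE behind a clean-looking URL (as in the run described above) is caught only by the displayed-host rule or by inspecting the final download, not by this check alone.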




    Even before the first customer can buy Apple's latest, still-upcoming product, the iPad, cybercriminals are already profiting from its popularity.

    Trend Micro threat engineers today found some malicious search results while looking for information related to the announcement of the Apple tablet.

    These poisoned search results turned out to be part of the never-ending blackhat search engine optimization (SEO) FAKEAV campaigns. When clicked, they lead to the download of a rogue antivirus program, which Trend Micro detects as TROJ_FAKEAV.EAM.

    Since Apple announced when the iPad will be available to consumers, it has been one of the hottest topics on the Web, and cybercriminals are not about to let that pass. Given the anticipation for the new product, many users are likely to be victimized by this latest FAKEAV attack. Users are advised to be wary of links in search results and to go to reputable news sites instead for the latest information about the iPad.

    Trend Micro is continuously working to protect users from this threat and to provide more information about this latest FAKEAV SEO attack.

    Update as of January 27, 2010, 11:50 p.m. (GMT +8:00):

    When executed, TROJ_FAKEAV.EAM displays a professional-looking graphical user interface (GUI) that supposedly installs the software, then shows fake infection alerts. Should the user choose to clean the supposed infections, the Trojan displays the following purchase page, which can lead to a phishing page if the user opts to buy the FAKEAV.
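Poisoned search results of this kind usually depend on cloaking: the landing page serves keyword-stuffed text to search-engine crawlers (so it ranks) and to visitors who type the URL directly, but redirects anyone whose Referer shows they came from a search engine to the rogue-AV download. The script below is an added example, not Trend Micro's code and not from the original post; it probes a URL three ways and reports whether the search-referred view diverges. The fetcher is injected, so the demo runs offline against a simulated page that is constructed for this example and stands in for a poisoned site; the example.com and example.net hosts are placeholders.

```python
"""Probe a URL for search-engine cloaking (added example).

Poisoned pages in these campaigns serve keyword-stuffed text to crawlers and
to direct visitors, but bounce anyone arriving from a search engine to the
rogue-AV download. The fetcher is injected so the probe can run offline; the
simulated page below is constructed for this example and is not a real site.
"""
import urllib.error
import urllib.request
from urllib.parse import urlparse

CRAWLER_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.5"
SEARCH_REFERER = "http://www.google.com/search?q=apple+tablet"
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


def probe_cloaking(url, fetch):
    """Fetch url three ways and compare what each visitor type gets.

    fetch(url, headers) must return (status, headers_dict, body) and must NOT
    follow redirects, because the redirect itself is the evidence.
    """
    views = {
        "crawler": fetch(url, {"User-Agent": CRAWLER_UA}),
        "from_search": fetch(url, {"User-Agent": BROWSER_UA, "Referer": SEARCH_REFERER}),
        "direct": fetch(url, {"User-Agent": BROWSER_UA}),
    }
    result = {"cloaked": False, "executable_payload": False, "redirects": {}}
    for name, (status, headers, _body) in views.items():
        location = headers.get("Location") or headers.get("location")
        if 300 <= status < 400 and location:
            result["redirects"][name] = location
            if urlparse(location).path.lower().endswith(EXECUTABLE_EXTS):
                result["executable_payload"] = True
    # Cloaking: the crawler sees a page, the search visitor is sent somewhere else.
    if "from_search" in result["redirects"] and "crawler" not in result["redirects"]:
        result["cloaked"] = True
    return result


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on a 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers, timeout=10):
    """Live fetcher for real use (assumes network access; the demo does not call it)."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(request, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), ""


def simulated_poisoned_page(url, headers):
    """Constructed stand-in for a poisoned landing page (behaviour only, no real host)."""
    keyword_page = (200, {"Content-Type": "text/html"},
                    "<h1>apple tablet ipad release date price</h1> ...")
    if "Googlebot" in headers.get("User-Agent", ""):
        return keyword_page                      # feed the crawler what ranks
    referer = headers.get("Referer", "")
    if any(s in referer for s in ("google.", "bing.", "yahoo.")):
        # a search-engine visitor: bounce to the scareware installer
        return 302, {"Location": "http://scan.example.net/install/setup.exe"}, ""
    return keyword_page                          # direct visitors see nothing odd


if __name__ == "__main__":
    print(probe_cloaking("http://poisoned.example.com/ipad-news", simulated_poisoned_page))
```

The point of fetching three views rather than one is that a single browser request from a clean lab machine, with no Referer, often shows nothing: the redirect only fires for the search-referred visitor. Real campaigns also vary on User-Agent, IP geolocation and repeat visits, so treat a negative probe as inconclusive.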




    News of celebrity deaths (real or hoax) has a habit of spreading across the Internet like wildfire, with each retelling sensationalizing bits of information to entice readers. So it is easy to see why pranksters and cybercriminals exploit the fact that people love gossip.

    So when rumors of Johnny Depp's supposed death in a car crash broke, it did not take long for cybercriminals to take advantage of the supposed reports to spread malware via their usual blackhat search engine optimization (SEO) tactics.


    While most hoaxes arrive as spammed messages, this particular scam involved several malicious sites to which rigged search results pointed; these led curious readers to system infections rather than to more information on Depp's alleged death.


    Taken at face value, the blog pages above could pass for a reputable source. Once users click the embedded links, however, they are redirected to a video entertainment site that claims to host footage of Depp's accident.


    Upon playing the supposed video, users are prompted to download a codec in order to watch it. The "codec" is actually a malicious file, detected by Trend Micro as TROJ_DLOADER.GRM.

    When executed, TROJ_DLOADER.GRM connects to a remote site to download a malicious file. It then displays a professional-looking graphical user interface (GUI) promoting a bogus program called DriveCleaner 2006 and opens a window showing the installation progress of that program, which is itself an executable file.
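The fake-codec lure works because the victim never looks at what was actually downloaded. The script below is an added example, not Trend Micro's code and not from the original post: it sniffs a downloaded file's magic bytes, recognises a Windows PE image by its MZ stub and PE signature, and reports when the bytes contradict how the file was presented (a media Content-Type, a media extension, or the classic video.avi.exe double extension). The sample byte strings are constructed header skeletons, not real malware, and the file names are made up.

```python
"""Check whether a downloaded "codec" or "video" is really a Windows executable
(added example; the sample byte strings are constructed, not real malware).
"""
import struct

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "msi"}
MEDIA_EXTS = {"flv", "avi", "wmv", "mp4", "mov", "mpg", "mpeg", "jpg", "png"}


def is_pe(data):
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(data):
    """Coarse content sniffing by magic bytes."""
    if is_pe(data):
        return "pe"
    if data[:3] == b"FLV":
        return "flv"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def audit_download(filename, content_type, data):
    """Return the reasons the download does not match what the page presented it as."""
    reasons = []
    kind = classify(data)
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    ctype = content_type.lower()

    if kind == "pe" and ctype.startswith(("video/", "audio/", "image/")):
        reasons.append("PE bytes served with media Content-Type " + content_type)
    if kind == "pe" and ext in MEDIA_EXTS:
        reasons.append("PE bytes behind media extension ." + ext)
    if len(parts) > 2 and parts[-2] in MEDIA_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append("double extension ." + parts[-2] + "." + ext)
    return reasons


def build_fake_pe():
    """Constructed 'MZ' + 'PE' header skeleton: enough to classify, not a program."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> right after the stub
    # COFF header: Machine=i386, 1 section, no timestamp/symbols/optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, 0)
    return bytes(stub) + coff


if __name__ == "__main__":
    sample = build_fake_pe()
    print(audit_download("depp_crash_codec.avi.exe", "video/x-flv", sample))
    print(audit_download("codec_installer.exe", "application/octet-stream", sample))
```

Note the second call in the usage block returns no finding: a file honestly named .exe and served as an executable is not lying about what it is, and in that case the only signal is the context, a video page demanding that you run an installer. That is exactly the consistency check the Haiti post above asks users to apply by hand, and this script covers the file-level half of it.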


    If there is one thing all users should take away, it is never to underestimate the speed at which an Internet hoax spreads. Seasoned Web surfer or first-timer, it does not matter: keep your guard up. Cybercriminals want profit, so the more successful an attack, the more money they make.

    Trend Micro™ Smart Protection Network™ protects users from this threat by blocking access to malicious sites and detecting and preventing the download of harmful codecs and malicious files.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice