Using search engines and watching videos are two of the top Internet activities that users do on a daily basis. In the threat landscape, this usually translates to threats such as blackhat SEO attacks, malicious pages crafted to look like YouTube pages, and, as we recently found out, attacks that use both blackhat SEO and malicious YouTube-like pages.
In the recent attack that we saw, query results for strings such as videos of reality TV celebrity Teresa Guidice, British actress Holly Davidson, and the BP oil spill were found to initially lead to YouTube-like pages before displaying the all-too-familiar fake malware infection warnings.
The search results are most likely compromised sites, all injected with the trending search keywords so that they rank for those queries and lure users into visiting them.
We have also seen blackhat SEO combined with another well-known malware ploy. Search results for the string “Mel Gibson tapes” were found redirecting not to pages with fake malware infection warnings, but to a prompt to download an Adobe Flash Player installer:
The page may trick users into thinking that the link they clicked leads to a video and that they need to install Adobe Flash Player to view it. According to Threat Response Engineer Marco Dela Vega, who also analyzed this threat, the cybercriminals behind this attack have a keen eye for detail: not only did they use a convincing interface for the fake Adobe installer, they also used a URL that strongly suggests it is an Adobe-related site.
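The two tell-tale signs described above, hidden keyword injection on the compromised sites and a redirect chain that ends in an executable on a host that merely contains a brand name, can both be checked mechanically. The following is an added example written for this post, not Trend Micro code or any tooling from the investigation; the sample pages, the redirect chain and the `.example` hostnames are constructed for illustration, and the brand list and the repetition threshold are assumptions a practitioner would tune.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample pages (not captures from the attack described above).
# The first mimics a compromised site with a hidden block of injected search
# terms; the second is a clean page with the same visible content.
INJECTED_PAGE = """<html><body>
<h1>Garden Club Newsletter</h1>
<p>Our next meeting is on Tuesday.</p>
<div style="display:none">mel gibson tapes mel gibson tapes holly davidson
bp oil spill video teresa giudice video mel gibson tapes bp oil spill</div>
</body></html>"""

CLEAN_PAGE = """<html><body>
<h1>Garden Club Newsletter</h1>
<p>Our next meeting is on Tuesday. Bring seeds to swap.</p>
</body></html>"""

# Elements hidden with inline CSS are the usual home of injected keywords.
HIDDEN_BLOCK = re.compile(
    r'<[^>]+style="[^"]*display\s*:\s*none[^"]*"[^>]*>(.*?)</[^>]+>',
    re.S | re.I,
)


def hidden_text(html):
    """Concatenate the text of all display:none elements in the page."""
    return " ".join(m.group(1) for m in HIDDEN_BLOCK.finditer(html))


def stuffed_phrases(html, min_repeat=3):
    """Two-word phrases repeated at least min_repeat times inside hidden
    elements. Legitimate pages rarely repeat a phrase in hidden text at all,
    so any hit is a strong keyword-stuffing signal (threshold is an assumption)."""
    words = re.findall(r"[a-z0-9]+", hidden_text(html).lower())
    bigrams = Counter(zip(words, words[1:]))
    return sorted(" ".join(b) for b, n in bigrams.items() if n >= min_repeat)


# Brand names the lure pages impersonate, with the legitimate domains
# (assumed list). A host that contains the brand name but is not the brand's
# own domain is the "looks like an Adobe site" trick from the post.
BRANDS = {"adobe": "adobe.com", "youtube": "youtube.com"}


def brand_lookalike(url):
    """Return the impersonated brand if the host only looks like it, else None."""
    host = (urlparse(url).hostname or "").lower()
    for brand, legit in BRANDS.items():
        if brand in host and host != legit and not host.endswith("." + legit):
            return brand
    return None


def assess_chain(chain):
    """Score a redirect chain (URLs in the order the browser followed them).
    The pattern from the post is: search result -> fake video page ->
    executable "player" or "Flash installer" on a lookalike host."""
    final = chain[-1]
    path = urlparse(final).path.lower()
    verdict = {
        "hops": len(chain),
        "executable": path.endswith((".exe", ".msi", ".scr")),
        "lookalike": brand_lookalike(final),
    }
    verdict["suspicious"] = verdict["executable"] and (
        verdict["lookalike"] is not None or verdict["hops"] > 2
    )
    return verdict


# Constructed redirect chain in the shape described in the post; the
# hostnames are placeholders under the reserved .example TLD.
SAMPLE_CHAIN = [
    "http://compromised-gardenclub.example/blog/?p=mel+gibson+tapes",
    "http://watch-celebrity-video.example/player.php?id=42",
    "http://adobe-flash-update.example/install_flash_player.exe",
]

if __name__ == "__main__":
    print("stuffed phrases:", stuffed_phrases(INJECTED_PAGE))
    print("clean page:", stuffed_phrases(CLEAN_PAGE))
    print("chain verdict:", assess_chain(SAMPLE_CHAIN))
```

The keyword check only looks at `display:none` blocks; real injections also use off-screen positioning or tiny fonts, so the regex is a starting point rather than a complete detector. The chain check deliberately keys on the final hop being an executable, since that is what separates the Flash-installer variant from the FAKEAV warning pages.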
This is a very notable change, since blackhat SEO attacks have until now been associated specifically with FAKEAV variants.
These are just a few of the changes we’ve seen. Blackhat SEO attacks no longer just ride on the popularity of big news, as they did before. SEO poisoning attacks are being deployed every day, tainting search results and delivering malware.
For the above-mentioned attacks, the related malware is detected as TROJ_FAKEAV.MVA (the fake infection warning) and WORM_UTOTI.Y (the fake Flash Player installer), respectively.
Our researchers and engineers have been continuously investigating these attacks and released several reports on their findings:
With blackhat SEO attacks continuing to run rampant, users are advised to be extremely cautious when conducting searches.
Trend Micro™ Smart Protection Network™ provides multilayered protection for users against blackhat SEO attacks, as malicious links and files are blocked and detected by the Web and file reputation services, respectively.
Update as of July 15, 2010, 10:09 a.m. (UTC)
WORM_UTOTI.Y has been renamed to TROJ_MONDER.RON.
Update as of July 16, 2010, 11:01 a.m. by Ryan Flores, Advanced Threats Researcher
From what it looks like, the fake YouTube page redirecting to a FAKEAV page is just a transition period for cybercriminals, from pushing FAKEAV to pushing Trojan downloaders.
This time, however, though the cybercriminals used a ploy similar to the one described by Norman above, users were not redirected several times but instead asked to download a codec to watch a supposed video:
The series of redirections ends in a fake online video sharing website (not necessarily a YouTube lookalike), which then attempts to trick the user into downloading and executing a video player (detected by Trend Micro as TROJ_MONDER.AEM).