    Blackhat search engine optimization (SEO) campaigns use malicious techniques to promote websites so these come up as the top search results for certain keywords. Blackhat SEO campaigns use compromised FTP credentials to upload keyword-laden Web pages to legitimate sites, boost their placement in search engines, and redirect traffic to the malicious pages, usually FAKEAV landing pages.

    This post analyzes an ongoing blackhat SEO campaign run by a well-known blackhat SEO operator that has been abusing Google’s Image Search to redirect Mac OS users to FAKEAV specifically designed for Macs, and Windows OS users to either FAKEAV landing pages or sites that host the Black Hole Exploit pack.

    In just one month, this campaign was able to redirect nearly 300 million hits from 113 million visitors to the malicious landing pages. In addition to generating pages full of bad links and keywords to boost search engine results ranking, the operator also embedded images taken from legitimate sites so its pages can get a high Google Image Search index.

    TDS Campaign Leads to FAKEAV and the Black Hole Exploit Pack

    To date, we were able to identify 4,586 compromised servers that have connected to the blackhat SEO command server to retrieve updated redirection scripts. These compromised servers receive two types of malicious URLs used to redirect visitors. The first type of landing page is the traditional FAKEAV scanning page. This particular campaign uses 116 domain names. The second type of landing page is a Traffic Direction System (TDS) page, which uses 176 domain names.

    TDS pages are used as landing pages to direct traffic to malicious content based on a variety of criteria such as OS, browser version, and geographic location. This particular campaign uses the well-known SUTRA TDS to redirect users to FAKEAV landing pages or to pages that host the Black Hole Exploit pack.

    Data shows that this TDS redirected 68,386,286 hits from 26,715,046 visitors in just the first 10 days of May 2011. In the past 30 days, it redirected 220,175,652 hits from 82,568,468 visitors. In total, the TDS recorded 296,413,984 hits from 113,454,246 visitors.

    Largest Unique Traffic Came from the United States (Windows OS)

    The SUTRA TDS also keeps track of the geographical location of each visitor based on his/her IP address. The geographical data presented below is based on 194,633,322 hits from 73,540,527 visitors. The United States accounts for 24.4 percent of the total traffic (27.5 percent of the unique traffic), followed by India and Mexico.

    Here are the top 10 countries with the largest unique traffic (hits and unique visitors):

    Country        | Hits       | Unique visitors
    United States  | 47,658,451 | 20,265,695
    India          | 15,278,539 |  5,248,183
    Mexico         | 11,879,386 |  4,044,705
    Germany        | 10,369,960 |  3,605,304
    United Kingdom |  9,875,501 |  4,347,752
    Poland         |  7,183,688 |  2,353,014
    Brazil         |  6,964,642 |  2,837,302
    Indonesia      |  6,800,576 |  1,843,221
    Canada         |  6,782,392 |  2,969,651
    Australia      |  6,347,107 |  2,588,137

    The SUTRA TDS also records each visitor’s user-agent string (Web browser version), which also reveals the OS in use. Of the 188,128,986 raw hits, Windows OS accounted for 92.5 percent (174,180,938 hits) while Mac OS accounted for 7.3 percent (13,892,964 hits). Interestingly, 55,084 hits came from PlayStation consoles and 12,376 came from iPads.
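The hits-versus-unique-visitors and user-agent breakdowns above come from the TDS operator's own statistics, but a site owner can compute the same kind of figures from a Web server's access log and, more usefully, spot the symptom of a compromised host: requests whose referer is Google Image Search being answered with a redirect. The following Python script is an added example, not code from the original post or from Trend Micro; the log lines are constructed (documentation IP ranges), and the OS classification is a simple substring heuristic on the user-agent string.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). Not real data.
SAMPLE_LOG = """\
203.0.113.10 - - [05/May/2011:10:01:02 +0000] "GET /images/cat.jpg HTTP/1.1" 302 0 "http://images.google.com/imgres?q=cat" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24"
203.0.113.10 - - [05/May/2011:10:01:05 +0000] "GET /images/cat.jpg HTTP/1.1" 302 0 "http://images.google.com/imgres?q=cat" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24"
198.51.100.7 - - [05/May/2011:10:02:11 +0000] "GET /gallery/dog.html HTTP/1.1" 302 0 "http://images.google.co.uk/imgres?q=dog" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533.21.1"
198.51.100.8 - - [05/May/2011:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (PLAYSTATION 3; 3.55)"
198.51.100.9 - - [05/May/2011:10:04:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://www.example.net/" "Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X)"
203.0.113.11 - - [05/May/2011:10:05:00 +0000] "GET /images/cat.jpg HTTP/1.1" 200 30210 "http://images.google.com/imgres?q=cat" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.24"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referer hosts of Google Image Search (any country TLD).
GOOGLE_IMAGES_RE = re.compile(r"^https?://images\.google\.[a-z.]+/")


def classify_os(ua):
    """Coarse OS family from a user-agent string. Order matters: an iPad UA
    also contains 'like Mac OS X', so it is checked before the Mac rule."""
    if "iPad" in ua:
        return "iPad"
    if "playstation" in ua.lower():
        return "PlayStation"
    if "Windows" in ua:
        return "Windows"
    if "Mac OS X" in ua or "Macintosh" in ua:
        return "Mac OS"
    return "Other"


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def traffic_by_os(entries):
    """Return {os_family: (hits, unique_visitors)}; a visitor is a distinct IP,
    which is how the hits/visitors split in the post is commonly derived."""
    hits = defaultdict(int)
    visitors = defaultdict(set)
    for e in entries:
        family = classify_os(e["ua"])
        hits[family] += 1
        visitors[family].add(e["ip"])
    return {k: (hits[k], len(visitors[k])) for k in hits}


def suspicious_redirects(entries):
    """Requests that arrived from Google Image Search and were answered with a
    3xx redirect. On a site that never redirects image-search visitors, any
    hit here points at an injected redirection script."""
    return [
        e for e in entries
        if e["status"].startswith("3") and GOOGLE_IMAGES_RE.match(e["referer"])
    ]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for family, (h, v) in sorted(traffic_by_os(entries).items()):
        print(f"{family:12s} hits={h} visitors={v}")
    for e in suspicious_redirects(entries):
        print("redirect served to Google Images visitor:", e["ip"], e["request"])
```

The redirect check is a coarse triage signal, not proof of compromise: a legitimate site may redirect for its own reasons, so the hits it flags are the ones to examine by hand together with the served page source.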

    Although several malicious operators already monetize Mac traffic by redirecting users to ads, we now see FAKEAV variants specifically targeting Macs apart from the usual Windows-based systems.

    In the said FAKEAV campaign, the landing page was specially crafted to imitate the look and feel of the Mac OS. Its content prompted users to install the rogue antivirus software detected by Trend Micro as OSX_FAKEAV.A. Once installed, it supposedly scans the affected users’ systems and warns them of bogus infections. Then it convinces them to buy the fake software’s full version to clean their systems.

    This campaign again demonstrates how effective blackhat SEO techniques are in driving traffic to malicious websites. In just over a month, blackhat SEO operators have redirected nearly 300 million hits to malicious Web pages such as FAKEAV landing pages, one of which was specifically designed for Mac OS users, and pages hosting the Black Hole Exploit pack. Despite low conversion rates in terms of exploitation and FAKEAV downloads or purchases, this operation is still likely generating a considerable amount of money for its operators.


    • MS

      I've been hit by a really bad virus that I got through Google Images. However, this one is extremely aggressive. The external change is that it created a new locked System Volume Information folder which constantly generates $RECYCLE.BIN and desktop.ini files everywhere. Eventually it affects MS updates and infects these files. When it gets really bad it starts to hide system folders and the recycle bin and eventually leads to Windows being unable to recognize the Windows copy as legitimate, and a system crash. It infects system files and creates its own mirror of some of the system files, which remain active even on safe boot. I've had an impossible time removing it. None of the virus software can even detect it (Norton, McAfee, Kaspersky, Combofix, TrendLabs). Since MS stopped providing original disks on laptop purchases this virus is impossible to remove as it remains dormant even after a system reinstall. It has to be done through a complete external system reinstall with CDs – not through the internal reboot available on new computers today. I don't know how to get rid of it on external drives and partitions.

    • Pingback: More Malware for Mac | Simply Security

    • Pingback: Trend Micro Asia Pacific News Library - More Malware for Mac

    • Emma

      A lot more people use Google Images for searches than you might think. I often wondered why so many image searches came up for things that you might assume people would text search for. Then someone told me that they were dyslexic and found images easier than text when they were looking for things.

      Maybe images are an easier area for blackhat SEO to work in than text SERPs.

    • Pingback: Blackhat SEO Attack Uses Google’s Image Search to Reach 300 Million Hits | Simply Security

    • Zizounnette

      Some WP plugins exist that allow webmasters to run md5sum on their PHP sources (especially plugins).
      Those plugins parse the code searching for "eval" or any strange code :)

      Maybe some ppl should set this up :)
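Zizounnette's suggestion, an integrity baseline of the PHP sources plus a scan for eval and similar constructs, is the kind of check that catches the redirection scripts this campaign pushes to compromised servers. The following Python script is an added example, not code from the original post or from any WordPress plugin. The directory tree, file contents and the tampering step are all constructed inside a temporary directory; the eval(base64_decode(...)) string appended to the plugin decodes to the word CONSTRUCTED and is not a working payload.

```python
import hashlib
import os
import re
import tempfile

# Constructs that appear in injected PHP far more often than in honest plugin
# code. A hit is a lead to review, not a verdict on its own.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
}


def sha256_file(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exts=(".php",)):
    """Map relative path -> sha256 for every source file under root.
    Run this right after a clean install or update and store the result
    somewhere the web server account cannot write to."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def diff_baseline(root, baseline, exts=(".php",)):
    """Compare the tree against a stored baseline: new, missing and changed files."""
    current = build_baseline(root, exts)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def scan_file(path):
    """Names of the suspicious constructs present in one file, in SUSPICIOUS order."""
    with open(path, "r", errors="replace") as f:
        text = f.read()
    return [name for name, rx in SUSPICIOUS.items() if rx.search(text)]


def demo():
    """Constructed scenario: baseline a tiny plugin tree, simulate tampering,
    then report what changed and which changed files look obfuscated."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = os.path.join(root, "wp-content", "plugins", "demo")
        os.makedirs(plugin_dir)
        plugin = os.path.join(plugin_dir, "demo.php")
        with open(plugin, "w") as f:
            f.write("<?php\nfunction demo_hello() { return 'hello'; }\n")
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'site'; ?>\n")
        baseline = build_baseline(root)

        # Simulated tampering (constructed, non-functional): the usual
        # eval(base64_decode(...)) wrapper, plus a stray file dropped in the tree.
        with open(plugin, "a") as f:
            f.write('eval(base64_decode("Q09OU1RSVUNURUQ="));\n')
        with open(os.path.join(root, "wp-content", "uploads.php"), "w") as f:
            f.write("<?php // constructed stray file\n")

        diff = diff_baseline(root, baseline)
        findings = {
            p: scan_file(os.path.join(root, p))
            for p in diff["modified"] + diff["added"]
        }
        return diff, findings


if __name__ == "__main__":
    diff, findings = demo()
    print("changed:", diff)
    for path, hits in findings.items():
        print(f"{path}: {', '.join(hits) if hits else 'no suspicious constructs'}")
```

The pattern scan is deliberately applied only to files the baseline diff flags; scanning everything produces noise from legitimate plugins that use base64 for themselves, while a file that both changed without a deployment and gained an eval wrapper is worth an immediate look.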

    • Pingback: Millions duped in poisoned Google Image attack | Search Engine Optimisation & Web Design Leeds | CubicWeb


    © Copyright 2013 Trend Micro Inc. All rights reserved.