Cybercriminals employ different but complementary techniques to propagate FAKEAV. Ultimately, however, their goal is to entice users to click malicious links that lead to the download of different FAKEAV variants.
TrendLabs observed that cybercriminals typically employ blackhat search engine optimization (SEO) to create poisoned pages that serve as doorways for FAKEAV distribution. These doorway pages, whose main job is to redirect unsuspecting users, are cross-linked with other doorway pages and with well-known legitimate sites. The resulting link graph allows the malicious pages to rank among the top search results.
To further entice users to click, these doorway pages also carry content copied from various other websites. Cybercriminals also build them around trending topics, which are easy to find in Google Trends or through Twitter's search page. In search results, these doorway pages often use the following format:
Doorway pages are frequently hosted on individual websites or on compromised sites belonging to Web hosting providers. Clicking a malicious link redirects the user several times before a fake scanning page is reached. These redirections hide the actual URLs of the final landing pages and of the pages hosting the fake scanning results.
Beyond simple redirections, cybercriminals also use other techniques to control who reaches the malicious pages. These include a combination of the following stealth tactics:
- Geo-targeting or IP delivery, which uses the visitor's IP address to determine his/her geographic location and serves content specific to that location.
- Blog scraping, which refers to regularly scanning blogs with automated software to find and copy content, the source of the text placed on the doorway pages.
- Referer checking, which ensures that only visitors arriving via a search engine are put into the infection chain; security analysts or system administrators who open a doorway page directly see nothing malicious.
- User-agent filtering, which distinguishes between browsers (and therefore operating systems) so that an OS-specific payload can be served.
Once a visitor passes these checks, cybercriminals lead him/her to a page hosting a bogus message prompt. These messages urge users to check the fake scanning results, which are designed to scare them into purchasing the fake antivirus program.
Through these techniques, FAKEAV has become a recurring theme in the threat landscape, as evidenced by another FAKEAV variant detected as TROJ_FAKEAV.QIEA. Trend Micro engineer Roland de la Paz notes that this new variant employs the same blackhat search engine optimization (SEO) technique that leverages man's innate curiosity. As long as users turn to search engines like Google, Yahoo!, and Bing for more information, we can expect cybercriminals to carry on with their effective modus operandi.
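The multi-hop redirection chain and the cloaking checks listed above (referer, user agent, geo/IP) are what make a doorway look harmless to an analyst who opens it directly. The following added example is not from the original post or from Trend Micro: it builds a constructed, in-memory doorway that applies exactly those checks, then shows the differential probe a practitioner runs against a suspect URL: fetch it under several personas without letting the HTTP client auto-follow redirects, record every hop, and compare where each persona ends up. All hostnames (`doorway.example`, `redir-one.example`, and so on), IP ranges (TEST-NET addresses) and page contents are invented for illustration, and nothing here touches the network.

```python
"""Added example: differential probing of a cloaked FAKEAV doorway page.

The `doorway` and `fake_site` functions are a constructed stand-in for the
server-side logic the post describes; they are not real attacker code.
The analyst-side functions (`follow_chain`, `probe`, `is_cloaked`) are the
check a practitioner would run against a live suspect URL by swapping in a
real fetcher with the same signature.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed "targeted" region: TEST-NET-3, so no real network is implied.
TARGET_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")
BENIGN = "<html>scraped blog text about a trending topic</html>"
FAKE_SCANNER = "<html>WARNING: 37 infections found! Buy Antivirus Pro now</html>"


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # Location header on a 3xx response
    body: str = ""


# A fetcher takes (url, request headers, client source IP) and returns a Response.
Fetch = Callable[[str, Dict[str, str], str], Response]


def doorway(url: str, headers: Dict[str, str], client_ip: str) -> Response:
    """Constructed cloaking logic: only a victim-looking visitor is redirected."""
    referer = headers.get("Referer", "").lower()
    ua = headers.get("User-Agent", "")
    in_target = any(ipaddress.ip_address(client_ip) in net for net in TARGET_NETS)
    # Referer check: direct visits (analysts, admins) never see the redirect.
    if not any(se in referer for se in SEARCH_ENGINES):
        return Response(200, body=BENIGN)
    # User-agent filtering: the payload is Windows-only, others get benign content.
    if "Windows" not in ua:
        return Response(200, body=BENIGN)
    # Geo/IP delivery: only visitors from the targeted region enter the chain.
    if not in_target:
        return Response(200, body=BENIGN)
    return Response(302, location="http://redir-one.example/go?id=1")


def fake_site(url: str, headers: Dict[str, str], client_ip: str) -> Response:
    """Routes a URL to the constructed hosts that make up the infection chain."""
    if url.startswith("http://doorway.example/"):
        return doorway(url, headers, client_ip)
    if url.startswith("http://redir-one.example/"):
        return Response(302, location="http://redir-two.example/land")
    if url.startswith("http://redir-two.example/"):
        return Response(302, location="http://scan-result.example/scan.php")
    if url.startswith("http://scan-result.example/"):
        return Response(200, body=FAKE_SCANNER)
    return Response(404, body="not found")


def follow_chain(fetch: Fetch, url: str, headers: Dict[str, str], client_ip: str,
                 max_hops: int = 10) -> Tuple[List[str], Response]:
    """Follow redirects by hand so every intermediate URL is recorded."""
    hops = [url]
    resp = fetch(url, headers, client_ip)
    while resp.status in (301, 302, 303, 307, 308) and resp.location:
        if len(hops) > max_hops:
            raise RuntimeError("redirect chain too long: " + " -> ".join(hops))
        hops.append(resp.location)
        resp = fetch(resp.location, headers, client_ip)
    return hops, resp


# Personas the analyst compares; headers and source IP vary one axis at a time.
PERSONAS: Dict[str, Tuple[Dict[str, str], str]] = {
    "direct visit": ({"User-Agent": "curl/8.0"}, "198.51.100.7"),
    "google, macOS, target IP": ({"Referer": "https://www.google.com/search?q=x",
                                  "User-Agent": "Mozilla/5.0 (Macintosh)"}, "203.0.113.5"),
    "google, Windows, outside target": ({"Referer": "https://www.google.com/search?q=x",
                                         "User-Agent": "Mozilla/5.0 (Windows NT 10.0)"},
                                        "198.51.100.7"),
    "google, Windows, target IP": ({"Referer": "https://www.google.com/search?q=x",
                                    "User-Agent": "Mozilla/5.0 (Windows NT 10.0)"},
                                   "203.0.113.5"),
}


def probe(fetch: Fetch, url: str) -> Dict[str, List[str]]:
    """Return the full hop list each persona observes for the same URL."""
    return {name: follow_chain(fetch, url, hdrs, ip)[0]
            for name, (hdrs, ip) in PERSONAS.items()}


def is_cloaked(results: Dict[str, List[str]]) -> bool:
    """Cloaking indicator: one URL resolves to different final pages per persona."""
    return len({hops[-1] for hops in results.values()}) > 1


if __name__ == "__main__":
    res = probe(fake_site, "http://doorway.example/index.php?q=trending-topic")
    for name, hops in res.items():
        print(f"{name:32} {' -> '.join(hops)}")
    print("cloaking detected:", is_cloaked(res))
```

Against a live page, the only persona that exposes the chain is the one that looks like a victim on every axis at once (search-engine referer, Windows user agent, source address in the targeted region), which is why a single `curl` from an analyst workstation returns the scraped blog text and nothing else. Recording each hop rather than only the final page is what produces the intermediate redirector hostnames needed for blocking.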
Trend Micro product users need not worry, however, as Smart Protection Network™ already protects them from FAKEAV-related attacks by preventing access to malicious sites and domains via the Web reputation service. It also blocks the download and execution of related malicious files like TROJ_FAKEAV.QIEA on users’ systems.