    With Halloween just a few weeks away, you can bet everyone’s preparing. Kids, and also adults, are probably looking for the perfect costume they’ll wear to scare each other off in the spirit of the holiday.

    Unfortunately, just searching for the perfect costume might make users the victims of a far graver kind of scare tactic.

    Advanced Threats Researcher Ivan Macalintal reported that searches for “halloween costumes” are returning compromised legitimate webpages.

    Webpages seem to have been inserted onto legitimate websites as part of another SEO manipulation plot. As Threat Researcher Lennard Galang explains, “Usually in SEO Poisoning Attacks, malware authors compromise websites that are already top ranked in search engines, which may not be related to one another. Once compromised, they insert a specially crafted webpage on the compromised website so as upon using search engines or site searches, they can easily be visited or referred to.”

    In this case, the webpages inserted on the compromised websites are rigged with the keyword “halloween costumes” so that they are returned whenever that string is searched for. The webpages are loaded with a JavaScript that starts a series of redirections hidden from the user, finally leading to a page that displays the following message box:

    Figure 1. Silent redirections lead to this page.

    Not surprisingly, the final payload for this attack is the installation of yet another rogue antivirus. Clicking “OK” on the message box will download Antivirus 2009, which is one of the notorious rogue AV programs recently reported.

    Figure 2. Clicking on the message box downloads a fake antivirus.

    This attack bears a striking resemblance to a similar attack last year, where searches for Christmas gift shopping also generated nasty results. Just a couple of months back, SEO manipulation was also used to distribute rogue AV.

    However, Trend Micro customers need not worry about being affected by this threat, as the downloaded file AntiMalware2009Installer.exe is already detected as Mal_FakeAV6 by the Smart Protection Network. All malicious URLs are blocked as well.
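The inserted pages described above combine two traits a site owner can check for in their own web root: heavy repetition of one search phrase and a script-driven redirect. The following is an added example, not code from this article or from Trend Micro; the redirect patterns, thresholds and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic client-side redirect patterns (assumed; the article does not show the script).
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=(?!=)"
    r"|location\.(?:replace|assign)\s*\(", re.I)

class _PageScan(HTMLParser):
    """Collects visible text, inline script bodies and meta-refresh tags."""
    def __init__(self):
        super().__init__()
        self.text, self.scripts = [], []
        self.meta_refresh = self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and (dict(attrs).get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)

def audit_page(html, phrase, min_hits=5, min_density=0.10):
    """Flag a page that is both stuffed with `phrase` and redirects via script."""
    scan = _PageScan()
    scan.feed(html)
    scan.close()
    words = re.findall(r"[a-z0-9']+", " ".join(scan.text).lower())
    target = phrase.lower().split()
    n = len(target)
    hits = sum(words[i:i + n] == target for i in range(len(words) - n + 1))
    density = hits * n / len(words) if words else 0.0  # share of words in the phrase
    stuffed = hits >= min_hits and density >= min_density
    redirect = scan.meta_refresh or any(REDIRECT_RE.search(s) for s in scan.scripts)
    return {"hits": hits, "density": round(density, 2), "stuffed": stuffed,
            "redirect": redirect, "suspicious": stuffed and redirect}

# Constructed samples: a keyword-stuffed redirecting page and an ordinary shop page.
DOORWAY = ("<html><body><h1>halloween costumes</h1><p>"
           + "cheap halloween costumes best halloween costumes " * 4
           + "</p><script>var u='//redirect.example/step1';"
             "window.location.href=u;</script></body></html>")
LEGIT = ("<html><body><h1>Autumn catalogue</h1><p>We stock halloween costumes, garden "
         "tools, winter coats and school supplies for the whole family.</p>"
         "<script>if (location.hash == '#top') { scrollTo(0, 0); }</script></body></html>")
```

Only inline scripts are inspected; pages that pull their script from a `src` attribute need the referenced file reviewed separately.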


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice