Tweet

Cybercriminals have been found riding on Brittany Murphy’s sudden death to scare people into buying FAKEAV. Searching for keywords like “brittany murphy’s death” on Google resulted in at least two suspicious URLs:

• http://{BLOCKED}erracing.net/vwb.php?sell=brittany%20murphy%20death
• http://{BLOCKED}x.net/icd.php?go=brittany%20murphy%20death

The spike in searches on Murphy’s death has become the theme for the latest blackhat search engine optimization (SEO) attack, which pushed malicious sites to redirect users to scareware portals. These portals have been injected with a malicious script detected by Trend Micro as HTML_FAKEAV.WAF.

Users who click poisoned search results will be alerted to supposed malware infections via a fake message prompt, followed by bogus scanning results and another message prompting them to download a FAKEAV to rid their system of the infection.

HTML_FAKEAV.WAF also accesses URLs (detected by Trend Micro as JS_RENOS.WCF) to download more malware and TROJ_KRAP.DAM (a damaged FAKEAV installer).

Users are thus advised to rely only on trusted news sites for reports on Murphy’s death to prevent system infection. By now, they should have learned that cybercriminals often use celebrity deaths to further their malicious causes as shown in earlier blog posts:

• Michael Jackson Video Leads to Malware Download
• Compromised Sites “Heath” It Up
• Blackhat SEO Quick to Abuse Farrah Fawcett Death

Trend Micro product users are protected from this threat by the Smart Protection Network, which blocks user access to related malicious sites and prevents the download of the malicious scripts.