Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Trend Micro threat analysts from EMEA have found a blackhat search engine optimization (SEO) attack that uses strings with the phrase “free printable” to hijack search traffic by directing it to a rogue search engine.

    Our researchers found that search engine queries using the string “free printable” yield results that include compromised websites (see Figure 1). The said compromised sites are rigged with malicious JavaScript malware detected as JS_REDIRECT.SMF and JS_REDIRCT.MAC. JS_REDIRECT.SMF and JS_REDIRCT.MAC trigger a set of redirections whenever users visit compromised sites. The redirections ultimately lead to a rogue search engine, which by default puts the original search string into its own search text box.

    As of now, the cybercriminals’ goal in all these seems to be hijacking search traffic from search engines and redirecting them to their own ones to earn money. If it stays as such is not yet known but users need to be wary since it would be very easy for cybercriminals to change the final landing site of the redirections to a malware-hosting site.

    A diagram illustrating how hijacking searches work is shown below.

    Click for larger view

    It is very possible that this blackhat SEO attack takes advantage of the fact that the interest in free printable items is relatively high, especially in South Africa and in the United States.

    We are strongly advising users not to use search strings that include the words “free printable,” as the results may lead to malicious websites.

    We are currently monitoring this attack and will update this entry for developments.

    Update  as of January 27, 2010, 5:30 p.m. (GMT +8:00):

    Below are screenshots of a page (and its source code) found inside a hijacked website that comes up when using the search string “free printable (some item).”

    Click for larger view Click for larger view

    The compromised sites were made to host these pages ridden with keywords in an attempt to lead users to eventually execute the malicious JavaScript malware.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice