Yesterday’s solar eclipse over parts of Asia was witnessed by millions of people, so it should come as no surprise that it would attract the attention of cybercriminals. And it has. Cybercriminals wasted no time in riding on the event, using SEO poisoning to redirect users to a site peddling rogue antivirus software (FAKEAV).
According to Senior Threat Researcher Joey Costoya, who discovered the attack, when users query the phrase “solar eclipse 2009 in America” in popular search engines, certain top-ranking results redirect them to a malicious site under the domain name antispyware-scannerv3, where the FAKEAV is hosted. Trend Micro detects this variant of rogue antivirus as HTML_FAKEAV.FT.
The following are screenshots of the rogue antivirus online scanning page and the scanning results:
The Smart Protection Network protects Trend Micro users from this threat by blocking access to the malicious sites, so that even if curious users click on rigged search results they never reach the rogue antivirus pages. Furthermore, Trend Micro already detects and cleans the rogue antivirus components related to this attack.
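The redirect chain described above (search result → compromised top-ranking page → rogue AV site) leaves a distinctive trace in web proxy logs: a 3xx response whose Referer is a search-engine results page and whose Location points at a different host. The script below is an added example, not code from the original post or from Trend Micro; it runs over a constructed log format and constructed hostnames (the rogue domain fragment comes from the post, but its full hostname does not, so `.example` is a placeholder) and flags hops that match a blocklist as `blocked` and any other cross-site redirect straight off a search hit as `suspicious`.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy log format (not any real product's):
#   <timestamp> <client-ip> "<method> <url>" <status> "<referer>" "<location>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>[^"]+)" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<location>[^"]*)"$'
)

# Search-engine hosts whose referers carry the user's query, and the
# query parameter names they use for the search terms.
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}
QUERY_PARAMS = ("q", "p")

# Domain fragment named in the post; the full hostname is not given, so any
# host containing the fragment is treated as the rogue AV site (assumption).
BLOCKED_FRAGMENTS = ("antispyware-scannerv3",)

# Constructed sample log: one poisoned hit, its follow-up fetch, a clean
# search hit, an ordinary in-site redirect and a cross-site redirect.
SAMPLE_LOG = """\
2009-07-23T09:14:02Z 10.0.0.5 "GET http://example-blog.test/eclipse-photos" 302 "http://www.google.com/search?q=solar+eclipse+2009+in+America" "http://antispyware-scannerv3.example/scan.php"
2009-07-23T09:14:03Z 10.0.0.5 "GET http://antispyware-scannerv3.example/scan.php" 200 "http://example-blog.test/eclipse-photos" ""
2009-07-23T09:15:10Z 10.0.0.7 "GET http://news.example/eclipse" 200 "http://www.google.com/search?q=solar+eclipse+2009" ""
2009-07-23T09:16:00Z 10.0.0.9 "GET http://shop.example/item" 302 "http://shop.example/" "http://shop.example/login"
2009-07-23T09:17:30Z 10.0.0.11 "GET http://photos.example/eclipse" 302 "http://www.bing.com/search?q=eclipse+photos" "http://cdn.other.example/gallery"
"""


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def search_query(referer):
    """Return the search terms if `referer` is a search results page, else None."""
    p = urlparse(referer)
    if p.netloc.lower() not in SEARCH_ENGINES:
        return None
    qs = parse_qs(p.query)
    for name in QUERY_PARAMS:
        if name in qs:
            return qs[name][0]
    return None


def classify_redirect(entry):
    """Return 'blocked', 'suspicious' or None for one parsed log entry."""
    if not entry["status"].startswith("3") or not entry["location"]:
        return None                      # only redirects are of interest
    if search_query(entry["referer"]) is None:
        return None                      # not a hop straight off a search hit
    target_host = urlparse(entry["location"]).netloc.lower()
    if any(frag in target_host for frag in BLOCKED_FRAGMENTS):
        return "blocked"                 # known rogue AV host
    source_host = urlparse(entry["url"]).netloc.lower()
    if target_host and target_host != source_host:
        return "suspicious"              # search hit bouncing to another site
    return None


def find_poisoned_redirects(log_text):
    """Scan a whole log and return one finding per flagged redirect."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify_redirect(entry)
        if verdict:
            findings.append({
                "client": entry["client"],
                "query": search_query(entry["referer"]),
                "landing": entry["url"],
                "redirect_to": entry["location"],
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for f in find_poisoned_redirects(SAMPLE_LOG):
        print(f"{f['verdict']:10} {f['client']} q={f['query']!r} "
              f"{f['landing']} -> {f['redirect_to']}")
```

The `suspicious` tier is deliberately broad: legitimate sites do redirect search visitors to other hosts (CDNs, regional mirrors), so in practice it is a triage queue to enrich with reputation data, while `blocked` entries indicate a client that reached the rogue AV page and should be checked for the dropped components.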
This is not the first time an eclipse was used to bait users to download malware. Read more about that in the blog entry Dark Shadows Lurk after Lunar Eclipse.