Trend Micro researchers were alerted to blackhat SEO campaigns that led to FAKEAV, or rogue antivirus. The cybercriminals behind these attacks hitchhiked on high-profile news such as the recent death of Patrick Swayze, Kanye West’s infamous interruption at the MTV VMA awards, and the death of Yale student Anne Le.
Upon further analysis, our researchers discovered that the poisoned keywords are not limited to recent events. According to Advanced Threats Researcher Joey Costoya, there are many hijacked search items that point to FAKEAV.
Here are some of the search terms:
- Act Registration
- Alan Thicke
- Archer FX
- Archer Fx
- Beaches Movie
- Cbs Survivor
- Community Imdb
- Community Nbc
- Community Show
- Community Tv
- Delta Smelt
- Dina Meyer
- Divas Live 2009
- Ernie Anastos
- Fx Network
- Gillian Jacobs
- Grandma S Boy
- Huron Ca
- Huron California
- Janet Napolitano
- Joel Mchale
- Kanye West Interruption Video
- Katherine Heigl Baby
- Melinda Loveless
- My Date With The President S Daughter
- Polwizjer
- Ralphie May
- Russell Hantz Oil Company
- San Joaquin Valley
- Sniffish
- Starship Troopers
- The Gang Exploits The Mortgage Crisis
- The Office Gossip
- The Valley Hope Forgot
- Volkswagen L1 Concept
These search strings might be based on Google Trends, which shows the top searches people make on Google. The hijacked search strings are then linked to sites that serve FAKEAV.
In addition, the cybercriminals behind these attacks perform GeoIP checks. If the user has a US IP address, the FAKEAV site is shown. Otherwise, accessing the URL produces an HTTP 404 page. Thus our advice for users in the US, who are obviously singled out as the target of these attacks: Be extra careful!
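The GeoIP behaviour described above can be checked from the defender's side by fetching each suspicious search result from more than one country and comparing the responses. The following Python is an added example, not Trend Micro's tooling; the probe records, the example.test hosts and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed probe records: (url, vantage_country, http_status).
# A crawler fetching each search-result URL from several egress points
# would produce these; hosts are placeholders under example.test.
PROBES = [
    ("http://a.example.test/kanye-west-interruption-video", "US", 200),
    ("http://a.example.test/kanye-west-interruption-video", "DE", 404),
    ("http://a.example.test/kanye-west-interruption-video", "PH", 404),
    ("http://b.example.test/news", "US", 200),
    ("http://b.example.test/news", "DE", 200),
    ("http://c.example.test/gone", "US", 404),
    ("http://c.example.test/gone", "JP", 404),
    ("http://d.example.test/page", "US", 302),
    ("http://d.example.test/page", "DE", None),   # timeout: no evidence
    ("http://e.example.test/only-us", "US", 200),
]

def serves_content(status):
    """2xx or 3xx means the site handed this visitor a page or a redirect."""
    return status is not None and 200 <= status < 400

def classify(probes, target="US"):
    """Return {url: verdict}: 'geo-cloaked', 'consistent' or 'inconclusive'."""
    by_url = defaultdict(lambda: {"in": [], "out": []})
    for url, country, status in probes:
        side = by_url[url]          # register the URL even if the fetch failed
        if status is None:          # a failed fetch tells us nothing
            continue
        side["in" if country == target else "out"].append(status)
    verdicts = {}
    for url, seen in by_url.items():
        if not seen["in"] or not seen["out"]:
            verdicts[url] = "inconclusive"   # need both sides to compare
        elif (all(serves_content(s) for s in seen["in"])
              and all(s == 404 for s in seen["out"])):
            verdicts[url] = "geo-cloaked"    # the pattern described in the post
        else:
            verdicts[url] = "consistent"
    return verdicts

if __name__ == "__main__":
    for url, verdict in classify(PROBES).items():
        print(f"{verdict:13} {url}")
```

A URL that returns 404 everywhere is reported as consistent (simply dead), and a URL with no usable probe on one side is left inconclusive rather than flagged.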
SEO poisoning is becoming the main vehicle for rogue antivirus applications. It often rides on current events, as we have blogged before in the following posts:
- FakeAV for 9/11
- California Bush Fires Spark Blackhat SEO Campaigns
- Cory Aquino’s Death Used to Spread Another FAKEAV
- “Solar Eclipse 2009 in America” Leads to FAKEAV
- Blackhat SEO Quick to Abuse Farrah Fawcett Death
Users are advised to be cautious in their Web searches and to visit credible websites only. Trend Micro already blocks and detects all malicious URLs through its Trend Micro Smart Protection Network.