Blackhat search engine optimization (SEO) campaigns use malicious techniques to promote websites so that they come up as the top search results for certain keywords. Blackhat SEO campaigns use compromised FTP credentials to upload keyword-laden Web pages to legitimate sites, boost their placement in search engines, and redirect traffic to the malicious pages, usually FAKEAV landing pages.
This post analyzes an ongoing blackhat SEO campaign run by a well-known blackhat SEO operator that has been abusing Google’s Image Search. The campaign redirects Mac OS users to FAKEAV that have been specifically designed for Macs, and Windows OS users to either FAKEAV landing pages or sites that host the Black Hole Exploit pack.
In just one month, this campaign was able to redirect nearly 300 million hits from 113 million visitors to the malicious landing pages. In addition to generating pages full of bad links and keywords to boost search engine results ranking, the operator also embedded images taken from legitimate sites so its pages can get a high Google Image Search index.
TDS Campaign Leads to FAKEAV and the Black Hole Exploit Pack
To date, we were able to identify 4,586 compromised servers that have connected to the blackhat SEO command server to retrieve updated redirection scripts. These compromised servers receive two types of malicious URLs used to redirect visitors. The first type of landing page is the traditional FAKEAV scanning page. This particular campaign uses 116 domain names. The second type of landing page is a Traffic Direction System (TDS) page, which uses 176 domain names.
TDS pages are used as landing pages to direct traffic to malicious content based on a variety of criteria such as OS, browser version, and geographic location. This particular campaign uses the well-known SUTRA TDS to redirect users to FAKEAV landing pages or to pages that host the Black Hole Exploit pack.
Data shows that this TDS redirected 68,386,286 hits from 26,715,046 visitors in just the first 10 days of May 2011. In the past 30 days, it redirected 220,175,652 hits from 82,568,468 visitors. In total, the TDS recorded 296,413,984 hits from 113,454,246 visitors.
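For owners of sites that may be acting as the compromised front end described above, one way to look for the redirection in web server access logs, as an added example that is not from the original post. It assumes combined-format logs and that Google Image Search arrivals carry an `imgres` or `tbm=isch` referrer; the log lines, paths and the `min_hits` threshold are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2011:10:01:02 +0000] "GET /gallery/flowers.html HTTP/1.1" 302 0 "http://www.google.com/imgres?imgurl=http://example.org/a.jpg" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) Safari/533.21"
198.51.100.9 - - [10/May/2011:10:01:40 +0000] "GET /gallery/flowers.html HTTP/1.1" 302 0 "http://www.google.co.uk/search?q=flowers&tbm=isch" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
203.0.113.5 - - [10/May/2011:10:02:11 +0000] "GET /gallery/flowers.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
203.0.113.8 - - [10/May/2011:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://www.google.com/imgres?imgurl=http://example.org/b.jpg" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.6"
203.0.113.9 - - [10/May/2011:10:04:00 +0000] "GET /old HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
"""

LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')
GOOGLE_HOST_RE = re.compile(r'^(www|images)\.google\.[a-z.]{2,6}$')

def is_image_search(referer):
    """Heuristic: referrer is a Google host and looks like an image-search result."""
    u = urlparse(referer)
    if not GOOGLE_HOST_RE.match((u.hostname or "").lower()):
        return False
    return u.path.startswith("/imgres") or "tbm=isch" in u.query

def os_family(user_agent):
    """Coarse OS split, the same Windows/Mac distinction the post reports on."""
    if "Macintosh" in user_agent or "Mac OS X" in user_agent:
        return "Mac"
    return "Windows" if "Windows" in user_agent else "Other"

def suspicious_paths(log_text, min_hits=2):
    """Paths that answered image-search arrivals with a 3xx at least min_hits times."""
    stats = defaultdict(lambda: {"redirected": 0, "direct_ok": 0, "os": defaultdict(int)})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path, status, referer, ua = m.groups()
        if is_image_search(referer) and status.startswith("3"):
            stats[path]["redirected"] += 1
            stats[path]["os"][os_family(ua)] += 1
        elif not referer.strip("-") and status == "200":
            stats[path]["direct_ok"] += 1  # same page served normally without a referrer
    return {p: {"redirected": s["redirected"], "direct_ok": s["direct_ok"], "os": dict(s["os"])}
            for p, s in stats.items() if s["redirected"] >= min_hits}

if __name__ == "__main__":
    for path, info in suspicious_paths(SAMPLE_LOG).items():
        print(path, info)
```

A path that redirects image-search arrivals while serving a normal 200 to direct visits is worth inspecting on disk for uploaded pages or injected scripts.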
Largest Unique Traffic Came from the United States (Windows OS)
The SUTRA TDS also keeps track of the geographical location of each visitor based on his/her IP address. The geographical data presented below is based on 194,633,322 hits from 73,540,527 visitors. The United States accounts for 24.4 percent of the total traffic (27.5 percent of the unique traffic), followed by India and Mexico.
Here are the top 10 countries with the largest unique traffic:
The SUTRA TDS also records the visitors’ user-agent or Web browser version, which also reveals what OS they use. Of the 188,128,986 raw hits, Windows OS accounted for 92.5 percent (174,180,938 hits) while Mac OS accounted for 7.3 percent (13,892,964 hits). Interestingly, 55,084 hits came from PlayStation consoles and 12,376 came from iPads.
Although several malicious operators already monetize the Mac traffic by redirecting users to ads, we now see FAKEAV variants that specifically target Macs in addition to the usual Windows-based systems.
In this FAKEAV campaign, the landing page was specially crafted to imitate the look and feel of the Mac OS. Its content prompted users to install the rogue antivirus software detected by Trend Micro as OSX_FAKEAV.A. Once installed, it supposedly scans the affected users’ systems and warns them of bogus infections. Then it convinces them to buy the fake software’s full version to clean their systems.
This campaign again demonstrates how effective blackhat SEO techniques are in driving traffic to malicious websites. In just over a month, blackhat SEO operators have redirected nearly 300 million hits to malicious Web pages such as FAKEAV landing pages, one of which was specifically designed for Mac OS users, and pages hosting the Black Hole Exploit pack. Despite low conversion rates in terms of exploitation and FAKEAV downloads or purchases, this operation is still likely generating a considerable amount of money for its operators.