We regularly blog about how cybercriminals misuse newsworthy events in order to gain profit for themselves. In the past 24 hours, TrendLabsSM has tracked multiple FAKEAV attacks that try and trick users searching for help following the recent McAfee update 5958 incident. This determination by cybercriminals to cause further problems and inconvenience to innocent end users and businesses is, in many respects, not surprising.
We at Trend Micro are keen to help users identify these FAKEAV scams before they can be affected.
In a recent post on how blackhat SEO leads to FAKEAV, “Doorway Pages and Other FAKEAV Stealth Tactics,” advanced threats researcher Norman Ingal described important telltale signs of malicious search results, specifically that their URLs follow this pattern:
This can help users spot malicious results. Ingal further adds that the title of the page (the text that appears in bold heading style in search results lists) is generally the same as the keywords used. The same pattern has appeared time and again in our investigations related to blackhat SEO attacks.
Only this week, the search results to the following keywords were also found to carry redirections leading to rogue antivirus software:
- who got voted off american idol april 21
- dancing with the stars elimination april 2010
- goldman sachs sec filings
- boston marathon results
- april 20th weed day
The following is a demonstration of what our engineers found when they began to track search results leveraging the recent security incident:
These results lead to redirections that end up in now-usual extortion schemes where users are presented with fake infection signals to convince them to pay for software they do not actually need. Trend Micro detects variants and components of these attacks as FAKEAV.
Trend Micro™ Smart Protection Network™ already protects product users from blackhat SEO attacks of this kind by preventing access to malicious sites and domains via the Web reputation service.
Web reputation is a much faster option for blocking new threats than waiting for signatures. With this attack, we could be looking at thousands of new malicious files that have to be processed versus a single domain.
Users should, by now, be aware that trusting results from search engines is no longer as safe as previously thought. The clues we mentioned above can help users weed out legitimate results from suspicious ones. For users who are concerned about being infected, Trend Micro HouseCall is a free tool that scans for malware infections and other security threats.
Other blackhat SEO attacks in the recent weeks from the Malware Blog include: