With Halloween just a few weeks away, you can bet everyone’s preparing. Kids, and also adults, are probably looking for the perfect costume they’ll wear to scare each other off in the spirit of the holiday.
Unfortunately, just searching for the perfect costume might render users the victim of a quite more grave type of scare tactic.
Advanced Threats Researcher Ivan Macalintal reported of search results to queries for “halloween costumes” yielding compromised legitimate webpages.
Webpages seem to have been inserted onto legitimate websites as part of another SEO manipulation plot. As Threat Researcher Lennard Galang explains, “Usually in SEO Poisoning Attacks, malware authors compromise websites that are already top ranked in search engines, which may not be related to one another. Once compromised, they insert a specially crafted webpage on the compromised website so as upon using search engines or site searches, they can easily be visited or referred to.”
In this case, the inserted webpage on the compromised websites are rigged with the keyword “halloween costumes” in order to be yielded as a result whenever a search for the said string is conducted. The webpages are loaded with a JavaScript that starts a series of redirections which is hidden from the user, then finally leading to a page that displays the following message box:
Figure 1. Silent redirections lead to this page.
Not surprisingly, the final payload for this attack is the installation of yet another rogue antivirus. Clicking “OK” on the message box will download Antivirus 2009, which is one of the notorious rogue av programs recently reported.
Figure 2. Clicking on the message box downloads a fake antivirus
This attack bears a striking resemblance to a similar attack last year, where searches for christmas gift shopping also generated nasty results. Also just a couple of months back, SEO manipulation was also used to distribute rogue AV.
However, Trend Micro customers need not worry of being affected by this threat, as the downloaded file AntiMalware2009Installer.exe is already detected as Mal_FakeAV6 by the Smart Protection Network. All malicious URLs are blocked as well.
