SEO: Search Engine Optimization.
No, it's not another buzzword. It's a technique used by malware authors to propagate their malware. They use one of the most respected search engines today (Google) to make their way onto the user's machine. Piggybacking on a prestigious and highly trusted search engine is an efficient and effective way to reach billions of users worldwide.
Rogue AVs usually use this method. They create fraudulent sites (site A) which redirect to another site (site B), which in turn downloads the Rogue AV onto the system. The malware industry makes sure that site A gets a hit during a Google search by targeting search queries that are sensational or new, for example the Haiti earthquake.
In light of this, users are advised to be vigilant when accessing sites. When even Google is used as a medium by malware, blind trust in returned links is unacceptable.
Friday, March 5, 2010
Disasterware strikes again, as they call it!
The magnitude 6.4 earthquake rattled not only Taiwan but Internet users as well. It is another opportunity for malware writers to poison the results returned from searches about this disaster. This has become a constant attack every time there is major news: an earthquake, a tsunami or any other event that captures people's attention. It now seems that every news item is guaranteed an equivalent malicious site. This infection vector, abused by fake AVs, should serve as a warning.
Once unsuspecting users click the malicious site, they are redirected to a fake AV online scan page that shows various annoying pop-ups warning the user that his system is infected and vulnerable to attacks. This might lead the user to download and install Rogue Antispyware such as Security Antivirus. The attackers use multiple malicious domain names so that they cannot easily be identified. This infection routine is the same as in other reports you may have read in the previous blogs. But despite the awareness campaign, there is still an increasing number of victims falling for this scam and, worse, losing their money.
I have seen a few malicious search results which start with a comma (,) or a dash (-), such as in the screenshot above and in this blog. It is advisable to avoid visiting these kinds of search results. Internet users should be very careful in picking which sites to read the latest news from. It is much better to read from reputable sources.
Labels:
rogue,
Rogue Anti Spyware,
rogue av,
scareware,
seo,
seo poisoning
Monday, March 1, 2010
Chilling rogues on Chile
Shortly after the Haiti earthquake incident, the world is rocked again with the news of the Chile earthquake. And with the wave of searches on Google about the Chile earthquake, malware authors have once again taken this opportunity to proliferate rogue antispyware.
Searches returned from Google are generally not suspect, especially if they bear URLs that seem normal. But one particular site (bostonmassduilawyer.com/ypi.php?...chile-earthquake-videos), when accessed, will redirect you to http://188.124.5.159/index.html.

This site will display a fake system scan using an HTML page, and clicking anywhere on the page will prompt the user to download the INST.EXE file (SecurityTool fake AV). It also displays annoying pop-ups that feed FUD to users (FUD: Fear, Uncertainty, Doubt).


INST.EXE is just another Security Tool installer. Shortly after executing, it will display a fake scan showing some bogus results. Attempting to activate it will lead you to a page where they offer you a 2-year software license for $49.95, and a lifetime software license for $79.95. Looks tempting, but it's just a ploy to part you from your money. In truth, it's one hell of a hefty price to pay for such a useless and annoying scareware.
Labels:
rogue,
Rogue Anti Spyware,
rogue av,
scareware,
seo,
seo poisoning
Tuesday, February 23, 2010
SEO Poisoning scores a goal at the 2010 Winter Olympics
The Hockey games on the 2010 Winter Olympics are well under way and SEO poisoning attacks abound! Hockey enthusiasts turning to the Internet in search of game schedules are in for quite a surprise as cyber-criminals are quick to ensure that their malicious websites appear in the top Google search results.
Redirection
Unsuspecting users who click on the malicious search results are redirected to a fake My Computer online scan page. Here is where the bad guys attempt to 'scare' their way into the user's computers.
Fake My Computer online Scan
Message displaying false detections on the user's computer
Navigating Away
Users attempting to manoeuvre away from the malicious website are presented with the following message and are left with very little choice:
Countermeasure Against the Good Guys
Malware researchers often share URLs with each other as a way of spreading the news and to warn others and prevent further infection. But the bad guys behind this attack are smart enough to devise a countermeasure. The URLs are no longer enough to replicate the attack. Entering the URL directly on the browser simply redirects the users to the CNN website.
CNN Website
Download
The fake My Computer online scan page ultimately offers a solution in the form of an installer for the fake antivirus software called Security Antivirus.
File Download
The Works
As with other fake security software, Security Antivirus displays a decent graphical user interface to give its victims that warm fuzzy feeling of installing legitimate software that will protect their computer.
As mentioned in a previous post, Security Antivirus is a clone of Live PC Care, Windows Security Suite, and Windows System Suite.
Installation
Fake Scans
Annoying Pop ups
As unsuspecting users would like to remove all the purported detections found on their machine, Security Antivirus requires activation. And for a lifetime subscription, victims would have to say goodbye to a hefty $89.95 of their hard-earned cash.
Activation
License Selection
Credit Card Payment
Entering credit card details here seals the deal. But there's no stopping the bad guys from abusing the information they have collected.
If you have been a victim of this attack, immediately contact your credit card company to get your money back and to make sure there will be no future unauthorised charges.
Also, when searching for information relating to the Winter Olympics, it is always a good idea to turn to reputable sources like news networks and, of course, the official 2010 Winter Olympics website.
Tuesday, September 22, 2009
Another Shameless SEO based on Atlanta Flooding
Users Googling "Atlanta flood pictures" are served yet another SEO attack, this time through a possibly compromised legitimate Australian website for restaurants in the famous Bondi area.
Here's a screenshot of a Google search result:

A Fiddler capture shows us the redirections:

So we go from:
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN
An installer named Soft_207.exe will be offered for download, which is a variant of the Total Security family of fake AVs.
At the moment, the following domains have been observed to have been involved in this attack:
winfixscanner7(dot)com
15scanner(dot)com
These domains resolve to the following IP addresses:
89.47.237.55
89.248.174.61
213.163.89.60
But knowing the trend in scareware, there could be many more domains being created as we speak.
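The redirect chain above, and the bare-IP landing page in the Chile post (http://188.124.5.159/index.html), are exactly the kind of capture an analyst triages after a user reports a poisoned search result. The following is an added example, not code from this blog: it parses a chain written in the defanged "hxxp" / "(dot)" form the posts use, refangs it, and tags each hop with the indicators a defender would care about (landing host is a bare IP, host is on a known-bad list, affiliate-style tracking parameters such as pid/sid/engine, a brand lookalike such as read-cnn2.com, scanner-themed keywords in the hostname). The chain and the known-bad list are constructed from the hops, domains and IPs printed in the post; the brand list and the keyword heuristic are assumptions for illustration.

```python
"""Triage a captured SEO-poisoning redirect chain (added example, not the blog's code)."""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: the hops shown in the Atlanta post, in defanged form,
# with the ">" depth markers the post uses to show redirect order.
CAPTURED_CHAIN = """\
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN
"""

# Constructed indicator list: the scanner domains and IPs named in the post.
KNOWN_BAD_HOSTS = {"winfixscanner7(dot)com", "15scanner(dot)com",
                   "89.47.237.55", "89.248.174.61", "213.163.89.60"}

# Assumed: brands the rogue pages impersonate, and the genuine domain for each.
IMPERSONATED_BRANDS = ("cnn",)
GENUINE_DOMAINS = {"cnn.com"}

# Assumed heuristic: words rogue-AV landing hosts tend to carry.
SCANNER_WORDS = re.compile(r"scan|fix|secur|antivir")


def refang(token):
    """Undo the usual defanging conventions so the URL can be parsed."""
    token = re.sub(r"^hxxp", "http", token.strip(), flags=re.IGNORECASE)
    return token.replace("(dot)", ".").replace("[dot]", ".").replace("[.]", ".")


def parse_chain(capture):
    """Return the hops of a captured chain in order, stripping '>' markers."""
    hops = []
    for line in capture.splitlines():
        line = line.strip().lstrip(">").strip()
        if line:
            hops.append(refang(line))
    return hops


def host_is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain (no PSL)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def hop_indicators(url, blocklist=KNOWN_BAD_HOSTS):
    """Return the indicator tags a defender would attach to one hop."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    tags = []
    if host_is_bare_ip(host):
        tags.append("bare_ip_host")  # e.g. the 188.124.5.159 landing page
    if host in {refang(h) for h in blocklist}:
        tags.append("known_bad_host")
    params = parse_qs(parsed.query)
    affiliate = sorted(k for k in params if k in ("pid", "sid", "engine"))
    if affiliate:
        tags.append("affiliate_params:" + ",".join(affiliate))
    for brand in IMPERSONATED_BRANDS:
        if brand in host and registrable(host) not in GENUINE_DOMAINS:
            tags.append("lookalike:" + brand)
    if SCANNER_WORDS.search(host):
        tags.append("scanner_keyword")
    return tags


def triage(capture):
    """Summarise a chain: per-hop indicators, landing host, and whether the
    landing site differs from the site the search result pointed at."""
    hops = parse_chain(capture)
    report = [(u, hop_indicators(u)) for u in hops]
    first = registrable(urlparse(hops[0]).hostname or "")
    last = registrable(urlparse(hops[-1]).hostname or "")
    return {
        "hops": report,
        "final_host": urlparse(hops[-1]).hostname,
        "off_site_landing": first != last,
        "suspicious": any(tags for _, tags in report),
    }


if __name__ == "__main__":
    result = triage(CAPTURED_CHAIN)
    for url, tags in result["hops"]:
        print(url, "->", ", ".join(tags) or "no indicators")
    print("landing host:", result["final_host"], "| suspicious:", result["suspicious"])
```

The first two hops (the compromised site and the intermediate redirector) carry no indicators on their own, which is the point the post makes about URLs that "seem normal": the decision has to be made on the whole chain, and the off-site landing plus the tagged final hops is what turns a normal-looking search result into a blocklist entry.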