
Fake AVs lure victims using Ford as bait

Panda Security’s antimalware laboratory has revealed that cyber-crooks are exploiting the current upheaval in America’s motor industry by launching a black hat SEO (Search Engine Optimization) attack using the name of embattled American car manufacturer Ford Motor Co. as bait to distribute malware on the Internet. The IT security vendor has discovered 1.2 million results in searches related to Ford which point to these malicious pages.

“If users searching for information about Ford click one of the malicious results, they are taken to a webpage in which it seems as if they are about to see a video,” explains Jeremy Matthews, head of Panda Security’s sub-Saharan operations. “If they try to watch the video, they will be prompted to download another program. This program, however, is really a fake antivirus. Panda has detected two fake antivirus programs that are distributed in this way: MSAntiSpyware2009 and Anti-Virus-1.”

These fake antiviruses are designed to make users believe that their computers have been infected by malware. They do this by simulating a scan of the system and supposedly detecting malware. Users are then offered the chance – through pop-ups and banners – to buy the paid version of the fake antivirus to clean their computers. If they don’t buy it, the malicious code will prevent the computer from operating properly in an attempt to force users into buying the product.

Over the last year, this type of malware has increased significantly. According to data from Panda, the number of fake antivirus variants increased one hundredfold between the first quarter of 2008 and the corresponding period in 2009. In fact, in the first three months of 2009 no fewer than 111,086 new strains of fake antivirus were detected – 20% more than in the whole of 2008.

“What’s interesting about this attack, however, is that this is one of the only black hat SEO attacks to focus on a single brand,” concludes Matthews.


For more information about this infection, go to the PandaLabs blog.

Blackhat SEO fuels rogue security campaign

In our previous post, we looked at SEO being used by cyber-crooks to distribute malware – especially fake antivirus. In this post we look at a specific example of this happening: Rogue Anti-Malware from Pandora Software.

Blackhat SEO is a method used by criminals to trick search engines into displaying their content ahead of legitimate sites. Below is an example of a hijacked search:

Accessing the link redirects the victim to the rogue anti-malware site, which then prompts the user to download and install the malicious software, as shown below:

Sample hijacked search terms include the following:

Cinderella Full Story In Script
Swollen Throat Rash Chest Pains Symptoms
Body Aches All Over And Extreme Fatigue
Candy Bar In Illustrator
Humerous Marriage Definitions
Art Ideas For Babies
Possesive Worksheet
Free Online Scan Malware
Proxy Which Allows Java
Cd Key Do X Blades
Swollen Lymph Nodes And Dry Cough
How To Write Law In Graffiti
Index Of Best Songs
Keys Of Digi Tv
Free Space Crafts For Preschoolers
Execution Of Women Video
Labeled Diagram Of A Foot
Facebook Skins Free
Ear Infections And Sore Muscles

Post by Sean-Paul Correll, PandaLabs.

Cyber-crooks manipulate Google searches to sell fake antivirus products

Panda Security has revealed that cyber-criminals are manipulating search engine results to distribute malware, in particular, fake antivirus products.

‘The reason for this is simple – the criminals need to attract users to malicious sites in order to infect them,’ says Jeremy Matthews, head of Panda’s sub-Saharan operations. ‘What’s new, however, is the inventive ways they are drawing users to these Web pages.’

In the past, users were lured to compromised websites by mass spam mailings. Targeted users read the emails, clicked on the links they contained and were unwittingly directed to a malicious Web page. Now there is a change in strategy: because users are more wary of messages from unknown senders, criminals are using more effective ways of ensnaring new victims. They are using a Google tool called Google Trends which, among other things, lists the most popular searches of the day (anything from Obama’s inaugural address to the Oscar nominations).

Once they know the top searches and hot topics of the day, they create a blog full of the most searched for words (e.g. Obama, Penelope Cruz etc.) and videos supposedly related to these topics. This way, they increase the blog’s ranking to place it among users’ first search results.

“Users who trust these results will end up on a Web page where they will be asked to download a codec or plug-in, etc. in order to watch the video. If they do so, they will be downloading malware – in most cases a fake antivirus,” explains Matthews.

Fake antiviruses try to pass themselves off as real antivirus products to convince targeted users they have been infected by malicious code. Victims are then prompted to buy the rogue antivirus to remove these bogus infections. Cyber-crooks are currently profiting substantially from this type of fraud.

SEO techniques

This type of attack benefits from advanced SEO (Search Engine Optimization) techniques. These are legitimate Web programming techniques aimed at increasing the volume and quality of traffic to a website and improving its ranking in search engine results. This was the case with the web page selling the Malwaredoctor fake antivirus, which was designed specifically to achieve a high ranking in search engines.

In addition to standard SEO techniques, attackers are also using techniques known as “Black Hat SEO”, which could be described as illegitimate search engine positioning techniques used to bypass search engine policies, present alternative content or affect the user’s experience. Occasionally it can be difficult to determine whether a technique is legitimate or not, as this can depend on the policies of the search engine.

Attack obfuscation

Attackers are always keen to make it harder for anti-malware vendors to identify malicious sites. To do this they are starting to use a more advanced way of launching these attacks: some of the malicious pages they control behave differently and show different content depending on where the visitor came from.

In order to hide the attack, a script is inserted that determines the origin of the visitor (in practice, the HTTP Referer header the browser sends). If a user types the URL directly into the browser’s address bar, the legitimate, correct content is displayed. However, if the user has come from a manipulated Google search, they are taken to the malicious Web page. The same trick also fools an analyst who simply pastes the reported URL into a browser: without a search-engine referrer, the page looks clean.
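The referrer check described above, written out both ways, as an added example (not code from the page or from PandaLabs): the attacker-side decision that serves a clean page to direct visits and the rogue redirect to search-engine click-throughs, and the analyst-side check that fetches the same URL twice, once with no Referer and once with a Google Referer, and compares the two. The hostnames, page bodies and the in-memory "fetch" function are assumptions constructed so the example runs offline; against a live site you would substitute a real HTTP client for `fake_fetch`.

```python
"""Referrer-based cloaking: attacker logic and a two-request check for it.

Added example, not PandaLabs code. Hostnames, page bodies and fake_fetch are
constructed for illustration.
"""
import re
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

# Referer hosts the cloaking script treats as "came from a search result".
SEARCH_ENGINE_MARKERS = ("google.", "bing.", "yahoo.")

# Constructed page bodies: what a direct visitor sees vs. a search click-through.
BENIGN_BODY = "<html><body><h1>Ford dealership news</h1></body></html>"
ROGUE_BODY = ('<html><body><script>location="http://rogue-av.example/scan.php"'
              "</script></body></html>")


def came_from_search_engine(referer: Optional[str]) -> bool:
    """Attacker-side test: does the Referer point at a search engine host?"""
    if not referer:
        return False  # typed-in URL or stripped referrer: treat as a direct visit
    host = urlparse(referer).netloc.lower()
    return any(marker in host for marker in SEARCH_ENGINE_MARKERS)


def cloaked_handler(headers: Dict[str, str]) -> str:
    """Simulated server behaviour from the text: legitimate content for a
    direct visit, a redirect to the rogue AV page for a search click-through."""
    if came_from_search_engine(headers.get("Referer")):
        return ROGUE_BODY
    return BENIGN_BODY


def detect_cloaking(fetch: Callable[[str, Dict[str, str]], str], url: str) -> dict:
    """Analyst-side check: fetch `url` with no Referer and with a search-engine
    Referer, report whether the bodies differ and any redirect target found in
    the search-referred response. `fetch(url, headers)` returns the body."""
    direct = fetch(url, {})
    via_search = fetch(url, {"Referer": "https://www.google.com/search?q=ford+video"})
    redirect = re.search(r'location\s*=\s*"([^"]+)"', via_search)
    return {
        "cloaked": direct != via_search,
        "redirect_target": redirect.group(1) if redirect else None,
    }


def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for an HTTP client: routes to the cloaking handler."""
    return cloaked_handler(headers)


if __name__ == "__main__":
    print(detect_cloaking(fake_fetch, "http://hijacked-blog.example/ford-video"))
```

Two caveats when running this against real pages: vary the User-Agent as well as the Referer, since some cloaking scripts key on the crawler's user agent rather than the referrer, and compare normalised bodies rather than raw bytes, or ordinary dynamic content (timestamps, ad slots) will show up as a false "cloaked" result.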

MSAntispyware 2009: A different example

PandaLabs recently detected a Web page that appeared to establish a new model. While generally pages selling fake antiviruses either do not contain specific tags or those they contain are designed to improve indexing in search engines, the page from which MSAntispyware 2009 was distributed represented a significant change. Here, all the tags and processes were designed to prevent the page from being indexed in search engines.

The reason for this was to make it more difficult for malware analysts and security companies to prevent infections by techniques such as blocking URLs discovered through search-engine queries with specific parameters: a page that is never indexed never shows up in those queries.
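A small checker for the opposite signal, as an added example (not code from the page or from PandaLabs): given a fetched page, its response headers and the site's robots.txt, it lists every directive that tells search engines to stay away, which is the pattern described for the MSAntispyware 2009 page. The sample HTML, headers and robots.txt are constructed for illustration; a legitimate site can carry the same directives, so these signals are only meaningful alongside the rogue-download behaviour the page describes.

```python
"""List anti-indexing directives on a page: meta robots tags, the X-Robots-Tag
header and a robots.txt that excludes crawlers.

Added example, not PandaLabs code. SAMPLE_* inputs are constructed.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.robotparser import RobotFileParser

ROBOTS_DIRECTIVES = ("noindex", "nofollow", "noarchive", "nosnippet", "none")


class _MetaRobotsCollector(HTMLParser):
    """Collect the content of <meta name="robots"> and <meta name="googlebot">."""

    def __init__(self) -> None:
        super().__init__()
        self.contents: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.contents.append(a.get("content", "").lower())


def _directives(value: str) -> List[str]:
    """Split 'noindex, nofollow' into the recognised directives, in fixed order."""
    found = {d.strip() for d in value.lower().split(",")}
    return [d for d in ROBOTS_DIRECTIVES if d in found]


def anti_indexing_signals(html: str, headers: Dict[str, str],
                          robots_txt: str, path: str) -> List[str]:
    """Return human-readable signals showing the page is avoiding indexing."""
    signals: List[str] = []

    parser = _MetaRobotsCollector()
    parser.feed(html)
    for content in parser.contents:
        signals.extend(f"meta robots: {d}" for d in _directives(content))

    lowered = {k.lower(): v for k, v in headers.items()}
    for d in _directives(lowered.get("x-robots-tag", "")):
        signals.append(f"X-Robots-Tag: {d}")

    # RobotFileParser.parse() takes the file as a list of lines.
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch("Googlebot", path):
        signals.append(f"robots.txt disallows {path} for Googlebot")

    return signals


def hides_from_search_engines(html: str, headers: Dict[str, str],
                              robots_txt: str, path: str) -> bool:
    """True when the page both refuses indexing and refuses crawling."""
    signals = anti_indexing_signals(html, headers, robots_txt, path)
    noindex = any(s.endswith("noindex") or s.endswith("none") for s in signals)
    disallowed = any(s.startswith("robots.txt") for s in signals)
    return noindex and disallowed


# Constructed sample inputs modelled on the behaviour described in the text.
SAMPLE_HTML = """<html><head>
<meta name="robots" content="noindex, nofollow, noarchive">
<title>Free Online Scan Malware</title>
</head><body><a href="/scan.php">Download scanner</a></body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Robots-Tag": "noindex"}
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    for s in anti_indexing_signals(SAMPLE_HTML, SAMPLE_HEADERS, SAMPLE_ROBOTS, "/scan.php"):
        print(s)
```

The useful output is the combination: an SEO-driven lure page wants to be indexed, so a download page that refuses both crawling and indexing while a cloaked lure page feeds traffic to it is worth a second look, and it explains why URL blocklists built from search-engine queries will miss it.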