SEO techniques and malware: Don't move or I'll redirect!

Filed Under: Malware, SophosLabs, Spam

Search engine optimisation (SEO) techniques have received a fair amount of attention recently, thanks mostly to their use in fake AV distribution. In this blog, I will describe an interesting piece of JavaScript I came across whilst investigating some SEO pages.

In a typical SEO attack, when the victim clicks through to the SEO page from the search engine results, they are immediately redirected to the target site (whether that site is designed to infect them with malware or to show them spammy services/goods). This is normally achieved using one of the following methods:

  • 302 redirect
  • JavaScript driven redirect
  • Flash (ActionScript) driven redirect
  • META redirect

The SEO pages I was looking at this week used an interesting JavaScript for the redirection. The script is shown below:

As you can see, the redirection is a little more obscure than the usual simplistic location.href=_some_url_! The script adds an event listener to the document using addEventListener (Mozilla et al.) or attachEvent (IE).

Upon the mousemove event firing, the exit() function is called, incrementing a counter. Once that counter hits 3, an anchor element is added to the page and the redirection is delivered. A curious exercise in making the simple overly complex and cumbersome! It looks like a "hiding in plain sight" tactic: spreading the redirect across an event handler, a counter and a dynamically created anchor in an attempt to evade detection that keys on a plain location assignment.

The target of the redirect is changing (of course), but thus far the SEO efforts seem to have been focused on shifting software and other products.

In addition to blocking access to the target spammy pages via URL filtering, the malicious redirect script is also blocked as Troj/JSRedir-BU by Sophos products.


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.