Easter eggs, with a side order of scareware

Filed Under: Featured, Malware, SophosLabs

Several weeks ago, in early February, I asked the question "Is this the resurgence of Blackhat SEO?". At the time we had seen a definite increase in the volume of search engine optimisation (SEO) attacks that we were blocking, but it was a little too early to predict whether that trend would continue.

So what is the situation now? Well, as you can see from the data below, the trend has certainly continued. The volume may not be up to the levels we experienced in mid-2011, but clearly the attackers are finding some success with gaming the search engines.

Remember, it is trivial for the attackers to predict popular search terms. So with Easter imminent, it is not surprising that SEO attacks we have seen this week have used topics such as 'eggs', 'chocolate' and 'bunnies'.

This is a good time to remind people about the dangers of blindly trusting search engine results. The screenshots below (video coming shortly) were all taken from a machine infected after searching for the following:

easter eggs + decorating tips easter secrets

As you can see below, when I clicked on the first search result returned, fake anti-virus (scareware) is what's on the menu. At the time of writing, the scareware being installed calls itself 'Windows Care Taker'.

A variety of rogue .info sites are used in the scareware installation, with fresh ones being registered and used all the time.

monitorpreventionvulnerability dot info
controldebugprotect dot info
trojansperilsperformance dot info
etc

The reason SEO attacks are successful is that all of us tend to trust search engine results. After searching for something, we happily click any of the links high up in the first page of results.

So, what can you do to protect yourself against these attacks?

  • install a reputable security product. Sophos products block these attacks at several levels (URL filtering plus several generic detections for the various components involved in the attack: Mal/SEORed-A, Mal/FakeAvJs-A, Mal/FakeAV-PY).
  • before you click on search engine results, cast a quick glance at the site in question. This may not always help, but if the domain looks completely unrelated to the topic you are interested in, think carefully before clicking.
  • for those of you using browsers that support plug-ins, you may want to consider hiding/modifying your referrer. As explained previously, the SEO attacks rely on knowing you came via a search engine when you click through to the SEO page.
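The referrer dependency described in the last point is also something a defender can turn around: a click-through from a search results page that is immediately bounced to an unrelated, freshly registered site is a recognisable pattern in web proxy logs. The script below is an added example, not code from the original post or from Sophos; it runs over a constructed sample log (the log format, the `.example` hostnames, the search-engine list and the wordlist of glued-together security terms are all assumptions, with only the one `.info` domain taken from the post) and flags requests that carried a search-engine Referer and were redirected off-site to a rogue-looking host.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not from the original post). One request per line, fields
# space separated: timestamp client method url status redirect_location referer ('-' if empty).
# Domains under .example are reserved placeholders; the .info name is one the post lists.
SAMPLE_LOG = """\
2012-04-05T10:01:02Z 10.0.0.5 GET http://www.google.com/search?q=easter+eggs+decorating+tips 200 - -
2012-04-05T10:01:09Z 10.0.0.5 GET http://recipes.example/easter-eggs.php 302 http://monitorpreventionvulnerability.info/scan/ http://www.google.com/search?q=easter+eggs+decorating+tips
2012-04-05T10:01:10Z 10.0.0.5 GET http://monitorpreventionvulnerability.info/scan/ 200 - http://recipes.example/easter-eggs.php
2012-04-05T10:05:44Z 10.0.0.7 GET http://news.example/easter/ 200 - http://www.bing.com/search?q=chocolate+bunnies
2012-04-05T10:07:00Z 10.0.0.9 GET http://wiki.example/ 302 http://wiki.example/Home http://www.google.com/search?q=team+wiki
"""

SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.", "ask.")   # assumed list; extend as needed
SUSPECT_TLDS = (".info",)                                      # the post names rogue .info sites
# Security-flavoured words glued together in the post's example domains (assumed wordlist).
SALAD_WORDS = ("monitor", "prevention", "vulnerability", "control", "debug",
               "protect", "trojans", "perils", "performance", "scan", "virus")


def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, client, method, url, status, location, referer = fields
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "location": location, "referer": referer}


def host_of(url):
    """Lower-cased hostname of a URL, or '' for '-' and unparsable values."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def is_search_referer(referer):
    """True when the Referer points at a search engine results page."""
    return any(tok in host_of(referer) for tok in SEARCH_ENGINE_HOSTS)


def looks_rogue(host):
    """Heuristic for the throwaway domains the post describes: a suspect TLD, or a
    registrable label made of two or more glued-together security words."""
    if host.endswith(SUSPECT_TLDS):
        return True
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else host
    return sum(1 for w in SALAD_WORDS if w in label) >= 2


def find_seo_redirects(log_text):
    """Return the requests that arrived from a search engine and were bounced off-site to
    a rogue-looking host: the signature of a click-through to an SEO landing page."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only redirects with a Location header are of interest here.
        if not (300 <= rec["status"] < 400) or rec["location"] == "-":
            continue
        landing = host_of(rec["location"])
        # Same-site redirects (the wiki line) are normal; cross-site ones to rogue hosts are not.
        if is_search_referer(rec["referer"]) and landing != host_of(rec["url"]) and looks_rogue(landing):
            hits.append({"client": rec["client"], "ts": rec["ts"],
                         "seo_page": rec["url"], "landing_host": landing})
    return hits


if __name__ == "__main__":
    for hit in find_seo_redirects(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['seo_page']} -> {hit['landing_host']}")
```

On the sample log only the second line is flagged: the client came from a Google results page, hit a compromised-looking recipe page and was sent straight on to the `.info` host. The same-site redirect on the wiki request and the plain 200 responses are ignored, which is what keeps the rule's false-positive rate usable; the wordlist and TLD list are the knobs to tune for a real environment.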



About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.