Scareware scammers exploit 9/11

Just when you think the hackers couldn’t get any lower, they plumb new depths.

Cybercriminals hell-bent on infecting users with scareware by displaying fake anti-virus scans are hacking legitimate webpages and stuffing them with keywords related to the 9/11 terrorist attack on the United States.

Using search engine optimisation (SEO) techniques, the hackers hope to push their poisoned webpages higher up in Google’s search results.

Sophos has discovered a number of such hacked pages in the last 24 hours.

In the example below, the hackers are using the name of Tania Head, a woman who claimed to have been in the Twin Towers when they were hit, but was later found to have fabricated her story.

Hacked webpages posing as information on 9/11 attempt to strike visitors with scareware

Sometimes the hackers create brand new webpages (using newly registered domains), filling them with content that they hope will make them more popular in search engine results.

However, the sheer fact that they are newly registered domains can mean they are treated with greater suspicion by the search companies than domains that have been around for some time. This clearly works against the interests of the hackers.

What we are seeing is that hackers are breaking into existing websites and creating webpages stuffed with relevant keywords, in the hope that these pages will end up higher in search results and also benefit from the fact that the domain has existed for some time.

Of course, however you stumble across the poisoned webpage, the end result remains the same: a fake virus scan designed to fool you into thinking you have a security problem on your computer, in the hope that you’ll be tricked into downloading the hacker’s malicious code.

Scareware scan

Sophos security solutions proactively detect the malicious JavaScript on the scareware webpage as Mal/FakeAvJs-A, and the Windows executable it tries to download as Troj/FakeAv-AAQ.