More fake anti-virus SEO poisoning

Over the past few days, we have seen a sharp rise in the volume of Troj/JSRedir-Z reports. So what does this detection correspond to? It is our detection for the redirect script used within SEO-poisoned pages to send visitors on to fake anti-virus sites.

Using kits to create these keyword-stuffed pages on legitimate sites lets the fraudsters get their pages high up in the search engine results, where they are likely to attract user traffic. Frequently, SEO pages use topical news stories or celebrity gossip as the bait. In the current attack the fraudsters appear to be having some success with an “educational” theme.

Both teachers and parents will know that one of the great things about the web is the easy access to numerous resources for children: for example, pictures to print out and colour in, or educational resources such as maps or charts. And how do you find such resources? You guessed it, a search engine.

Are you a teacher looking for a wall planner?

Or a pupil doing your biology homework?

The above screenshots show Google search results, with the malicious redirect pages highlighted. SEO poisoning is not specific to Google, of course; malicious redirects are just as visible in the results from other engines. For example, looking for ‘Eric the Red’ pictures via Yahoo:

Looking through the recent Troj/JSRedir-Z reports, we can see some of the search terms that are leading people to these malicious fake AV redirect pages (listed here as they appear in the search engine's query string, with spaces encoded as ‘+’):

7th+math+properties+printable+worksheet
action+verb+printable+worksheets
award+certificate+printable
blank+map+of+west+africa
bulletin+board+borders+printable
calvin+and+hobbes+printable+comics
coin+printable+worksheet
college+math+printable+worksheets
constellations+printables+for+kids
eric+the+red+printable+pictures
free+daycare+forms+and+printables
free+math+printable+columbus+day
free+online+printable+birthday+party+invitations
free+printable+spanish+worksheets
free+printables+rhyming+worksheets
free+printable+word+wall+words
free+printable+world+map+outline
free+weekly+planner+page+printables
kids+free+printables
months+in+a+year+printable+worksheets
printable+anatomy+pictures
printable+blank+comic+strips
printable+blank+timeline+template
printable+worksheets+on+the+digestive+system
printable+worksheet+tornado+alley
school+theme+border+printable+paper
snip…
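Search terms like those above are carried in the Referer header that the browser sends when a visitor clicks through from a results page, so they can be recovered from the web-server or proxy logs of the landing site. As an added example (not code from the original post, and not a description of how these reports were collected), the script below parses Combined Log Format lines, picks out referers from Google, Bing and Yahoo results pages, and counts the decoded queries that led to a given path. The log lines are constructed, the landing path /printables.php is a stand-in for a page carrying the redirect script, and the mapping of engines to query parameters (q for Google and Bing, p for Yahoo) is an assumption about those engines' URL conventions.

```python
"""Recover the search queries that brought visitors to a page, from the
Referer field of web-server logs in Combined Log Format."""
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Combined Log Format; the referer is the first quoted field after the size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query-string parameter that carries the search terms on each engine's
# results page (assumption: Google and Bing use q, Yahoo uses p).
ENGINE_PARAM = {"google": "q", "bing": "q", "yahoo": "p"}


def search_terms_from_referer(referer):
    """Return (engine, normalised query) if referer is a search results page, else None.

    parse_qs undoes the '+'-for-space and %xx encoding seen in the term list.
    """
    parts = urlparse(referer)
    labels = parts.netloc.lower().split(":")[0].split(".")
    for engine, param in ENGINE_PARAM.items():
        if engine in labels:
            values = parse_qs(parts.query).get(param)
            if values and values[0].strip():
                query = " ".join(values[0].lower().split())
                return engine, query
    return None


def queries_by_path(log_lines, path_filter=None):
    """Count (engine, query) pairs for requests whose path passes path_filter."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line
        req = m.group("req").split()
        path = req[1] if len(req) >= 2 else ""
        if path_filter and not path_filter(path):
            continue
        hit = search_terms_from_referer(m.group("referer"))
        if hit:
            counts[hit] += 1
    return counts


# Constructed sample log lines (not from the original post). The landing page
# /printables.php stands in for a compromised page carrying the redirect script.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Oct/2009:09:12:01 +0100] "GET /printables.php HTTP/1.1" 200 4312 '
    '"http://www.google.co.uk/search?hl=en&q=free+printable+world+map+outline" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Oct/2009:09:13:44 +0100] "GET /printables.php HTTP/1.1" 200 4312 '
    '"http://www.google.com/search?q=free+printable+world+map+outline&start=10" "Mozilla/5.0"',
    '198.51.100.2 - - [07/Oct/2009:09:15:10 +0100] "GET /printables.php HTTP/1.1" 200 4312 '
    '"http://search.yahoo.com/search?p=eric+the+red+printable+pictures&ei=UTF-8" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Oct/2009:09:16:30 +0100] "GET /printables.php HTTP/1.1" 200 4312 '
    '"-" "Mozilla/5.0"',
    '192.0.2.14 - - [07/Oct/2009:09:17:02 +0100] "GET /index.html HTTP/1.1" 200 812 '
    '"http://www.bing.com/search?q=contact+us" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = queries_by_path(SAMPLE_LOG, lambda p: p.startswith("/printables"))
    for (engine, query), n in hits.most_common():
        print(f"{n:3d}  {engine:<7} {query}")
```

Run against real logs, the interesting output is the set of queries that have nothing to do with the site's own content: a company brochure site receiving traffic for “free printable world map outline” is a strong sign that a keyword-stuffed page has been planted on it.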

As noted above, the redirect pages are all being hosted on legitimate sites. A PHP-driven kit is being used, and the last-modified dates on the PHP files indicate that the attack is currently active: the files date from September through to 08 October. (Last-modified timestamps are only indicative, since whoever planted the files can reset them, but here they agree with the timing of the reports.)
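A quick way for a site owner or hosting provider to triage a web root for pages like these, as an added example (not the post's own tooling and not the kit's code): the script below walks a directory for PHP files modified within a chosen window and reports those that combine a Referer or User-Agent check with a redirect and, typically, some obfuscation. The indicator list is a generic assumption about how redirect kits behave, not a description of the specific kit observed here; the sample PHP page and the temporary web root are constructed so the script runs offline.

```python
"""Hunt a web root for recently modified PHP files showing the traits of an
SEO-redirect kit page: referer/user-agent cloaking plus a redirect, often
with obfuscation. Example code added here, not the kit or the post's tooling."""
import os
import re
import tempfile
import time
from datetime import datetime, timezone

# Generic indicators (assumption: these describe redirect kits in general, not
# the specific kit the post observed). No single one is conclusive; a file is
# reported only when several co-occur.
INDICATORS = [
    (re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_REFERER", re.I), "reads Referer"),
    (re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT", re.I), "reads User-Agent"),
    (re.compile(r"\b(google|yahoo|bing|msn)\b", re.I), "names a search engine"),
    (re.compile(r"header\s*\(\s*['\"]Location:", re.I), "PHP Location: redirect"),
    (re.compile(r"(window|document|top)\.location|location\.(href|replace)", re.I), "JavaScript redirect"),
    (re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|eval)\s*\(", re.I), "obfuscation"),
]
PHP_EXT = (".php", ".php5", ".phtml", ".inc")


def indicators_in(text):
    """Labels of every indicator that matches the file contents."""
    return [label for rx, label in INDICATORS if rx.search(text)]


def hunt(root, modified_since, min_hits=3):
    """Return [(path, mtime_iso, ctime_iso, hits)] for PHP files modified at or
    after modified_since (epoch seconds) that match at least min_hits indicators."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if st.st_mtime < modified_since:
                    continue
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = indicators_in(text)
            if len(hits) >= min_hits:
                # Report both timestamps: mtime can be reset by the intruder
                # (touch/utime), ctime cannot be set that way, so an mtime well
                # before the ctime is itself worth a look.
                findings.append((path,
                                 datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                                 datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
                                 hits))
    return findings


# Constructed sample of a cloaking redirect page (illustrative, not the real kit):
# visitors arriving from a search engine are bounced to a decoded host, everyone
# else (including the search crawler) sees the keyword-stuffed page.
SUSPECT_PHP = """<?php
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (preg_match('/(google|yahoo|bing)\\./i', $ref)) {
    header('Location: http://' . base64_decode('ZXhhbXBsZS5pbnZhbGlk') . '/scan/');
    exit;
}
?>
<html><body><h1>free printable world map outline</h1>
<p>printable worksheets printable worksheets printable worksheets</p></body></html>
"""
BENIGN_PHP = "<?php echo 'Last updated: ' . date('Y-m-d'); ?>\n"


def demo():
    """Build a throwaway web root with one old benign file and one fresh
    suspect file, then hunt for files modified in the last 30 days."""
    root = tempfile.mkdtemp(prefix="webroot-")
    now = time.time()
    benign = os.path.join(root, "index.php")
    with open(benign, "w") as fh:
        fh.write(BENIGN_PHP)
    os.utime(benign, (now - 400 * 86400, now - 400 * 86400))  # untouched for a year
    os.makedirs(os.path.join(root, "images"))
    suspect = os.path.join(root, "images", "printable-worksheets.php")
    with open(suspect, "w") as fh:
        fh.write(SUSPECT_PHP)
    os.utime(suspect, (now - 5 * 86400, now - 5 * 86400))  # modified this month
    return hunt(root, modified_since=now - 30 * 86400)


if __name__ == "__main__":
    for path, mtime, ctime, hits in demo():
        print(path, "mtime", mtime, "ctime", ctime, ", ".join(hits))
```

The mtime window is a filter for speed, not evidence: if timestamps look tampered with, widen the window or drop the check and rely on the content indicators alone, and compare any suspect file against a known-good copy from backup.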

Checking through the affected sites, the vast majority are hosted by a single ISP based in the UK. We will be contacting them shortly to alert them to the problem.