Insight into fake AV SEO

Readers of the Sophos blogs will probably have seen the post Graham made about the ‘killer whale video’ SEO attacks. We have described SEO attacks before (for example here). In this post I want to highlight how these attacks are working, and how Sophos protects you against them.

  1. Pages using server side kits to fool search engine bots into ranking them high in results are uploaded to legitimate web sites. If all goes to plan, when a user searches for a popular term, high up in the search engine results are links to these pages. In the example below, the malicious SEO page was the 2nd item in the search results (highlighted in blue).
  2. When the user arrives on such a page (highlighted in green in the example below), the referrer is typically checked to ensure they came from a search engine. If so, they are redirected (302 redirect) to another site (orange below).
  3. There are typically additional levels of redirection from this point. In the example shown below, the user is bounced from the .org to the .in site (purple).
  4. Finally, the user will be redirected to the fake AV distribution site (red). This is where the user receives the usual visual trickery, in order to fool them into installing the rogue application.
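The referrer-dependent redirect chain in steps 2 to 4 is something a defender can check for directly: fetch the same URL with and without a search-engine referrer and compare the hops. The following is an added example, not code from the original post or a Sophos product; the in-memory "server" is a constructed model of the chain described above (legitimate .org host, intermediate hop, .in fake AV site), and every hostname in it is a placeholder, not a real indicator.

```python
from urllib.parse import urlparse

SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Constructed model: url -> ((status, location) for a direct visit,
#                            (status, location) for a visit with a search referrer).
# The SEO page serves plain content unless the visitor came from a search engine.
MODEL_SERVER = {
    "http://legit-site.example.org/seo/killer-whale-video.html": (
        (200, None),
        (302, "http://redirector.example.org/go.php?q=whale")),
    "http://redirector.example.org/go.php?q=whale": (
        (302, "http://hop.example.in/r/"), (302, "http://hop.example.in/r/")),
    "http://hop.example.in/r/": (
        (302, "http://fakeav.example.in/scan/"), (302, "http://fakeav.example.in/scan/")),
    "http://fakeav.example.in/scan/": ((200, None), (200, None)),
}

def model_fetch(url, referrer=None):
    """Return (status, location) from the constructed model (stands in for a real HTTP fetch)."""
    direct, via_search = MODEL_SERVER[url]
    ref_host = urlparse(referrer).hostname if referrer else None
    return via_search if ref_host in SEARCH_ENGINE_HOSTS else direct

def follow_chain(url, referrer=None, fetch_fn=model_fetch, max_hops=10):
    """Follow 302s and return the ordered list of hosts visited.
    Browsers keep the original Referer across redirects, so it is not changed per hop."""
    hosts = [urlparse(url).hostname]
    for _ in range(max_hops):
        status, location = fetch_fn(url, referrer)
        if status != 302 or not location:
            break
        url = location
        hosts.append(urlparse(url).hostname)
    return hosts

def seo_cloaking_report(url, fetch_fn=model_fetch):
    """Flag a URL whose redirect chain differs when reached from a search engine."""
    direct = follow_chain(url, None, fetch_fn)
    via_search = follow_chain(url, "https://www.google.com/search?q=killer+whale+video", fetch_fn)
    tlds = sorted({h.rsplit(".", 1)[-1] for h in via_search[1:]})  # TLDs of the hops, e.g. .in
    return {"cloaked": direct != via_search, "chain": via_search,
            "hops": len(via_search) - 1, "hop_tlds": tlds}
```

In practice `fetch_fn` would be replaced by a real HTTP client that does not auto-follow redirects, and a chain that only appears with a search-engine referrer and ends on a freshly registered domain is a strong signal for this kind of SEO attack.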

So how do you protect against these attacks? Of course, detecting the fake AV itself is important, and as Graham indicated, Mal/FakeAV-BW does just that for this spate of attacks. But there are additional layers of protection as well, which are equally important.

The first is URL filtering – blocking access to the malicious sites used in these attacks. This is highly effective, though made ever more challenging by attackers continually using freshly registered domains (.in being a current favourite). On top of this, detection of some of the redirect pages themselves can be really valuable. Earlier this week I added Troj/JSRedir-AT for this very purpose. Additionally, detection for the scripts used in the fake AV distribution sites themselves provides another tier of protection (blocked as Mal/FakeAvJs-A). With this detection in place, when the user clicks on the SEO link in the search engine they simply see a block page and the attack is thwarted.

If I look through some of the URLs on which we have been detecting Troj/JSRedir-AT over the past 24 hours, I can extract the search terms that the user was using. The usual suspects are present: ‘killer whales’, ‘Winter Olympics’, technology, ‘Tiger Woods’ (sigh) and ‘American Idol’ (bigger sigh).

As ever, it is the combination of product technologies that provides the best protection against such threats.