Tsunami blackhat SEO begins

Unfortunately, as Graham Cluley regularly blogs, any breaking news topic tends be exploited by hackers who use Search Engine Optimization (SEO) to lure people to visit their malicious pages. Today’s news of a large earthquake in Chile seems to be no exception.

The second link in my search results for the most popular trending topics on Google seemed suspicious.

Google search results

I contacted SophosLabs and asked them to look into it. It appears to be a normal website with information and videos about different Asian tsunamis over the past few years. It is difficult to tell whether this particular page was SEO-optimized, or was an innocent victim of a malicious script.

Screenshot of infected site

SophosLabs got back to me that this page contains some obfuscated malicious JavaScript that we detect as MAL/ObfJS-R. This script was appended after the normal code on the page.

Obfuscated JavaScript

The code above ultimately redirects your browser to a domain known to SophosLabs as a malware repository. As of this moment, the code does not appear to be dropping malware, although that could change at any time.

When you search for breaking news, be aware that attackers often publish links faster than the legitimate media. Get in the habit of using Yahoo! News, Google News, or another trusted service. Only news published by trusted media sources are aggregated onto these services, unlike a regular search using your favorite search engine.