SEO blogger victim of malicious SEO attack

On Friday evening I was talking to a North American customer who had been fighting infections caused by SEO poisoning. They mentioned a particular search term that could generate new samples of FakeAVs. The funny thing was that the website hacked by the SEO poisoner was a blog of someone trying to promote legitimate business use of SEO technologies.

If you clicked on any of the links returned by the search, you would be redirected to an Indian site containing this image:

After allowing scripts on an unprotected/filtered machine I quickly saw the pop-up:

Eventually, you will be prompted to download an executable.
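As an added example (not code from the original post), this script reconstructs the chain described above from constructed proxy log lines: a click out of search results that answers with a redirect, followed within a minute by an executable download from a different host. The log format, host names and timestamps are assumptions; only the executable name comes from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (assumed format): client, unix timestamp, status, url, referer
LOG = """\
10.0.0.5 1268000001 200 http://www.google.com/search?q=seo+term -
10.0.0.5 1268000003 302 http://seo-blog.example/post.php?id=7 http://www.google.com/search?q=seo+term
10.0.0.5 1268000004 200 http://fakescan.example/scan.html http://seo-blog.example/post.php?id=7
10.0.0.5 1268000012 200 http://fakescan.example/packupdate_build9_195.exe http://fakescan.example/scan.html
10.0.0.9 1268000020 200 http://www.google.com/search?q=seo+term -
10.0.0.9 1268000022 200 http://seo-blog.example/post.php?id=7 http://www.google.com/search?q=seo+term
"""

SEARCH_HOSTS = ("www.google.com", "www.bing.com", "search.yahoo.com")
WINDOW = 60  # seconds allowed between the search click and the executable download

def parse(line):
    client, ts, status, url, ref = line.split()
    return {"client": client, "ts": int(ts), "status": int(status), "url": url, "ref": ref}

def host(url):
    return urlparse(url).hostname or ""

def find_seo_chains(log_text):
    """Return (client, landing_url, exe_url) for each search -> redirect -> .exe chain."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            by_client[rec["client"]].append(rec)
    hits = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            # step 1: a click out of search results that was answered with a redirect
            if host(r["ref"]) not in SEARCH_HOSTS or r["status"] not in (301, 302):
                continue
            # step 2: an executable fetched shortly after from a host other than the landing site
            for later in recs[i + 1:]:
                if later["ts"] - r["ts"] > WINDOW:
                    break
                if later["url"].lower().endswith(".exe") and host(later["url"]) != host(r["url"]):
                    hits.append((client, r["url"], later["url"]))
                    break
    return hits

if __name__ == "__main__":
    for hit in find_seo_chains(LOG):
        print("SEO-poisoning chain:", hit)
```

The second client in the sample clicked the same poisoned result but was not redirected, so it is not reported; only chains that reach an executable are flagged.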

Quick Scanning

>>> Virus ‘Troj/FakeAV-AYU’ found in file packupdate_build9_195.exe

The Indian websites are actually detected as malware:

Quick Scanning

>>> Virus ‘Mal/FakeAvJs-A’ found in file Security Threat Analysis.html

So customers searching behind a Sophos web security appliance, or browsing with the BHO enabled, would be blocked from accessing the Indian website.

For those customers who don’t have a Sophos web security appliance or don’t use IE there is hope. Sophos will soon be opening a beta for Endpoint Security and Control 9.5, which includes “Live Web protection for fixed and mobile endpoints, blocking access to malicious URLs”. To register for this Beta or find out more about the Beta Program follow this link.