Scareware SEO attack exploits engagement of Prince William and Kate Middleton

Yesterday, the news wires were hot with the announcement of the engagement of Prince William to Kate Middleton. As ever with hot news stories, one thing is inevitable. It is just a matter of time before the story is picked up and used in blackhat search engine optimisation (SEO) attacks.

Here’s a YouTube video demonstrating the attack:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Searching for ‘kate middleton + william’ revealed a huge number of results, including several images on the first page of the results.

Royal family engagement images

Unfortunately, some of these images are actually within malicious SEO pages, and clicking through to them results in an immediate redirect to a rogue web site, where the user is greeted with a warning message.

Warning message

From here on, it is the usual fake anti-virus trickery, starting with the fake system scan.

Fake anti-virus scan

The user is tricked into downloading and installing the fake anti-virus (which is using the filename inst.exe at the time of writing). Once installed, our old friend Security Tool runs a scan of the system.

Fake anti-virus

Happily Sophos customers are pro-actively protected from this spate of attacks – the fake anti-virus malware is already detected (as Mal/FakeAV-EE).

For those looking to understand a little more about how SEO attacks are constructed, take a read through the paper we recently posted.