One of the guys at the North American branch of SophosLabs recently stumbled across some Euros following an overseas trip, and wondered how much they were worth in dollars.
So he did what any of us would probably do. He Googled it.
215 euro to usd
Google very cleverly and kindly tells you what it believes the conversion rate to be, but you’re also given a number of search results:
It’s that final search result which is of interest to us. A quick search finds a number of other webpages which don’t just use keywords related to currency conversion, but also other terms – “dirty sexist jokes”, for instance.
What is occurring here is SEO poisoning: the bad guys create poisoned webpages targeting popular search terms, in the hope that you will land on one of them and have your computer infected.
The good news is that Sophos can offer a layered defence against this attack.
The initial webpage is blocked by Sophos as Mal/SEORed-A. It acts effectively as the doorway to the rest of the attack.
The site delivering the actual malicious payload is also blocked, and Sophos detects the exploit itself as Troj/ExpJS-BP.
Finally, the Java class files pushed by the exploit code are detected as Mal/JavaDldr-B.
Neat!
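The layered chain described above (search-engine click, doorway page, off-site redirect, Java class download) also leaves a recognisable pattern in ordinary web-proxy logs. The following is an added example, not Sophos code: it runs over a few constructed log lines and flags any client whose click from a results page was followed, within a short window, by a redirect off the doorway host and then a fetch of a `.class` or `.jar` file from a different host. The log format, the domains and the timing window are assumptions for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy lines: "client time status url referer". The domains are
# placeholders invented for this example, not indicators taken from the article.
SAMPLE_LOG = """\
10.0.0.5 2010-05-03T10:00:01 200 http://doorway.example/215-euro-to-usd.html http://www.google.com/search?q=215+euro+to+usd
10.0.0.5 2010-05-03T10:00:02 302 http://doorway.example/go.php?id=7 http://doorway.example/215-euro-to-usd.html
10.0.0.5 2010-05-03T10:00:03 200 http://payload.example/in.php http://doorway.example/go.php?id=7
10.0.0.5 2010-05-03T10:00:04 200 http://payload.example/load.class http://payload.example/in.php
10.0.0.9 2010-05-03T10:05:00 200 http://www.xe.com/ http://www.google.com/search?q=euro+to+usd
"""

SEARCH_ENGINES = ("google.", "bing.", "yahoo.")
JAVA_EXT = (".class", ".jar")
WINDOW = timedelta(seconds=30)  # assumed: a chain must complete within this window
def host(url):
    return urlparse(url).hostname or ""
def from_search(url):
    return any(s in host(url) for s in SEARCH_ENGINES)
def parse_log(text):
    """Parse space-separated lines into dicts sorted by time."""
    rows = []
    for line in text.splitlines():
        client, ts, status, url, ref = line.split()
        rows.append({"client": client, "time": datetime.fromisoformat(ts),
                     "status": int(status), "url": url, "ref": ref})
    return sorted(rows, key=lambda r: r["time"])
def find_chains(rows):
    """Return (client, doorway_host, payload_host) for each search -> doorway -> redirect -> Java chain."""
    by_client = {}
    for r in rows:
        by_client.setdefault(r["client"], []).append(r)
    hits = []
    for client, reqs in by_client.items():
        for i, r in enumerate(reqs):
            if not from_search(r["ref"]) or from_search(r["url"]):
                continue  # only follow clicks that came from a results page
            doorway, redirected = host(r["url"]), False
            for nxt in reqs[i + 1:]:
                if nxt["time"] - r["time"] > WINDOW:
                    break
                if host(nxt["url"]) == doorway and 300 <= nxt["status"] < 400:
                    redirected = True  # doorway bounced the visitor elsewhere
                elif (redirected and host(nxt["url"]) != doorway
                      and nxt["url"].lower().endswith(JAVA_EXT)):
                    hits.append((client, doorway, host(nxt["url"])))
                    break
    return hits
```

The second client, who went straight from the results page to a currency site with no redirect, is correctly left alone.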
We see online criminals poisoning search engine results using blackhat SEO techniques a lot.
Fraser and Onur in our labs have written an excellent technical paper (PDF) which discusses the problem, and lifts the lid on how the bad guys are using automated kits to do their dirty work for them.
It’s a great read. Check it out now.
My partner used a google search to find a pdf document of interest, but when he clicked on the link in Google was taken to an unrelated page which then loaded and ran one of those fake anti-virus viruses. We'd never seen that happen before!
He should have gone to www.xe.com; you can convert any currency to any other.
Or use the built in converter into Google (top result). Rarely do I click on the other links when searching for currency.
First, I object to the suggestion that this has anything to do with Google – or currency conversion, for that matter. The same could and would happen using any other search engine with virtually any other search term. Second, it's good to know about this, but could you be a little more specific on what to DO about it?
As much as I like your free anti-virus, most of these Sophos articles published on FB appear to be little more than teasers to draw traffic to your site. And thereby, in its method, not so terribly different from some of the scams you warn us against !!
Not suggesting Sophos in itself is a scam, again I much appreciate your anti-virus, as well as the fact that you are raising malware- and safety awareness, but it could do with a little less sensationalism, imho.
The solution? Run security software.
Sophos's web protection solutions, for instance, can protect you from the malware attack. I do list the different detections we offer for the separate malware components, so I thought it would be clear that our products protect against them, without me having to be all sleazy and include a link to our product page. 🙂
Regarding the search term – yes, you're right. It's just an example. It could just as easily be a user searching for marmalade recipes or pictures of Sandra Bullock's elbows. If you read the technical paper we go into more detail about that.
[There, I think I've cornered the elbow fetish niche on Google now. Great SEO work, Graham..]
But only for Sandra Bullock’s elbows. You don’t even mention George Clooney’s! And I won’t even think about David Tennants, or I will have to go and lie down…
Malware Bytes seem to shield me from these sorts of attacks. Although I still think I was hacked a few months ago because there was a $350 charge coming out of my bank account to a Chinese e-bay type site!
Mark