One of the guys at the North American branch of SophosLabs recently stumbled across some Euros following an overseas trip, and wondered how much they were worth in dollars.
So he did what any of us would probably do. He Googled it.
215 euro to usd
Google very cleverly and kindly tells you what it believes the conversion rate to be, but you’re also given a number of search results:
It’s that final search result which is of interest to us. A quick search finds a number of other webpages which don’t just use keywords related to currency conversion, but also other terms – “dirty sexist jokes”, for instance.
What is occurring here is SEO poisoning, where bad guys create poisoned webpages related to certain search terms in the hope that you will come across them and infect your computer.
The good news is that Sophos can offer a layered defence against this attack.
The initial webpage is blocked by Sophos as Mal/SEORed-A. It acts effectively as the doorway to the rest of the attack.
The site delivering the actual malicious payload is also blocked, and Sophos detects the exploit itself as Troj/ExpJS-BP.
Finally, the Java class files pushed by the exploit code are detected as Mal/JavaDldr-B.
We see online criminals poisoning search engine results using blackhat SEO techniques a lot.
Fraser and Onur in our labs have written an excellent technical paper (PDF) which discusses the problem, and lifts the lid on how the bad guys are using automated kits to do their dirty work for them.
It’s a great read. Check it out now.