Cyber-criminals are manipulating search engine results to distribute malware, in particular fake antivirus products. The reason is simple: the criminals need to attract users to malicious sites in order to infect them. What is new, however, is the way they are drawing users to these Web pages.
In the past, users were lured to compromised websites by mass spam mailings. Targeted users read the emails, clicked on the links they contained and were unwittingly directed to a malicious Web page. Now, however, because users are more wary of messages received from unknown senders, criminals are using more effective ways of ensnaring new victims. They are using a Google tool called Google Trends which, among other things, lists the most popular searches of the day (anything from Obama’s inaugural address to the Oscar nominations).
Once they know the top searches and hot topics of the day, they create a blog full of the most searched-for words (e.g. Obama, Penelope Cruz, etc.) and videos supposedly related to these topics. This way, they raise the blog’s ranking to place it among users’ first search results.
Fake antiviruses try to pass themselves off as real antivirus products to convince targeted users they have been infected by malicious code. Victims are then prompted to buy the rogue antivirus to remove these bogus infections. Cyber-crooks are currently profiting substantially from this type of fraud.
This type of attack benefits from advanced SEO (Search Engine Optimization) techniques. These are legitimate Web programming techniques aimed at increasing the volume and quality of traffic to a website and improving its ranking in search engine (primarily Google) results.
This is the case with the Web page selling the Malwaredoctor fake antivirus, designed specifically to achieve a high ranking in search engines.
In addition to standard SEO techniques, attackers are also using techniques known as “Black Hat SEO”, which could be described as illegal search engine positioning techniques used to bypass search engine policies, present alternative content or affect the user’s experience. Occasionally, it can be difficult to determine whether a given technique is legitimate, as this can depend on the search engine.
Attackers are always keen to make it harder for anti-malware vendors to identify malicious sites. To do this, they are starting to use a more advanced way of launching these attacks. Some of the malicious pages they operate behave differently and show different content depending on where the visiting user came from.
To hide the attack, a script is inserted that determines the visitor’s origin. If a user types the URL they want to visit directly into the browser’s address bar, the legitimate, correct content is displayed. However, if the user has arrived from a manipulated Google search, they are taken to the malicious Web page.
MSAntispyware 2009: A different example
PandaLabs recently detected a Web page that appeared to establish a new model. Generally, pages selling fake antiviruses either contain no specific tags or contain tags designed to improve their indexing in search engines; the page from which MSAntispyware 2009 was distributed represented a significant change. Here, all the tags and processes were designed to prevent the page from being indexed by search engines.
The reason for this was to make it more difficult for malware analysts and security companies to prevent infections through techniques such as blocking URLs found via search engine queries with specific parameters.
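The following is an added example, not code from the original report or from PandaLabs, showing how an analyst can check a page for the two evasion behaviours described above: referrer-dependent content (the script that shows legitimate content to direct visitors and malicious content to search-engine visitors) and anti-indexing directives (the MSAntispyware 2009 case). It assumes, since the article does not say, that the cloaking script keys on the HTTP Referer header and that "tags to prevent indexing" means the robots meta tag and the X-Robots-Tag response header. The fetch function is injectable, so the example runs offline against a constructed stand-in page; `urllib_fetch` shows what a real fetch would look like.

```python
"""Added example: checker for referrer cloaking and anti-indexing directives.

Assumptions (not in the original article): cloaking is keyed on the Referer
header; anti-indexing means <meta name="robots"> or the X-Robots-Tag header.
"""
import re
import urllib.request
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple

# A fetcher returns (status, headers, body) for a URL fetched with a given Referer.
Fetcher = Callable[[str, str], Tuple[int, Dict[str, str], str]]

# Constructed referrer imitating a Google search arrival (assumption, not from the article).
SEARCH_REFERER = "https://www.google.com/search?q=obama+inaugural+address"


@dataclass
class Report:
    url: str
    cloaked: bool                 # content differed between direct and search-referred visit
    direct_len: int
    referred_len: int
    noindex_directives: List[str] = field(default_factory=list)


class _RobotsMetaParser(HTMLParser):
    """Collects the content attribute of <meta name="robots"|"googlebot"> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.directives: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.append(a.get("content", "").strip().lower())


def _normalize(body: str) -> str:
    """Reduce a page to its visible text so markup noise does not trigger false cloaking reports."""
    body = re.sub(r"<script.*?</script>", "", body, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", body)
    return " ".join(text.split()).lower()


def _is_noindex(directive: str) -> bool:
    tokens = [t.strip() for t in directive.split(":", 1)[1].split(",")]
    return "noindex" in tokens or "none" in tokens  # "none" equals noindex,nofollow


def find_noindex(headers: Dict[str, str], body: str) -> List[str]:
    """Return the robots directives (header or meta) that prevent indexing."""
    found = [f"header:{v.strip().lower()}" for k, v in headers.items() if k.lower() == "x-robots-tag"]
    parser = _RobotsMetaParser()
    parser.feed(body)
    found += [f"meta:{d}" for d in parser.directives]
    return [d for d in found if _is_noindex(d)]


def check_page(url: str, fetch: Fetcher) -> Report:
    """Fetch the page as a direct visitor and as a search-engine arrival, then compare."""
    _, direct_hdrs, direct_body = fetch(url, "")
    _, ref_hdrs, ref_body = fetch(url, SEARCH_REFERER)
    cloaked = _normalize(direct_body) != _normalize(ref_body)
    directives = find_noindex(direct_hdrs, direct_body) + find_noindex(ref_hdrs, ref_body)
    return Report(url, cloaked, len(direct_body), len(ref_body), sorted(set(directives)))


def urllib_fetch(url: str, referer: str) -> Tuple[int, Dict[str, str], str]:
    """Real fetcher for use against a URL you are analysing (not exercised offline)."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=15) as resp:
        return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")


# --- constructed offline stand-in for a cloaking page (not a real site) ---
LEGIT_PAGE = ("<html><head><title>Film news</title></head><body><h1>Oscar nominations</h1>"
              "<p>Full list of nominees.</p></body></html>")
ROGUE_PAGE = ('<html><head><meta name="robots" content="noindex, nofollow"></head>'
              "<body><h1>Your PC may be infected</h1><p>Download the scanner.</p></body></html>")


def fake_fetch(url: str, referer: str) -> Tuple[int, Dict[str, str], str]:
    """Serves the rogue page only to visitors arriving from a search engine."""
    if "google." in referer:
        return 200, {"X-Robots-Tag": "noindex"}, ROGUE_PAGE
    return 200, {}, LEGIT_PAGE


if __name__ == "__main__":
    print(check_page("http://example.invalid/blog", fake_fetch))
```

Comparing normalized visible text rather than raw bytes avoids flagging pages that merely embed a timestamp or session token; a real deployment would also vary the User-Agent, since the same script may key on crawler identity as well as on the Referer.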