Fake AV has become a regular fixture of the threat landscape for quite some time now, and TrendLabs experts take a closer look at the different tactics employed on the so-called doorway pages to lead the victims to download the fake AV variants.
These pages are usually cross linked both with legitimate sites and other doorway pages, and they often contain miscellaneous content that has been copied from other websites. Both these facts make them pop-up among the top results for diverse search queries – usually trending or hot topics.
A typical doorway page URL looks like this:
Just look at the search results featured here and here an you’ll know what they mean.
They used to be hosted mostly on individual websites, but lately legitimate compromised websites have risen in numbers.
To increase the likelihood of users falling for the scam, the criminals use a handful of techniques that “morph” the pages according to where the visitors comes from (geo-targeting), which browser or OS they use (user-agent filtering) or via which search engine they come through (referer page-checking).
These are all things that today’s Internet users should be aware of but – most of all – they should be extremely careful when following search results links. That is the first step into this malicious spiral and until the companies behind the most popular search engines manage to find ways of eliminating this threat, we will have to keep abreast of the improved criminal tactics in order to block them.