Internet criminals are using Search Engine Optimization tactics to promote links to free hosted blog sites in an attempt to dupe unsuspecting visitors into infecting themselves with malware and fake anti-virus products, say experts from Marshal's TRACE threat team.
Criminals are using tools such as Google Trends to identify the most popular and current Internet search terms. The same criminals then use new blogs on free hosting sites, such as Windows Live Spaces and AOL Journals, featuring the same search terms. When an Internet user then makes a search using those popular terms they get multiple links to these hosted blog sites in their search results.
If the user then clicks on the link, thinking it is relevant to their desired search, they are taken to a blog site with an apparent embedded video player. If the user clicks on the video player, they are prompted to load a 'codec', which surreptitiously loads malware, including fake anti-virus software that promises to clean non existent viruses from the computer in return for their credit card details.
"A recent example of an exploited search term was 'OJ Simpson Verdict'," said Phil Hay, lead threat analyst for Marshal's TRACE Team. "The criminals identify this as a 'hot' search term and then ensure their Windows Live Spaces blog contains 'OJ Simpson Verdict'. This promotes the blog up the order in Google search results and increases the chances that users will hit those web pages."
"Using search engine optimization to promote web pages hosting malware shows increasing levels of sophistication and professionalism on the part of the criminals," said Hay. "The use of fake video players to disguise the installation of fake anti-virus programs is not new. This kind of activity has been going on for many months now, but previously the links have been promoted via spam. This new approach shows a diversification of tactics."
According to Marshal, the malicious executables downloaded by clicking on the fake video player are not reliably detected as malware by established antivirus programs, further adding to the seriousness of the criminal's activity.
"Fake anti-virus programs are especially prevalent right now," said Hay. "Once installed, the program pops up and tells you it has found viruses on your computer and offers to clean these if you are willing to pay via credit card. The viruses the program reports are fake, the program itself is fake and the so called legitimate company you deal with is fake. The whole thing is a con designed to part you from your money. It is fairly sophisticated and convincing."
"Now the criminals are trying new methods of promoting their malicious web pages that aren't dependant on spam. Our advice is to not blindly trust results from Google searches, and be wary of these kinds of links to hosted blog sites. Also, if you are unfortunate enough to be infected by one of these fake anti-virus products, do not provide any credit card information or payment of any kind. Use a legitimate and reputable anti-virus solution from a name brand vendor," said Hay.
Marshal's TRACE Team blog - http://marshal.com/trace/traceitem.asp?article=783
About the Marshal TRACE Team
TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats through the TRACE website at http://www.marshal.com/trace. TRACE services are provided as part of standard product maintenance that includes updates to Marshal's unique, proprietary anti-spam technology, SpamCensor. TRACE analyzes spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. It also provides "Zero Day" security protection against new email and virus exploits the day they emerge.
About Marshal
Marshal is a global leader in content security across multiple protocols, enabling organizations to secure their IT environment, protect against threats and comply with corporate governance needs. Marshal provides customers with a complete portfolio of policy-driven email and Internet solutions that integrate content filtering, compliance, secure messaging and archiving. |
