
Cyber crooks sell fake anti-virus products

By Staff Writer, ITWeb
Johannesburg, 20 Mar 2009

Global IT security vendor Panda Security says cyber criminals are manipulating search engine results to distribute malware, in particular, fake anti-virus products.

“Criminals need to attract users to malicious sites in order to infect them and they use very inventive ways to draw users to these Web pages,” says Jeremy Matthews, head of Panda's sub-Saharan operations.

In the past, notes the company, users were lured to compromised Web sites through mass spam campaigns, clicking on links that took them to malicious Web pages. Now attackers are using Google Trends - http://www.google.com/trends - which, among other things, lists the most popular searches of the day.

Panda explains that once attackers know the top searches and hot topics of the day, they create a blog full of the most searched-for words and videos supposedly related to these topics, as a way of increasing the blog's ranking as a top search result.

“Users who trust these results will end up on a Web page where they will be asked to download a codec or plug-in, etc. in order to watch the video. If they do so, they will be downloading malware - in most cases a fake anti-virus,” says Matthews.

Fake anti-viruses, notes Matthews, try to pass themselves off as real anti-virus products to convince targeted users they have been infected by malicious code. He says that victims are then prompted to buy the rogue anti-virus to remove these bogus infections.

This type of attack is benefiting from advanced SEO (Search Engine Optimisation) techniques, which Panda says are legitimate Web programming techniques aimed at increasing the volume and quality of traffic to a Web site and improving its ranking in search engine results lists.

In addition to standard SEO techniques, adds Matthews, attackers are also using techniques known as "Black Hat SEO", which could be described as illegal search engine positioning techniques used to bypass search engine policies, present alternative content or affect the user's experience.

Panda also says that attackers always try to make it harder for anti-malware vendors to identify malicious sites, and hence use more advanced ways of launching these attacks: some of their malicious pages behave differently and show different content depending on the origin of the user who visits them.

In order to hide the attack, a script is inserted that determines the origin of the visitor, says Matthews. If a user types the URL they want to visit in the browser bar, he continues, the legitimate, correct content is displayed, but if the user has come from a manipulated Google search, they will be taken to the malicious Web page.
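A defender's check for the referrer-dependent behaviour described above, as an added example that is not part of the original article: it requests the same URL once directly and once with a search-engine Referer header, then flags pages whose content or final host differs. It assumes the decision is made on the HTTP Referer header; the function names, the similarity threshold and the sample URLs are constructed for illustration.

```python
import difflib
import urllib.request
from urllib.parse import urlsplit

# Constructed sample value: any search-results URL can serve as the test Referer.
SEARCH_REFERER = "https://www.google.com/search?q=constructed+query"

def http_fetch(url, referer=None):
    """Fetch url, optionally claiming to arrive from referer. Returns (final_url, body)."""
    headers = {"Referer": referer} if referer else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")

def check_referrer_cloaking(url, fetch=http_fetch, threshold=0.8):
    """Compare a direct visit with one that appears to come from a search result."""
    direct_url, direct_body = fetch(url, None)
    search_url, search_body = fetch(url, SEARCH_REFERER)
    similarity = difflib.SequenceMatcher(None, direct_body, search_body).ratio()
    off_host = urlsplit(direct_url).hostname != urlsplit(search_url).hostname
    return {
        "similarity": round(similarity, 2),
        "redirected_off_host": off_host,
        "suspicious": off_host or similarity < threshold,
    }

# Constructed in-memory responses (keyed by URL and "has Referer") so the check runs offline.
SAMPLE = {
    ("http://blog.example/video", False): ("http://blog.example/video", "<html>Ordinary blog post</html>"),
    ("http://blog.example/video", True): ("http://codec.example/install", "<html>Download a codec to watch</html>"),
}

def sample_fetch(url, referer=None):
    default = (url, "<html>Same page for every visitor</html>")
    return SAMPLE.get((url, referer is not None), default)

if __name__ == "__main__":
    for site in ("http://blog.example/video", "http://news.example/story"):
        print(site, check_referrer_cloaking(site, fetch=sample_fetch))
```

A page that inspects the referrer in client-side script will not be caught by a header-only fetch; that case needs a real browser rendering both visits.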
