Black hat SEO locks on 2010

By James Lawson, ITWeb journalist
Johannesburg, 24 Jun 2010

Malware authors are using black hat search engine optimisation (SEO) techniques to spread rogue anti-virus programs, specifically focused on the top Web search results related to the 2010 World Cup.

So says Jeremy Matthews, head of Panda Security's sub-Saharan operations. He adds that users looking for information regarding the World Cup should only access reliable Web sites and be careful when clicking on links returned by search engines.

Kevin Hogan, senior director of development at Symantec, explains that black hat SEO usually relies on the ability to compromise Web servers hosted by providers GoDaddy, Rackspace or Network Solutions.

He highlights that malware authors infect unsecured Web servers with PHP-based malware that generates poisoned links by associating the domains of known compromised Web hosts with popular search terms.

“The group is able to push their search results up higher in the Google results page by leveraging the fact that Google ranks search results of domains that are more interconnected on a higher scale.”

Hogan says black hat SEO techniques are mostly targeted at Google, with very little attention being turned to Bing or Yahoo search results, although he warns the other search engines aren't immune.

“The good news is, we've seen Google respond more quickly to remove poisoned results when they discover them, which has led to fewer poisoned results over time.”

Not just 2010

Hogan states that the only reason the World Cup is associated with black hat SEO right now is that more people search for World Cup-related topics.

Nicolas Brulez, senior malware researcher in the global research and analysis team at Kaspersky Lab, agrees, adding that malware authors aren't specifically attacking the World Cup, but rather focus on search engine trends.

“The whole process is automatic,” says Brulez. “Malware authors use applications like Google Trends to automatically view popular search topics.” He says these cyber criminals don't really target specific events, but rather want their compromised Web sites to appear in each day's most common searches.

Understanding the threat

“Black hat SEO tactics are not a new phenomenon, and security researchers have been tracking it as a major vector for fake anti-virus infections,” says Hogan.

“Black hat SEO tactics have been known to push fake anti-virus programs, but there hasn't been a trend that sees them push any other kind of malware,” says Brulez. “While it probably happens, the real threats are related to black hat SEO as a means to distribute fake anti-virus programs.”

Brulez warns that drive-by downloads can be used to install fake anti-virus software, but usually the machine is first compromised using the drive-by download to install malware. “This malware may then install a fake anti-virus program.”

He warns this can be a two-way process: “The fake anti-virus software can also be used to install other types of malware on the compromised machine.”

Frequency debate

Brulez warns that because the attacks are largely automatic in nature, the campaigns change every day. “As soon as the keywords change, the black hat SEO campaign changes too.” He admits this type of attack has been less effective recently, but warns it is still present.

“We have not seen a decrease in fake anti-virus infections in the wild, which indicates the groups responsible for this activity have identified other means to achieve the same results,” adds Hogan.

“The research indicates that the criminals have gone further underground and are more reliant on the outright exploitation of browser vulnerabilities from domains they have compromised to surreptitiously install fake anti-virus,” Hogan concludes.