March Madness-related SEO Poisoning Leads To Rogue AV

Date: 03.16.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ has received reports that searching for March Madness-related terms in Google's search engine returns results that lead to rogue antivirus software. March Madness is the term given to an elimination tournament held each spring featuring college basketball teams in the United States.

With only a few days left before the tournament starts, searches for popular March Madness-related terms in Google return malicious URLs, some ranked as high as the first result. Search terms currently within the Top 10 of Google's Hot Trends (the most popular search results) return these malicious URLs.

If a user clicks through these links (such as hxxp://[removed].de/news/nit_bracket_2009.html), they are redirected, via JavaScript code, to a Web site advising the user that their machine is infected. The rogue AV Web site encourages the user to install a file called install.exe.

The technique of search engine optimization (SEO) poisoning pushes the infected URLs to the top of the search results, to increase the likelihood of a user clicking through to the malicious link.

Ask.com is also confirmed to be affected in this way. Other search engines may be affected in a similar manner.
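
One way to look for the chain described above in web proxy logs, as an added example that is not part of the original alert: a click-through from a search engine, a hop to a different host, then an executable download from that host. The log format, the 60-second window, and the `.example` hosts are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Search engines named in the alert; the host suffixes are an assumption.
SEARCH_HOSTS = ("google.com", "ask.com")
WINDOW = 60  # seconds allowed between chain steps (assumed threshold)

# Constructed proxy log: epoch, client, url, referer. Hosts are placeholders.
SAMPLE_LOG = """\
1000 10.0.0.5 http://landing.example/news/nit_bracket_2009.html http://www.google.com/search?q=nit+bracket+2009
1002 10.0.0.5 http://scanner.example/scan/index.html http://landing.example/news/nit_bracket_2009.html
1030 10.0.0.5 http://scanner.example/download/install.exe http://scanner.example/scan/index.html
1100 10.0.0.7 http://sports.example/bracket.html http://www.ask.com/web?q=march+madness+bracket
1105 10.0.0.7 http://sports.example/teams.html http://sports.example/bracket.html
2000 10.0.0.9 http://vendor.example/tools/setup.exe -
"""

def host(url):
    return (urlsplit(url).hostname or "").lower()

def from_search(referer):
    h = host(referer)
    return any(h == s or h.endswith("." + s) for s in SEARCH_HOSTS)

def find_chains(log_text):
    """Return (client, landing_url, exe_url) for each search -> cross-host hop -> .exe chain."""
    landed = {}   # (client, landing URL) -> time of search click-through
    hopped = {}   # (client, second host) -> (landing URL, time of hop)
    hits = []
    for line in log_text.splitlines():
        ts, client, url, referer = line.split()
        ts = int(ts)
        if from_search(referer):
            landed[(client, url)] = ts
        elif (client, referer) in landed and host(url) != host(referer):
            # Navigation away from the search landing page to a different host.
            if ts - landed[(client, referer)] <= WINDOW:
                hopped[(client, host(url))] = (referer, ts)
        if urlsplit(url).path.lower().endswith(".exe"):
            hop = hopped.get((client, host(url)))
            if hop and ts - hop[1] <= WINDOW:
                hits.append((client, hop[0], url))
    return hits

if __name__ == "__main__":
    for client, landing, exe in find_chains(SAMPLE_LOG):
        print(f"{client}: search result {landing} led to download {exe}")
```

Only the first client is reported: the second stays on the site it reached from Ask.com, and the third downloads an executable with no search click-through behind it.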

Screenshot showing affected Google results:

Screenshot of Web site hosting rogue AV:


Websense® Messaging and Websense Web Security customers are protected against this attack.