Blackhat SEO turns to PDF with Chile and Hawaii disasters

Date: 02.28.2010

Threat Type: Malicious Web Site / Malicious Code

Over 13% of all searches on Google for popular and trending topics will lead to malicious links, and searches for the latest news on the earthquake in Chile and the tsunami hitting Hawaii are no exception. Both are now used to lure people into downloading fake antivirus products.

Usually the links in the search results look like ordinary links pointing to regular web pages. This time the bad guys have changed tactics to make their search results look even more convincing, by tricking Google into thinking the page is a PDF file.



As you can see above, Google tells you the file format is PDF and not HTML. That's not true: it is in fact a regular HTML page that, when visited, will redirect the user to a page that looks like this - just another rogue AV fake scanning page. This one, just like the majority of rogue AV sites we have seen this week, is in the .IN TLD, which is the top-level domain for India.

Making the search result look like a PDF gives the link more authenticity. Perhaps it's a research paper, or at least a better-written article. The likelihood that a user will click on this type of link is probably higher than if it were just another random web link.
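A defender-side check for the mismatch described above, as an added example that is not part of the original alert: it flags a fetched resource that is presented as a PDF but whose body is HTML, and notes when that HTML carries a client-side redirect. The alert does not say how the page was made to look like a PDF, so the example assumes the claim appears as a `.pdf` URL path or an `application/pdf` Content-Type; all function names, URLs and sample bodies are constructed.

```python
import re
from urllib.parse import urlsplit

# Client-side redirect markers: meta refresh and script-driven location changes.
REDIRECTS = [
    re.compile(rb"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
    re.compile(rb"\blocation(?:\.href)?\s*=[^=]", re.I),
    re.compile(rb"\blocation\.(?:replace|assign)\s*\(", re.I),
]
HTML_TAG = re.compile(rb"<\s*(?:!doctype\s+html|html|head|body|script|meta)\b", re.I)


def claims_pdf(url, content_type):
    """True if the URL path or Content-Type presents the resource as a PDF."""
    path = urlsplit(url).path.lower()
    ctype = (content_type or "").split(";")[0].strip().lower()
    return path.endswith(".pdf") or ctype == "application/pdf"


def classify(url, content_type, body):
    """Compare what the resource claims to be with what its bytes are."""
    if not claims_pdf(url, content_type):
        return "not-claimed-pdf"
    if body.lstrip().startswith(b"%PDF-"):  # real PDFs begin with this header
        return "pdf"
    if HTML_TAG.search(body[:4096]):
        if any(p.search(body) for p in REDIRECTS):
            return "html-redirect-disguised-as-pdf"
        return "html-disguised-as-pdf"
    return "unknown-disguised-as-pdf"


# Constructed samples (hosts use reserved test names, bodies are made up).
SAMPLES = [
    ("http://news.example.test/chile-earthquake.pdf", "text/html",
     b'<html><head><meta http-equiv="refresh" '
     b'content="0;url=http://scan.example.invalid/"></head></html>'),
    ("http://news.example.test/tsunami-map.pdf", "text/html",
     b"<html><body><h1>Tsunami map</h1></body></html>"),
    ("http://docs.example.test/report.pdf", "application/pdf",
     b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
    ("http://news.example.test/index.html", "text/html",
     b"<html><body>ordinary page</body></html>"),
]

if __name__ == "__main__":
    for url, ctype, body in SAMPLES:
        print(classify(url, ctype, body), url)
```

The same comparison can be run over proxy or crawler captures, where the URL, response header and first bytes of the body are already recorded.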

This is the first time we've seen the attackers use this approach, but considering how aggressive the rogue AV gangs are, it's not a surprise that they continue to refine their techniques to get people to "buy" their products.

The Rogue AV file itself is currently detected by 26.20% of the antivirus engines used by VirusTotal.

Websense® Messaging and Websense Web Security customers are protected against this attack.