Criminals are using tools such as Google Trends to identify the most popular and current Internet search terms. The same criminals then use new blogs on free hosting sites, such as Windows Live Spaces and AOL Journals, featuring the same search terms. When an Internet user then makes a search using those popular terms they get multiple links to these hosted blog sites in their search results. If the user then clicks on the link, thinking it is relevant to their desired search, they are taken to a blog site with an apparent embedded video player. If the user clicks on the video player, they are prompted to load a 'codec', which surreptitiously loads malware, including fake anti-virus software that promises to clean non existent viruses from the computer in return for their credit card details.
"A recent example of an exploited search term was 'OJ Simpson Verdict'," said Phil Hay, lead threat analyst for Marshal's TRACE Team. "The criminals identify this as a 'hot' search term and then ensure their Windows Live Spaces blog contains 'OJ Simpson Verdict'. This promotes the blog up the order in Google search results and increases the chances that users will hit those web pages."
"Using search engine optimization to promote web pages hosting malware shows increasing levels of sophistication and professionalism on the part of the criminals," said Hay. "The use of fake video players to disguise the installation of fake anti-virus programs is not new. This kind of activity has been going on for many months now, but previously the links have been promoted via spam. This new approach shows a diversification of tactics."
According to Marshal, the malicious executables downloaded by clicking on the fake video player are not reliably detected as malware by established antivirus programs, further adding to the seriousness of the criminal's activity.
"Fake anti-virus programs are especially prevalent right now," said Hay. "Once installed, the program pops up and tells you it has found viruses on your computer and offers to clean these if you are willing to pay via credit card. The viruses the program reports are fake, the program itself is fake and the so called legitimate company you deal with is fake. The whole thing is a con designed to part you from your money. It is fairly sophisticated and convincing."
"Now the criminals are trying new methods of promoting their malicious web pages that aren't dependant on spam. Our advice is to not blindly trust results from Google searches, and be wary of these kinds of links to hosted blog sites. Also, if you are unfortunate enough to be infected by one of these fake anti-virus products, do not provide any credit card information or payment of any kind. Use a legitimate and reputable anti-virus solution from a name brand vendor," said Hay.
Fayette Front Page
Georgia Front Page