I want to share with you some of the findings that Asier Martinez and I made yesterday while investigating the BHSEO attack on the Icelandic Volcano and all the flight mess in Europe. As I explained yesterday, when you click one of the malicious links from the search result, you’ll get to the rogueware site. But what is your browser really doing? Well, this is the script that your browser executes:
As you can see, first it checks whether you are running a Mac. If that’s the case, you will be redirected to a movie site; of course there’s a referral in the link, so they can get some extra cash. Otherwise it will check whether you are running Firefox, Chrome or another browser. This can be used to serve a different exploit depending on the victim’s system, even though in this case all the redirections will take you to the fake av site shown in yesterday’s blog post. So if you are running Windows or Linux you will get the fake av, but on a Mac you could buy some movies…
Why are these pages in the top results? Well, search engines use different methods to decide which are the top positions, and criminals try to abuse these systems. The next question that will come to your minds is: ok, so Google, Yahoo & Microsoft are so stupid that they cannot realize that a web page is serving a fake av? Well, they can, and as soon as they realize they’ll try to block or mark that page as malicious. Anyway, they don’t see the problem at first, and there is a good reason for that: criminals know, for example, when Googlebot is accessing their page. In that case, they will show a web site that does not serve rogueware or any other malware.
In fact, if you type the malicious URL in your browser, you don’t get to the fake av site. This is not big news; criminals usually do that, as they know that users will use Google and click on any of the given results. And what kind of websites are the search engines indexing? Well, you can take a look at the following screenshots I took yesterday:
How are these web sites being created? They are created automatically using information obtained from the very same search engines.
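The cloaking described above (a clean page for the search engine's crawler and for a typed URL, a redirect for visitors who arrive from search results, and a different destination for Mac users) can be detected by comparing what the same URL returns to each kind of client. This is an added example, not code from the original post; the profile names, hosts and page bodies are constructed, and it assumes the responses were already collected under each profile.

```python
import hashlib
from urllib.parse import urlparse

# Constructed observations for one search result, fetched under four client
# profiles. Hosts and bodies are placeholders, not values from the post.
SAMPLE = {
    "crawler": {"final_url": "http://news.example/volcano", "body": "<h1>Volcano flights</h1>"},
    "direct": {"final_url": "http://news.example/volcano", "body": "<h1>Volcano  flights</h1>\n"},
    "search_windows": {"final_url": "http://scan.example/av", "body": "<p>Scanning...</p>"},
    "search_mac": {"final_url": "http://movies.example/?ref=1", "body": "<p>Movies</p>"},
}

def _host(obs):
    return (urlparse(obs["final_url"]).hostname or "").lower()

def _fingerprint(body):
    # Collapse whitespace so trivial formatting changes do not count as a diff.
    # Pages with rotating ads or timestamps need a looser comparison than this.
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()

def detect_cloaking(observations, baseline="crawler"):
    """Return (profile, reason, detail) findings relative to the crawler view."""
    if baseline not in observations:
        raise ValueError(f"missing baseline profile: {baseline}")
    base = observations[baseline]
    findings = []
    for profile, obs in sorted(observations.items()):
        if profile == baseline:
            continue
        if _host(obs) != _host(base):
            findings.append((profile, "lands on a different host than the crawler", _host(obs)))
        elif _fingerprint(obs["body"]) != _fingerprint(base["body"]):
            findings.append((profile, "same host, different content", _host(obs)))
    # The post also describes branching on OS/browser: compare search visitors.
    search_hosts = sorted({_host(o) for p, o in observations.items() if p.startswith("search_")})
    if len(search_hosts) > 1:
        findings.append(("search_*", "destination depends on platform", ",".join(search_hosts)))
    return findings

if __name__ == "__main__":
    for finding in detect_cloaking(SAMPLE):
        print(finding)
```
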
