PandaLabs : Blackhat SEO

Black(hat) Friday

Sean-Paul Correll — Fri, 20 Nov 2009 21:01:00 GMT

If you plan on shopping online for "Black Friday", or "Cyber Monday", you might be in for more than you bargained for.　 Cyber criminals behind the Rogueware epidemic have their blackhat SEO campaigns optimized to take advantage of deal seekers looking for advertisements online.　 One misstep and you just might find yourself staring at a scareware site designed to trick you into believing that your computer is infected.

Google Search:

Fake Antivirus Page:

We are constantly monitoring this and other Blackhat SEO campaigns to protect our customers against the latest malware attacks on the Internet. If you are not a customer yet, we recommend at least installing our free Cloud Antivirus protection. We also recommend adding an extra layer of browsing protection with safer browsing technology, such as the community driven system provided by our partner, Web Of Trust.

Blackhat SEO Aggressively Targets Halloween Related Keywords

Sean-Paul Correll — Wed, 28 Oct 2009 00:00:00 GMT

Cyber criminals behind the Rogueware epidemic have been hard at work in poisoning search results to increase traffic to their campaign sites. Today, we identified a new Blackhat SEO campaign, which is currently targeting Halloween related keywords aggressively. While studying the campaign, I noticed that the most commonly targeted keywords were classic costume favorites, such as the Cat woman costume, vampire costume, and various adult costumes. In addition to costumes, the BHSEO campaign also targets Halloween related food recipes, haunted house directions, Halloween parties, and the movie Halloween.

Tainted search results:

Fake Antivirus site:

Tag cloud of targeted search terms:

As we have documented in prior blog posts, Blackhat SEO continues to be one of the most prevalent and pervasive attack vectors on the Internet today. As users, we tend to trust search engines to provide safe and accurate search results, but the reality is that today, search engines are becoming the most dangerous way to browse the Internet.

Blackhat SEO Campaign Targets 2009 Nobel Prize Winner

Sean-Paul Correll — Fri, 09 Oct 2009 12:20:00 GMT

We’ve identified a new Blackhat SEO campaign today which targets President Obama as the 2009 Nobel Peace Prize winner among a thousand or so other search terms. Clicking on a malicious search result yields the typical Rogueware campaign.

Search result:

Rogueware site:

The complete list of targeted search terms can be found here.

Blackhat SEO continues to ravage search results

Sean-Paul Correll — Tue, 22 Sep 2009 23:26:00 GMT

Every day cyber criminals are exploiting search engines to display high ranking malicious search results. Targeting hot topics allows for cyber criminals to improve infection rates for their money making Rogueware (pdf) schemes. Below is an example of the attack we observed today.

Most targeted search terms:

Dallas Cowboys
NFL
School
Emmy Awards
Autumn Equinox (Mabon)
Atlanta
News

..The full list of targeted keywords can be downloaded here: BlackhatSEO3.txt

Sample search result:

Redirection to fake security (Rogueware) site:

Rogueware: Adware/PCDefender

Tag cloud of targeted terms:

Blackhat SEO Attack Targets Obama's Speech

Sean-Paul Correll — Wed, 09 Sep 2009 23:52:00 GMT

Using search engines to browse the Internet these days is a dangerous endeavor. Cyber criminals are keen on gaming search engine algorithms and are able to quickly divert innocent news seekers to malicious websites. Today, WIRED reported that cyber criminals were targeting a highly anticipated Dan Brown novel, but the target and scope is much deeper than that. Literally every current relevant news topic is actively targeted each day, including highly publicized speeches given by President Obama this week.

Clicking the following link in a Google search result will point us to a malicious Rogueware campaign page:

Malware Info: Adware/SmartVirusEliminator

Investigating the attack shows us a bigger picture of the targeted keywords:

Most commonly targeted keywords:

Obama Speech
GM group enterprises
Apple
Beatles
America
White House
Jon Gosselin
Live Interview
School Season
The full list of targeted keywords can be downloaded here: BlackhatSEO2.txt

Over the past six months that PandaLabs has closely tracked the evolution of Blackhat SEO attacks, we’ve seen these targeted campaigns be executed by cybercriminals with increasing levels of speed and sophistication. Today, Blackhat SEO is truly a mainstream tactic used by cyber criminals. Targeting real-time news events is a serious problem not only for search engines, but for all parties involved in malware mitigation. In shifting to the "real-time web," the entire IT security community must also recognize the need for real-time Malware protection and this is precisely why the move to cloud-based antivirus technology is necessary.

Be Careful With Your Search Results

Sean-Paul Correll — Tue, 01 Sep 2009 17:29:00 GMT

Update: Learn about the latest BHSEO attack here.

Blackhat SEO (BHSEO) is currently one of the most prevalent distribution methods for Malware on the Internet. It’s also one of the most dangerous methods because of the user-implied trust in search results. A Forrester research study conducted in 2008 showed that 50 percent of Internet users trust content delivered by search engines. It’s no surprise that cyber criminals have been using malicious search results as a main monetization stream.

The Rogueware campaign we blogged about last week turned into a full blown BHSEO attack targeting relevant news topics such as, the California wildfires, Ted Kennedy’s death, DJ AM’s death, Mega Millions Lottery, Hurricane Danny, UFC 102, CNN and BBC breaking news among thousands of search terms and 123,000 links. Upon clicking one of many malicious links in the top ranking search results, the victim is put through several redirections and finally taken to a fake scan website designed to infect and extort money.

Fake scan site:

Installer:

File: setup.exe
Size: 72192
MD5: 2C0625D97A5BC7EC299D33CE8C9A299E

Adware/SmartVirusEliminator

Tag cloud of exploited keywords:

Most exploited keywords:

BBC News 2009
CNN News 2009
Ted Kennedy
Official Website
USA News
Hottest Info/News
CA/California Fire
Lottery
Hurricane
Halloween
The full list can be downloaded here: BlackhatSEO.txt

You can read more about Rogueware in our most recent report: The Business of Rogueware [pdf]

Are Cyber Criminals Targeting Local Events In Your City?

Sean-Paul Correll — Thu, 27 Aug 2009 21:36:00 GMT

Panda Security has a California based office in Los Angeles. We are located in close proximity to two ongoing wildfires in the Angeles Crest National Forrest that have now burned through at least 30 acres, so naturally we have been keeping an eye on it. To my surprise, I pulled up a Google search for “Angeles Crest Fire” and the result yielded a malicious link above most relevant sources.

Update: 9/01/08 - The Blackhat SEO attack has now grown significantly: http://bit.ly/7jqGc

Once clicked, the site loads and checks to make sure the user came from Google. If so, the following script begins the redirection to the Rogueware site:

The Rogueware site is designed to display a fake Antivirus scan designed scare victims into thinking that their computer is infected. If the Malware is downloaded and installed as the site suggests, the user will see a fake Antivirus program pop up on their computer. At that point it becomes very aggressive and difficult to remove.

File: Antivirus-x_x.exe
Size: 172032
MD5: 0E9BC3499560EEA9261F5883FAE2A10E
Malware Info: Adware/PersonalAntivirus.

Rogueware attacks are among the most prevalent attacks on the Internet today. You can see our latest report on them here: The Business of Rogueware (pdf)

5 Steps to Avoid Infection:

Always have up-to-date Anti-Malware software installed. If you don’t have one or if your current solution is not removing the Malware, you could download a free trial from us here: http://www.pandasecurity.com/usa/homeusers/downloads/evaluation/

Don’t rely on search engines to provide valid or safe search results. You can improve your chances of safe browsing by downloading our free Web of Trust browser plugin: http://www.pandasecurity.com/homeusers/downloads/wot/

Pay close attention to what links you are clicking on. If you don’t recognize the source you may want to research the domain in a separate search or avoid the link all together.

Rogueware attacks rely on Social Engineering (I.e. making you believe you are infected when you are not). Don’t believe it! Simply close the browser window if you see a scan appear all of the sudden. If you cannot close the window with your mouse you can try ALT+F4 to force close it.

Don’t be afraid to ask for help. Call your Antivirus Company or a tech savvy friend if you feel that you are in over your head.

Cyber Criminals Target Air France, YouTube, E3, Microsoft, Project Natal, and more…

Sean-Paul Correll — Wed, 03 Jun 2009 11:53:00 GMT

It seems like these days every other news breaking story is paralleled with a similar Blackhat SEO fueled Rogueware campaign. Today, Luis Corrons and I were talking about Microsoft’s recently announced Project Natal when his Google search for a video of the technology in action turned out to place a malicious link in the very top of the search results.

Connection: (Google to Rogue)

**UPDATE** 6/04/09 -

16,000 new malicious links have appeared in Google over the last 24 hours targeting the phrase "TV Online". The malicious site appears to be a video viewing website. It will prompt to you to downoad and install a codec.exe file, which of course is a malicious file.

Knowing that this link wouldn’t be the only one, we started researching the domains and keywords being targeted and here is what we found:

Keywords:
16,000 links targeting "TV Online"
16,000 links targeting “YouTube”
10,500 links targeting "France" (Airline Crash)
8,930 links targeting "Microsoft" (Project Natal)
3,380 links targeting "E3"
2,900 links targeting "Eminem" (MTV Awards/Bruno Incident)
2,850 links targeting “Sony”

The sites are all hosted via Lycos Tripod, which is a free web host. This allows the cyber criminals to create thousands of free sites to take advantage of the Blackhat SEO and then simply redirect the free sites to just a handful of their own servers.

Blackhat SEO is definitely one of the most prevalent threat distribution methods today. We expect to see several more examples of this type of attack throughout the year, so be especially careful when searching for news breaking stories.

All of the links associated in this attack have already been blocked for Panda users.

Rogueware Campaigns blending in with Twitter Trends

Sean-Paul Correll — Wed, 03 Jun 2009 08:23:00 GMT

Update: 6/4/09 - Rogueware campaign on Twitter continues...

"PhishTube Broadcast" became a trending topic on Twitter today. The word “tube” is a big red flag to any Threat Researcher these days, so naturally I had to investigate it.

I clicked on the section inside of the trending topics group and ironically the links in the tweets looked fishy.

I started to investigate further and found that while there was definitely legitimate tweet traffic for the band Phish, several zombie accounts were posting hundreds of strange and highly suspicious messages. Eventually the links led me through several redirections and finally to PornTube malware websites.

Connections/Redirects leaving Twitter:

Clicking on any element inside of the PornTube page resulted in a run of the mill Adware/PrivacyCenter infection, but the interesting part of it all is that cyber criminals are starting to target social networking sites more than ever. In this case they took advantage of the open dialog on Twitter and essentially blended in with the trending topics in order to effectively trick unsuspecting users into clicking malicious links. This technique is strikingly similar to the Blackhat SEO tricks criminals use on search engines to place their malicious links at the top of search results.