Background of the attack: On January 25, 1:25 PM, Munich time, Trend Micro analysts received reports of a blackhat SEO attack in which users who searched for the words "free printable" came across search results pointing to sites that redirect to compromised domains.
This attack is currently ongoing and our researchers are working toward a more complete understanding of the attack's components and its implications. Please check this page frequently for updates.
What is a blackhat SEO attack?
Blackhat SEO (search engine optimization) attacks are illegitimate means of obtaining a high rank in search engines. Cybercriminals use them to lure users into clicking links that appear relevant to their search but actually contain malicious or unwanted elements. By using popular search terms, cybercriminals increase the likelihood that users will come across their specially crafted Web pages. In 2009, we saw several blackhat SEO attacks that used search terms that had suddenly become popular, as in the case of news or seasonal events.
What happens in this attack?
Based on our subsequent analysis, these redirector sites lead to a rogue search engine page. The rogue search engine page itself is localized based on the user's IP address. The redirector sites, meanwhile, can be quickly modified by cybercriminals to point to other malicious portals. In our preliminary analysis, one search result led to a FAKEAV variant.
What is the end goal of this attack?
Site owners often pay referrers to bring more traffic to their sites. In this attack, cybercriminals make it appear as if their rogue search engine, rather than the search engine the user actually used, referred the visitor to a given site. Site owners therefore end up paying the cybercriminals for a referral that was never legitimate.
This attack was also seen earlier to lead to the download of FAKEAV variants, otherwise known as rogue antivirus software. FAKEAV malware is scareware that plants fake infection warnings on a computer to get the user to enter credit card information to pay for the "full version" of a fake product.
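The two mechanisms described above (a redirector hop between the real search engine and the rogue search page, and the rogue engine posing as the referrer) both leave traces in ordinary web-proxy or access logs. The following script is an added example, not Trend Micro's code and not part of the original advisory: it reconstructs per-client redirect chains from constructed log lines by following Referer links, flags chains that pass through a 3xx redirector, and lists referrals that look like search-results pages but come from a host that is not on an allowlist of real search engines. All hostnames, IP addresses and the log format are placeholders chosen for illustration, not the attack's real domains.

```python
"""Added example (not from the advisory): spot redirector chains and rogue
search-engine referrals in constructed proxy log lines.

Log format assumed here (hypothetical):
  timestamp client_ip method url status referer   ('-' = no Referer)
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log. 10.0.0.5 follows the attack path: real search engine
# -> redirector (302) -> rogue search page -> landing site. 10.0.0.9 goes
# straight from the real search engine to the landing site.
PROXY_LOG = """\
2010-01-25T13:25:01 10.0.0.5 GET http://search-engine.example/search?q=free+printable 200 -
2010-01-25T13:25:07 10.0.0.5 GET http://seo-redirector.example/coupons.html 302 http://search-engine.example/search?q=free+printable
2010-01-25T13:25:08 10.0.0.5 GET http://rogue-search.example/?q=free+printable 200 http://seo-redirector.example/coupons.html
2010-01-25T13:25:20 10.0.0.5 GET http://merchant.example/landing?aff=123 200 http://rogue-search.example/?q=free+printable
2010-01-25T13:30:00 10.0.0.9 GET http://search-engine.example/search?q=free+printable 200 -
2010-01-25T13:30:03 10.0.0.9 GET http://merchant.example/landing 200 http://search-engine.example/search?q=free+printable
"""

# Placeholder allowlist of real search engines; a deployment would list the
# engines it actually pays affiliate referrals for.
LEGIT_SEARCH_ENGINES = {"search-engine.example"}
# Query parameters that typically carry a search term.
SEARCH_PARAMS = {"q", "query", "search", "p"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["referer"] = None if rec["referer"] == "-" else rec["referer"]
        rec["host"] = urlsplit(rec["url"]).hostname
        records.append(rec)
    return records


def looks_like_search_results(url):
    """True if the URL carries a search-style query parameter."""
    if not url:
        return False
    return any(k in parse_qs(urlsplit(url).query) for k in SEARCH_PARAMS)


def redirect_chains(records):
    """Follow Referer links per client, starting at a real search engine.

    Returns (client, hosts, via_redirector) tuples; via_redirector is True
    when some hop answered 3xx, i.e. the user was bounced through a
    redirector on the way to the final site, as in this attack.
    """
    by_client = {}
    for r in records:
        by_client.setdefault(r["client"], []).append(r)
    chains = []
    for client, recs in by_client.items():
        for start in recs:
            if start["host"] not in LEGIT_SEARCH_ENGINES or start["referer"]:
                continue
            hosts, via_redirector, current = [start["host"]], False, start
            while True:
                nxt = next((r for r in recs if r["referer"] == current["url"]), None)
                if nxt is None:
                    break
                hosts.append(nxt["host"])
                if 300 <= nxt["status"] < 400:
                    via_redirector = True
                current = nxt
            chains.append((client, hosts, via_redirector))
    return chains


def suspicious_referrals(records):
    """Requests whose Referer looks like a search-results page but comes from
    a host that is not a real search engine: the rogue engine claiming credit
    for the visit in the affiliate scheme."""
    return [
        r for r in records
        if r["referer"] and looks_like_search_results(r["referer"])
        and urlsplit(r["referer"]).hostname not in LEGIT_SEARCH_ENGINES
    ]


if __name__ == "__main__":
    recs = parse_log(PROXY_LOG)
    for client, hosts, flagged in redirect_chains(recs):
        print(("REDIRECTOR " if flagged else "direct     ") + client, " -> ".join(hosts))
    for r in suspicious_referrals(recs):
        print("rogue referral:", r["url"], "claimed by", r["referer"])
```

Run against the embedded sample, the script reports one redirector chain (10.0.0.5 via seo-redirector.example and rogue-search.example) and one rogue referral for the landing page. A site owner auditing affiliate payouts would apply suspicious_referrals to their own access logs; a proxy administrator would apply redirect_chains, since a 3xx hop between a search engine and the destination is the part of the chain the attackers can repoint at will.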
What are the risks users face in this attack?
Apart from unknowingly helping cybercriminals profit from the affiliate scheme, users run the risk of encountering other malicious threats as long as the redirectors are under the full control of cybercriminals. Redirectors can be easily made to point to new sites or portals hosting malware.
How do I protect myself from this attack?
- To avoid becoming a victim of this attack while it is ongoing, users should refrain from using the words "free printable" in their searches.
- Furthermore, users should install security software with a good URL reputation service that can rate and block access to malicious domains and specific URLs. Trend Micro Smart Protection Network blocks access to the malicious domains and URLs found in this attack.