From the Field: Expert Insights
“Several dozen websites carry this malicious JavaScript, which leads users to rogue search engines. The main goal? Hijacking search queries to gain profit from referral fees.”

- Trend Micro Senior Threat Researcher Ryan Flores, on the main modus operandi of the attacks leading to rogue search engines

Threat Encyclopedia
Searches for Printable Items Lead to Malicious Domains

Background of the attack: On January 25, 1:25 PM, Munich time, Trend Micro analysts received reports of a blackhat SEO attack in which users who searched for the words "free printable" were shown results pointing to compromised sites that redirect to malicious domains.

This attack is currently ongoing and our researchers are working toward a more complete understanding of the attack's components and its implications. Please check this page frequently for updates.

FAQs

What is a blackhat SEO attack?

Blackhat SEO (search engine optimization) attacks are illegitimate means of obtaining a high rank in search engines. Cybercriminals use them to lure users into clicking links that appear relevant but actually lead to malicious or unwanted content. By targeting popular search terms, cybercriminals increase the likelihood that users will come across their specially crafted Web pages. In 2009, we saw several blackhat SEO attacks that used search terms that had suddenly become popular, as in the case of breaking news or seasonal events.


What happens in this attack?

Users of popular search engines who search for terms that include the words “free printable” may encounter malicious search results. These results point to legitimate but compromised websites that have been made to host a malicious JavaScript redirector. Users who click on one of these results trigger a redirection to one of several redirector sites.

Our subsequent analysis shows that these redirector sites lead to a rogue search engine page, which is localized according to the user's IP address. The redirector sites themselves can be quickly repointed by the cybercriminals to other malicious portals; in our preliminary analysis, one search result led to a FAKEAV variant.
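The behaviour described above, as an added example that is not part of the Trend Micro write-up: the page does not disclose the internals of the injected script, so the model below assumes the common blackhat SEO technique of keying the redirect on the HTTP referrer (a visitor arriving from a search-engine results page for the targeted term is bounced, a direct visitor sees the normal page). The search-engine host list, the `redirector.invalid` target and the `fetchPage` loader are assumptions; `modelRedirector` stands in for a real page fetch so that the probe runs offline. The detection half, `probeReferrerCloaking`, is the check a responder would run against a suspected compromised site: load the same URL under several referrers and flag it when the outcome differs.

```javascript
// Added example, not code from the Trend Micro page. Models a
// referrer-conditional JavaScript redirector (assumed behaviour; the real
// JS_REDIRECT.SMF internals are not given on the page) and a probe that
// detects such cloaking by comparing the page's behaviour across referrers.

// Search engines whose result clicks the modelled redirector reacts to (assumed list).
const SEARCH_ENGINE_HOSTS = ['www.google.com', 'www.bing.com', 'search.yahoo.com'];

// Return the query carried by a search-engine referrer (q= or p=), or null
// when the referrer is empty, malformed or not from a search engine.
function searchQueryFromReferrer(referrer) {
  try {
    const u = new URL(referrer);
    if (!SEARCH_ENGINE_HOSTS.includes(u.hostname)) return null;
    return u.searchParams.get('q') ?? u.searchParams.get('p');
  } catch (e) {
    return null; // new URL('') throws: a direct visit has no referrer
  }
}

// Model of the injected redirector's decision. Only visitors who arrived
// from a search for the targeted term are sent to the redirector site;
// everyone else (site owner, crawler, direct visitor) sees the normal page.
// The target host is a placeholder, not one of the blocked domains.
function modelRedirector(referrer) {
  const q = searchQueryFromReferrer(referrer);
  if (q !== null && /free\s+printable/i.test(q)) {
    return { redirect: true, target: 'http://redirector.invalid/go.php' };
  }
  return { redirect: false, target: null };
}

// Detection: load one URL under several referrers and compare the outcomes.
// fetchPage(url, referrer) is supplied by the caller (in practice an HTTP
// client that sets the Referer header and reports whether the response
// or its scripts redirect); it must return { redirect, target }.
function probeReferrerCloaking(url, fetchPage) {
  const referrers = [
    '',                                                       // direct visit
    'https://www.google.com/search?q=free+printable+calendar', // targeted term
    'https://www.bing.com/search?q=free+printable+coupons',    // targeted term
    'https://www.google.com/search?q=unrelated+term',          // other search
  ];
  const results = referrers.map((referrer) => ({ referrer, ...fetchPage(url, referrer) }));
  const anyRedirect = results.some((r) => r.redirect);
  const anyNormal = results.some((r) => !r.redirect);
  // A page that redirects some referrers but not others is cloaking.
  return { cloaked: anyRedirect && anyNormal, results };
}

// Constructed demonstration: probe the modelled compromised page.
const report = probeReferrerCloaking('http://compromised-site.invalid/',
  (url, referrer) => modelRedirector(referrer));
console.log(JSON.stringify(report, null, 2));
```

When this probe is pointed at a real site, fetch the page with a browser-like User-Agent as well, since redirectors of this kind often also hide from crawlers and command-line clients; a site that is clean under every referrer can still be compromised if the injected script keys on something the probe did not vary.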


What is the end goal of this attack?

Site owners often pay referrers to bring more traffic to their site. In this attack, the user's browser passes through the rogue search engine before reaching the destination site, so the site's traffic records show the rogue search engine as the referrer instead of the search engine the user actually used. The site owner therefore pays the cybercriminals for a referral that is in fact illegitimate.


This attack was also seen earlier to lead to the download of FAKEAV variants, otherwise known as rogue antivirus software. FAKEAV malware is scareware that plants fake infection warnings on a computer to get the user to enter credit card information to pay for a "full version" of the fake product.

What are the risks users face in this attack?

Apart from unknowingly helping cybercriminals profit from the affiliate scheme, users risk encountering other threats for as long as the redirectors remain under the cybercriminals' full control: a redirector can be repointed at any time to new sites or portals hosting malware.


How do I protect myself from this attack?

  • To avoid becoming victims of this attack while it is ongoing, users should refrain from searching for the words "free printable".
  • Furthermore, users should install security software with a good URL reputation service that can rate and block access to malicious domains and specific URLs. The Trend Micro Smart Protection Network blocks access to the malicious domains and URLs found in this attack.
  • Users should also have security software in place that can detect and block malicious binaries and scripts. The Trend Micro Smart Protection Network detects the malicious JavaScript that performs the initial redirection as JS_REDIRECT.SMF or JS_REDIRCT.MAC.

Detection Name     Damage Potential   Pattern File
JS_REDIRECT.SMF    Medium             06.804.03
JS_REDIRCT.MAC     Medium

URL                        Blocking Date
{BLOCKED}search-pc.com     26 Jan 2010
{BLOCKED}needit.cn         26 Jan 2010
{BLOCKED}isthefish.cn      26 Jan 2010
{BLOCKED}ble-images.com    26 Jan 2010
{BLOCKED}-be.cn            26 Jan 2010
{BLOCKED}-e.cn             26 Jan 2010
{BLOCKED}he.com            26 Jan 2010
{BLOCKED}yourpcnow.com     26 Jan 2010