This past month, I've seen an increase in hijacked sites redirecting to a Fake AV page. These attacks typically involves three separate phases:
The hijacked website redirects users coming from a Google search to an external domain.
The fake AV page is delivered.
I demonstrated last year that the Blackhat SEO attacks had migrated from the most popular searches to more specific searches like buying software online where up to 90% of the links returned are malicious. It comes as no surprise that about 95% of the hijacked sites were found for searches like "purchase microsoft word", "achat windows" ("buy Windows" in French), "precio office 2007" (Italian), etc.
There were 12 hijacked sites being used, with 3 domains representing 90% of the hijacked sites redirecting to a fake AV page:
www.ukresistance.co.uk (blocked by Google Safe Browsing)
The domain used to redirect users from the hijacked sites to the fake AV pages are all .ru sites, with the same URL path:
Fake AV page
Fake AV page
Attackers are getting lazy! The fake AV page looks the same as it did two years ago and the source code of the page has barely changed. Fake AV pages used to change every 2-3 weeks when they were found all over the most popular searches, now they are remaining stagnant for six months. Here is the video that shows the Fake AV page in action: