I've been monitoring Blackhat spam SEO
for more than a year now. I frequently have to modify the scripts used to retrieve the fake AV pages in order to deal with obfuscation
and other obstacles
the perpetrators have put in place.
Once again, by trying too hard to hide the malicious code
, Fake AV pages are actually easier to detect by looking at the redirections rather the malicious code itself.
Strict HTTP Referer
It usually only requires a few minutes of work to bypass the "protection
s" put in place by Fake AV pages. The fake AV authors have no doubt realized that their modifications were not very effective, and that Zscaler and others are still finding their malicious content.
A few days after Mike found IP tables settings
shared online to block major security vendors, our main IP address was blacklisted. I quickly changed to a different IP address in the same sub-net, but only 3 days later, our complete sub-net was blacklisted. I have recently switched to Tor to get random IP address. This has allowed me to keep tracking new Fake AV pages.