Spammers have done a very good job of hijacking web searches related to buying software online. More than 90% of search results for "buy Microsoft Windows" and similar searches lead to fake stores on major search engines. Not much has been done by the search engines to clean up these search results.
Since the beginning of 2011, the number of search results for popular queries leading to fake AV pages and malware has dramatically decreased, especially on Google.
I've wondered when attackers would switch from poisoning popular search phrases to more targeted searches. In the past few weeks, I've seen more and more spam redirected to malware, where similar searches would previously have led to a fake online store.
For example, the website www.saloncti.com contains multiple spam pages around "buy microsoft office" (be careful if you decide to follow the search results). These spam pages are very similar to the spam pages leading to fake stores.
[Image: Spam page on http://www.saloncti.com/?p=1523]
Instead of a fake store, the visitor is redirected to at least three types of malware.
One of the malicious redirections is to 188.8.131.52. It hosts a Fake AV page. Although the page looks visually the same as the Fake AV pages I've seen so far, the source code is very different.
Here is a video of the Fake AV page. I quickly got blacklisted (see details below in the post), so I had to reconstruct the page on my local machine. On the real website, I would have been prompted to download an executable, which was malware disguised as an antivirus solution.
Naked Emma Watson video
I've described this malicious page in a previous blog post. Basically, the page looks like YouTube, with a purported video of Emma Watson naked. The "Play" button warns users that they don't have the latest version of Flash and tricks users into installing malware.
[Image: Fake Flash installation]
Top 10 Famous Celebrity Scandals
This is a variation of the naked Emma Watson video. The page shows a picture of a scantily clad Paris Hilton. Again, the goal is to trick users into installing malware disguised as a Flash update.
The page was hosted on firstuzsoft.rr.nu and was not blocked by Google Safe Browsing. The malicious executable was detected by only 6 AVs out of 43. Zscaler's free Search Engine Security add-on for Firefox does protect against these types of sites.
There are multiple redirections between the spam page on the initial site (www.saloncti.com) and the final malicious page (184.108.40.206). The referrer and the IP address are checked along the way. Here is a sample of a redirection from a Yahoo! search to the malicious domain:
- http://www.saloncti.com/?p=1870 (302 redirection)
- http://220.127.116.11/tra1/change.php?sid=8 (302 redirection)
- http://18.104.22.168/tra1/got.php?sid=8 (302 redirection)
- http://www.communitysupportottawa.ca/cutenews/ip.php (302 redirection)
- http://www.skibec.ca/castor-kanik/cutenews/ss/2.php (302 redirection)
After following a couple of search results, my IP address got blacklisted and I was redirected to ask.com instead of the malicious domain.
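The redirection chain above has a shape that can be flagged in proxy or crawler logs: a search-engine referrer followed by 302 hops across several unrelated hosts, some of them bare IP addresses. The following is an added example, not code from the original post; the function names, the referrer list and the threshold of three hosts are assumptions, and the sample chains are constructed with documentation domains and IP ranges.

```python
import ipaddress
from urllib.parse import urlsplit

SEARCH_LABELS = {"google", "yahoo", "bing"}   # assumed list of search referrers
REDIRECTS = {301, 302, 303, 307, 308}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze_chain(referrer, hops):
    """hops: ordered (url, http_status) pairs recorded for one navigation.
    Returns the reasons (possibly none) the chain resembles search-spam redirection."""
    reasons = []
    from_search = bool(SEARCH_LABELS & set(host_of(referrer).split(".")))
    redirect_hosts = [host_of(url) for url, status in hops if status in REDIRECTS]
    distinct = list(dict.fromkeys(redirect_hosts))   # ordered, de-duplicated
    if from_search and len(distinct) >= 3:           # threshold is an assumption
        reasons.append("search referrer, then redirects across %d hosts" % len(distinct))
    ip_hosts = [h for h in distinct if is_ip_literal(h)]
    if ip_hosts:
        reasons.append("redirect served from bare IP: " + ", ".join(ip_hosts))
    return reasons

# Constructed sample data, shaped like the chain listed above.
SEARCH_REF = "http://search.yahoo.com/search?p=buy+microsoft+office"
SPAM_CHAIN = [
    ("http://blog.example.com/?p=1870", 302),
    ("http://192.0.2.10/a/change.php?sid=8", 302),
    ("http://192.0.2.10/a/got.php?sid=8", 302),
    ("http://forum.example.net/news/ip.php", 302),
    ("http://shop.example.org/news/ss/2.php", 302),
    ("http://198.51.100.7/index.html", 200),
]
BENIGN_CHAIN = [
    ("http://example.com/", 301),           # ordinary canonical-host redirect
    ("https://www.example.com/", 200),
]

if __name__ == "__main__":
    for name, chain in (("spam", SPAM_CHAIN), ("benign", BENIGN_CHAIN)):
        print(name, analyze_chain(SEARCH_REF, chain))
```

Because the referrer and the IP address are checked along the way, the same URL replayed without a search referrer or from a blacklisted address may record none of these hops.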
It is scary, but predictable, to see attackers switching their targets. I hope the search engines will take the threat of malicious executables more seriously than fake stores and clean up their search results. It will be interesting to see who has the best Blackhat SEO skills: people behind fake stores, or people behind fake AV/Flash pages.