More Software-Related Searches Lead to Malware

Spammers have done a very good job at hijacking web searches related to buying software online. On the major search engines, more than 90% of the results for "buy Microsoft Windows" and similar queries lead to fake stores, and the search engines have done little to clean up these results.

Since the beginning of 2011, the number of search results for popular queries leading to Fake AV pages and malware has dropped dramatically, especially on Google.

I've wondered when attackers would switch from poisoning popular search phrases to more targeted searches. In the past few weeks, I've seen more and more spam redirecting to malware where similar searches would previously have led to a fake online store.

For example, the website contains multiple spam pages around "buy microsoft office" (be careful if you decide to follow the search results). These spam pages are very similar to the ones that lead to fake stores.
Spam page on
Instead of a fake store, the visitor is redirected to one of at least three kinds of malicious page.

Fake AV

One of the malicious redirections is to It hosts a Fake AV page. Although the page looks visually the same as the Fake AV pages I've seen so far, the source code is very different.

Here is a video of the Fake AV page. My IP address was blocked very quickly (see the IP checks section below), so I had to reconstruct the page on my local machine. On the real website, I would have been prompted to download an executable: malware disguised as an antivirus product.

Naked Emma Watson video

I've described this malicious page in a previous blog post. Basically, the page looks like YouTube, with a purported video of Emma Watson naked. The "Play" button warns users that they don't have the latest version of Flash and tricks them into installing malware.
Fake Flash installation

Top 10 Famous Celebrity Scandals

This is a variation of the naked Emma Watson video page. The page shows a picture of a scantily clad Paris Hilton. Again, the goal is to trick users into installing malware disguised as a Flash update.

The page was hosted on and was not blocked by Google Safe Browsing. The malicious executable was detected by only 6 of 43 antivirus engines. Zscaler's free Search Engine Security add-on for Firefox does protect against these types of sites.

IP checks

There are multiple redirections between the spam page on the initial site ( and the final malicious page ( or The referrer and the IP address are checked along the way. Here is a sample redirection chain from a Yahoo! search to the malicious domain:
  2. (302 redirection)
  3. (302 redirection)
  4. (302 redirection)
  5. (302 redirection)
  6. (302 redirection)
After following a couple of search results, my IP address got blocked and I was redirected to instead of the malicious domain.
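The referrer and IP checks along the chain are what make this traffic hard to reproduce, and a browser hides the intermediate 302s. The script below is an added example, not code from the original post: it walks a redirect chain one hop at a time, recording every Location header, against a small simulated server that applies the two checks the post describes (redirect only visitors whose Referer is a search engine, and send an IP that has been seen too often to a harmless page). Every domain, the list of search-engine hosts and the "couple of visits" threshold are hypothetical placeholders so the script runs offline.

```python
"""Trace a 302 redirect chain hop by hop, with the referrer and IP checks
the post describes simulated server-side so the script runs offline.

Added example, not code from the original post. Every domain below is a
hypothetical placeholder, and CloakingServer is a guess at the kind of
logic that produces the behaviour observed, not the attackers' scripts.
"""
from collections import Counter
from urllib.parse import urlparse

# Assumed: referrers the cloaking logic treats as search-engine traffic.
SEARCH_ENGINE_HOSTS = {"search.yahoo.com", "www.google.com", "www.bing.com"}
# Assumed threshold: the post says the IP was blocked after "a couple" of results.
MAX_VISITS_PER_IP = 2
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class CloakingServer:
    """Stand-in for the whole chain of attacker-controlled hosts (hypothetical)."""

    def __init__(self):
        self.visits_per_ip = Counter()
        # Hypothetical chain: spam page -> intermediate hops -> last hop.
        self.chain = {
            "http://spam.example/buy-microsoft-office.html": "http://hop1.example/in.cgi",
            "http://hop1.example/in.cgi": "http://hop2.example/go.php",
            "http://hop2.example/go.php": "http://hop3.example/r",
        }
        self.last_hop = "http://hop3.example/r"
        self.malicious_landing = "http://fakeav.example/scan.php"
        self.benign_landing = "http://benign.example/"

    def get(self, url, headers, client_ip):
        """Return (status, response headers) the way an HTTP server would."""
        referer_host = urlparse(headers.get("Referer", "")).hostname or ""
        if url in self.chain:
            # Referrer check: only visitors arriving from a search engine are
            # redirected; crawlers and analysts see the plain spam page.
            if referer_host not in SEARCH_ENGINE_HOSTS:
                return 200, {}
            return 302, {"Location": self.chain[url]}
        if url == self.last_hop:
            # IP check: after a few visits the same address gets a harmless page.
            self.visits_per_ip[client_ip] += 1
            if self.visits_per_ip[client_ip] > MAX_VISITS_PER_IP:
                return 302, {"Location": self.benign_landing}
            return 302, {"Location": self.malicious_landing}
        return 200, {}


def follow_chain(start_url, server, referer, client_ip, max_hops=10):
    """Follow redirects one at a time and return every URL visited.

    A browser follows the 302s silently; doing it manually exposes the
    intermediate hops. The Referer header is kept unchanged across hops,
    which matches browser behaviour on redirects and is why a referrer
    check can be repeated at every stage of the chain.
    """
    headers = {"Referer": referer}
    hops = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, resp = server.get(url, headers, client_ip)
        if status not in REDIRECT_STATUSES or "Location" not in resp:
            break
        url = resp["Location"]
        hops.append(url)
    return hops


def trace_from_yahoo(server, client_ip):
    """Visit the spam page as if arriving from a Yahoo! search (constructed referrer)."""
    referer = "http://search.yahoo.com/search?p=buy+microsoft+office"
    start = "http://spam.example/buy-microsoft-office.html"
    return follow_chain(start, server, referer, client_ip)


if __name__ == "__main__":
    srv = CloakingServer()
    for attempt in range(1, 4):
        hops = trace_from_yahoo(srv, "203.0.113.5")
        print(f"attempt {attempt}: {len(hops) - 1} redirects, landed on {hops[-1]}")
    # A direct visit with no search-engine referrer never leaves the spam page.
    print("direct:", follow_chain(
        "http://spam.example/buy-microsoft-office.html", srv, "", "198.51.100.7"))
```

Run as-is, the first two attempts from the same address end on the Fake AV page and the third lands on the benign page, which is the blocking behaviour described above. Against a live chain, replace `server.get` with an HTTP client that does not follow redirects on its own (for example `requests.get(url, headers=headers, allow_redirects=False)`, reading `status_code` and `headers["Location"]`) and set the Referer to a real search-results URL; the trace logic stays the same.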

It is scary, but predictable, to see attackers switching their targets. I hope the search engines will take the threat of malicious executables more seriously than they have taken fake stores, and clean up their search results. It will be interesting to see who has the best blackhat SEO skills: the people behind fake stores, or the people behind Fake AV/Flash pages.