In 2011, Blackhat SEO links were pretty much absent from the most popular searches in Google. Instead, Blackhat SEO was used to target more specific searches. The technique heavily used to poison the searches for buying software online with hundreds of fake online stores.
Blackhat SEO
Things are starting to change in 2012. I ran some numbers on Google searches for the month of March 2012 and found:
- 117 malicious domains, including 66 serving Fake AV pages and 35 fake online store domains
- 1,142 spam/malicious links in Google searches, including 299 links leading to a Fake AV page
The number of new domains hosting fake online stores is slowly decreasing, I found only 6 new domains in March, but the number of Fake AV sites has increased significantly.
While Google search results leading to Fake AV pages used to be caused primarily by hijacked sites that were redirecting the entire site to a malicious domain, the current increase is due mostly to the targeted use of Blackhat SEO for popular searches, as it was in 2010. The big difference with current results compared to those in 2010 is that Google is doing a much better job at flagging these malicious links: 294 of the 299 search results leading to a Fake AV page were flagged by Google.
The spammers are still able to get their spam pages on hijacked sites to appear on the first result page for popular searches such as "puerile in a sentence" and "edhelper password".
Figure 1: Malicious link in first result page
The technique used is still the same. Websites are hijacked and new pages are added. Each new page is targeting a popular search term trending in Google Hot Trends. Pages from different hijacked sites are linked together to increase their rank.
As I mentioned in an earlier post, the Fake AV pages still look the same, but surprisingly, use new source code with no obfuscation in most cases.
Fake AV instead of Fake store
The second trend I see is the increase in Fake AV links in searches related to software sales, like "Buy Windows 7". This is something I noted last year. The increase in search results leading to malware (Fake AV pages and others) where you would usually find fake stores is alarming because Google has not yet cleaned up these results. None of the spam links sending users to fake stores are flagged by Google.
