The malware is only detected by a low number of antivirus products

Nov 13, 2012 09:37 GMT

Experts have discovered that cybercriminals are using blackhat SEO poisoning to trick users into visiting websites that rely on the BlackHole Exploit Kit 2.0 to serve malware.

AegisLab researchers have found that Google searches for “djia finance” bring up a website that hosts a malicious PHP file (www.hv20.com/payroll/djia-finance.php).

A script on this page attempts to download a malware-containing PDF file that’s currently detected by only 3 of the 44 antivirus engines on VirusTotal.

After analyzing the download site, experts have determined that it actually hosts the BlackHole Exploit Kit 2.0.

The most worrying fact is that Google is not warning users about this particular search result and, at the time of writing, it still showed up on the second page.

Hopefully, antivirus companies will rush to add the signature of this particular malware to their databases. Until then, users are advised to be careful about which sites they visit.