CO.TV Free Domain Provider Abused in Google News BHSEO Campaign

Security researchers from cloud security provider Zscaler have come across a Google News black hat SEO campaign which uses numerous co.tv rogue domains.

The targeted keywords are related to actor Laurence Fishburne's departure from the popular CSI TV series. Most people remember Fishburne as Morpheus from The Matrix.

The news generated quite a buzz online earlier this week and was apparently popular enough for cyber crooks to try and exploit.

While search results poisoning has been a common method of infecting users for the past couple of years now, the attacks have slowly moved away from the traditional web search and towards complementary services like image search or news search.

This switch has also been influenced by the fact that Google has gotten better at preventing the rogue links from appearing at the top of its search results. However, the company hasn't paid the same attention to the other types of searches it offers.

Black hat SEO attacks involve the creation of keyword-riddled pages on compromised domains and leveraging their Google rank to push the links at the top of the results for particular topics.

The pages are created so that Google's crawlers see the content, but when real visitors visit them, they get redirected to malware distribution sites.

In this case, the fake Fishburne news links take visitors through a series of redirects that involve many co.tv domains, until they land on a page exploiting Java vulnerabilities.

CO.TV is a free domain provider that is obviously being abused by the people behind this campaign. All of the rogue domains used are hosted on the same IP address.

"The exploit code downloads multiple malicious JAR files on the system after exploitation. The VirusTotal results remains very poor for one of the malicious JAR files, with only 2 out of 43 Antivirus triggering on it," Zscaler senior researcher Umesh Wanve notes.

Like most BHEO campaigns, this attack only directs requests that come through Google News to the malicious pages. Zscaler provides a Firefox extension called Search Engine Security which allows users to hide their referrer headers.