Blackhat SEO used to promote websites serving fake anti-virus software

Apr 14, 2009 13:09 GMT

Security researchers warn that malware distributors are profiting from people's interest in the Easter holiday and, apparently, in the Ford Motor Company, in order to push malware. Search engine results for keywords related to the two were poisoned with pages that pushed rogue security programs.

Promoting malicious websites by littering their pages with certain keywords so that they appear higher in search results is an increasingly popular practice. These techniques are known as blackhat search engine optimization (SEO) and are usually combined with other tools, such as Google Trends, which cybercrooks use to get an accurate insight into what people are most actively looking for on the web during a certain period of time.

"Easter, like any other holiday, will not pass without cybercriminals attempting to exploit the occasion for their own malicious operations," Jake Soriano, technical communications specialist at Trend Micro, warns.

According to an investigation by Paul Ferguson, advanced threats researcher at Trend Micro, known Russian and Ukrainian cybercriminal organizations are behind most of the Easter-related blackhat SEO campaigns. While this holiday has already begun for Catholics and most Western Christians, it has yet to start for Eastern Christianity, including the churches in the countries mentioned above.

The malicious websites scoring high in search results contain JavaScript code that redirects users to other locations, from which a rogue anti-virus program, detected by Trend Micro as TROJ_FAKEAV.BAF, is downloaded.

Meanwhile, security researchers from Panda Security warn of a similar campaign targeting people looking for the Ford Motor Company. The analysts have been able to identify a staggering one million such malicious links.

"This case is especially interesting because it’s one of the few SEO attacks that we have seen targeting a single, specific brand," Sean-Paul Correll, one of Panda's specialists in threat surveillance and emerging threats, notes.

The rogue pages used in this attack ask users to download and install an alleged video codec called softwarefortubeview.40030.exe, which is, in fact, MS AntiSpyware 2009, a well-known scareware-type application. Another file being served to unsuspecting users is called AntiVirusInstaller.exe and is detected by Panda products as Adware/Anti-Virus-1.

We recently reported that malware distributors had employed similar tactics during the pre- and post-April 1st hype surrounding the Conficker worm, and during the February Gmail downtime.