Malicious links lead to scareware sites

Jul 16, 2010 13:30 GMT

Security researchers from antivirus vendor Panda Security warn of a new black hat search engine optimization (BHSEO) campaign that targets users interested in finding information related to Mexican actress Fernanda Romero. The poisoned search results lead to websites pushing fake antivirus programs.

Back in April, Fernanda Romero and her husband Kent Ross were arrested by agents from U.S. Immigration and Customs Enforcement and charged with marriage fraud. The authorities claim that Romero paid Ross, a pizza delivery man, to marry her in order to obtain U.S. legal citizenship status. The actress entered a not guilty plea and faced trial earlier this month.

Celebrity gossip always attracts a lot of attention, especially on the Internet, and cyber crooks know that very well. According to Panda researchers, users should be very careful when searching for keywords like “fernanda romero actress”, “fernanda romero 2010”, “fernanda romero imdb”, “fernanda romero arrested” or “fernanda romero drag me to hell,” as many of the results lead to malicious websites.

Many of the poisoned results point to websites hosted on .co.cc domains, from where users are redirected to other pages mimicking YouTube or displaying fake antivirus scans. In both cases, scareware installers called packupdate###_###.exe (where each # is a random digit) are served for download.
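The two indicators named above (a .co.cc host and the packupdate###_###.exe installer name) can be checked against web proxy logs. The following is an added example, not code from Panda Security or from this article; the log format, hostnames and client addresses are constructed, and it assumes each # stands for exactly one digit.

```python
import re
from urllib.parse import urlsplit

# Installer name from the article: "packupdate###_###.exe", # = random digit.
# Assumption: each '#' is exactly one digit; loosen to \d+ if samples differ.
INSTALLER_RE = re.compile(r"^packupdate\d{3}_\d{3}\.exe$", re.IGNORECASE)

def classify(url):
    """Return the indicators from the article that a requested URL matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    filename = parts.path.rsplit("/", 1)[-1]
    hits = []
    # Match the registrable suffix only, so "notco.cc.example.org" is not flagged.
    if host == "co.cc" or host.endswith(".co.cc"):
        hits.append("co.cc-host")
    if INSTALLER_RE.match(filename):
        hits.append("installer-name")
    return hits

def scan(log_lines):
    """Yield (client, url, indicators) for matching proxy log lines.
    Assumed (constructed) format: '<timestamp> <client-ip> <method> <url>'."""
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of failing the whole scan
        client, url = fields[1], fields[3]
        hits = classify(url)
        if hits:
            yield client, url, hits

# Constructed sample log lines; none of these hosts come from the article.
SAMPLE_LOG = [
    "2010-07-16T13:01:02Z 10.0.0.5 GET http://example-gossip.co.cc/fernanda-romero.html",
    "2010-07-16T13:01:09Z 10.0.0.5 GET http://scan.example.net/dl/packupdate107_289.exe",
    "2010-07-16T13:02:00Z 10.0.0.7 GET http://www.example.com/packupdate.exe",
    "2010-07-16T13:02:30Z 10.0.0.8 GET http://notco.cc.example.org/index.html",
    "malformed line",
]

if __name__ == "__main__":
    for client, url, hits in scan(SAMPLE_LOG):
        print(client, url, ",".join(hits))
```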

The term scareware refers to malicious applications that use scare advertising tactics to trick users into paying license fees. The most common programs of this type masquerade as security applications and display bogus alerts about fictitious threats found on their victims' computers.

Many of these websites have not yet been tagged as malicious by Google's Safe Browsing service and the files have a very low antivirus detection rate. We uploaded one sample on VirusTotal and it was only picked up by 2 of the 40 antivirus products available.

Users should always exercise caution when using search engines to find information, as BHSEO campaigns are one of the most common methods of distributing malware on the Web. People encountering malware alerts while surfing websites should immediately close their browser and perform a scan with a well-known and up-to-date antivirus program.

You can follow the editor on Twitter @lconstantin