Different tricks for different browsers

Aug 10, 2010 08:52 GMT  ·  By
Scareware pushers use different landing pages depending on their victim's browser

Security researchers from antivirus vendor Webroot warn that scareware pushers have poisoned the search results for "USA map" on Google Images. The attack uses a different landing page and social engineering trick for each of the major browsers.

Black hat search engine optimization (BHSEO) campaigns on Google Images are not as common as those targeting Google Web Search, but they aren't a particularly new concept. Back in July we reported that Google Images search results for Raoul Moat, the subject of a UK police manhunt at the time, were poisoned.

Security researchers from Webroot, a company developing various anti-malware products, have recently intercepted a new Google Images BHSEO campaign which involved search results for "USA map" leading to rogue pages. "All but the first image result that appeared on that first page of results linked to the malicious Web site," Andrew Brandt, a threat researcher with the company, notes.

However, the most interesting aspect of this attack is its browser awareness. The redirect script first checked which browser the visitor was using and then, depending on the result, sent the victim to a landing page crafted specifically for that browser.

For example, Internet Explorer users were sent to a page that played a fake antivirus scan animation and displayed bogus security alerts about fictitious infections. The aim was to trick them into downloading the scareware application itself, which posed as an anti-malware program.

Mozilla Firefox users were instead taken to a forged "whatsnew" page, a copy of the page Firefox displays after a successful update; we have seen several recent malware distribution efforts use fake copies of it to trick users. In this case, the page served a scareware installer whose MD5 hash changed every time the page was refreshed, which is also somewhat unusual and means a blocklist of known-bad file hashes would not catch it.

Finally, both Safari and Google Chrome users landed on pages using a required Flash Player update lure. The two pages were slightly different in appearance, but they both displayed an ActiveX-like warning, which is ironic, since none of these browsers support ActiveX.
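As an added example that is not part of this article or of Webroot's research, the following Python script shows how an analyst could confirm the two behaviours described above offline: browser-aware redirection, by fetching the same poisoned link under several User-Agent strings and comparing where each lands, and per-fetch polymorphic installers, by hashing repeated downloads of the same file. The User-Agent strings, hostnames, paths and response bodies below are constructed placeholders, not data from the campaign.

```python
"""Offline check for browser-aware cloaking and per-download polymorphic payloads.

Given the final landing URL and response body observed when one poisoned link is
fetched with several User-Agent strings, this flags two behaviours: different
landing pages per browser family, and an installer whose bytes (and so its hash)
change on every fetch.
"""
import hashlib
from collections import defaultdict

# Constructed User-Agent strings for the four browsers named in the article.
IE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) "
              "Gecko/20100722 Firefox/3.6.8")
CHROME_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 "
             "(KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4")
SAFARI_UA = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) "
             "AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.1 Safari/533.17.8")

# Constructed observations: UA -> list of (final_url, body) from repeated fetches
# of one poisoned image link. Hostnames and paths are hypothetical placeholders.
SAMPLE_OBSERVATIONS = {
    IE_UA: [
        ("http://cloaked.example.invalid/scan/", b"<html>fake AV scan</html>"),
        ("http://cloaked.example.invalid/scan/", b"<html>fake AV scan</html>"),
    ],
    FIREFOX_UA: [
        # Same URL, but the served installer differs byte-for-byte on each fetch.
        ("http://cloaked.example.invalid/whatsnew/setup.exe", b"MZ\x90\x00stub-A"),
        ("http://cloaked.example.invalid/whatsnew/setup.exe", b"MZ\x90\x00stub-B"),
    ],
    CHROME_UA: [("http://cloaked.example.invalid/flash/chrome/", b"<html>update Flash</html>")],
    SAFARI_UA: [("http://cloaked.example.invalid/flash/safari/", b"<html>update Flash</html>")],
}

# Control case: every browser sees the same page, so no cloaking should be reported.
BENIGN_OBSERVATIONS = {
    ua: [("http://plain.example.invalid/usa-map.html", b"<html>a map</html>")]
    for ua in (IE_UA, FIREFOX_UA, CHROME_UA, SAFARI_UA)
}


def browser_family(user_agent):
    """Classify a User-Agent string the way a cloaking redirect script would.

    Order matters: Chrome's UA also carries the token "Safari", so Chrome must be
    tested before Safari or it is misfiled.
    """
    if "MSIE" in user_agent or "Trident/" in user_agent:
        return "ie"
    if "Firefox/" in user_agent:
        return "firefox"
    if "Chrome/" in user_agent:
        return "chrome"
    if "Safari/" in user_agent:
        return "safari"
    return "other"


def landing_pages_by_family(observations):
    """Map each browser family to the set of final URLs it was redirected to."""
    pages = defaultdict(set)
    for ua, fetches in observations.items():
        for final_url, _body in fetches:
            pages[browser_family(ua)].add(final_url)
    return dict(pages)


def is_cloaking(observations):
    """True when at least two browser families land on different sets of pages."""
    per_family = landing_pages_by_family(observations)
    distinct_sets = {frozenset(urls) for urls in per_family.values()}
    return len(distinct_sets) > 1


def is_polymorphic(fetches):
    """True when repeated fetches of one URL return bodies with different hashes.

    MD5 is used only as a fingerprint, matching the article's observation; it is
    not an integrity control here.
    """
    digests = {hashlib.md5(body).hexdigest() for _url, body in fetches}
    return len(digests) > 1


if __name__ == "__main__":
    print("cloaking:", is_cloaking(SAMPLE_OBSERVATIONS))
    for family, urls in sorted(landing_pages_by_family(SAMPLE_OBSERVATIONS).items()):
        print(f"  {family}: {sorted(urls)}")
    print("firefox payload polymorphic:", is_polymorphic(SAMPLE_OBSERVATIONS[FIREFOX_UA]))
```

In practice the observations dictionary would be filled by fetching the suspect link once per User-Agent string and following redirects; a single fetch with your own browser's UA tells you nothing about what the other three browsers receive, which is exactly what makes this kind of campaign hard to spot from one vantage point.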

This type of payload diversification is unusual for BHSEO scareware distribution campaigns, since such attacks take a hit-and-run-like approach. As expected, the malicious domain serving all the rogue pages was down in a matter of hours, but the incident still serves as a good example of how many forms these scams can take.

You can follow the editor on Twitter @lconstantin