Scammers hijack open redirectors in order to increase their search engine rankings

Dec 29, 2008 14:44 GMT

Black search engine optimization (SEO) techniques were found to be employed in a new scareware advertising scheme. The scammers use URL redirects from popular websites belonging to government agencies, universities and schools, media outlets and even Microsoft, in order to increase their own website's ranking within search results.

Redirectors are scripts used by websites to send users on to other destinations. The destination is passed as a parameter appended to the redirect URL, which also lets the site keep track of where users are being sent. A general example of such a redirect URL would be the following: http://www.softpedia.com/redir.php?url=http://new_destination. The problem lies in the fact that many websites use so-called open redirectors, which do not validate the destination at all and therefore allow third parties to route their own traffic through them.

The first report regarding this new scheme came from Gary Warner, director of research in Computer Forensics at The University of Alabama at Birmingham (UAB). According to Mr. Warner, the spammers created tens of thousands of these redirect links pointing to a newly registered domain name and then used automated scripts to spread them across the web, by inserting them into blog comments, forum posts, guestbook entries, etc.

Another black SEO tactic was then used to manipulate search results for queries about pirated software, adult content, or hacking instructions. This was done by incorporating predefined search terms into the URLs. A real example of such a maliciously crafted link is the following: http://www.microsoft.com/ie/ie40/download/?//00119922.com/in.php?&n=837&t=download+fruityloops+6+free. Benefiting from microsoft.com's very high search ranking, the link would appear among the first results when searching for “download fruityloops 6 free.”
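To make the difference between an open redirector and a validated one concrete, here is an added Python example (not code from the article or from any of the sites mentioned). It assumes a hypothetical site www.example.com with a redir.php?url= parameter as in the generic example above, and shows both the verbatim forwarding that makes a redirector "open" and a hardened check that only honours same-site destinations, including the scheme-relative "//host" form used in the crafted microsoft.com link.

```python
from urllib.parse import urlparse, parse_qs

# Constructed example: the only host a redirector on this site should send users to.
SITE_HOST = "www.example.com"
ALLOWED_HOSTS = {SITE_HOST}


def open_redirect_target(url_param: str) -> str:
    """The 'open redirector' behaviour the article describes: the url= value is
    forwarded verbatim, so any third party can route traffic through the site."""
    return url_param


def validated_redirect_target(url_param: str, default: str = "/") -> str:
    """Hardened variant: only same-site destinations are honoured; anything
    else falls back to `default` instead of sending the user off-site."""
    if not url_param:
        return default
    # Browsers treat backslashes like slashes, so normalise before parsing;
    # otherwise '/\evil' would look like a local path but load //evil.
    candidate = url_param.replace("\\", "/")
    parsed = urlparse(candidate)
    # Only http(s) or scheme-less values are acceptable (no javascript:, data:, ...).
    if parsed.scheme not in ("", "http", "https"):
        return default
    # A netloc means an absolute or scheme-relative ('//host/...') URL: it must be
    # our own host, with no userinfo tricks such as 'ours.com@theirs.com'.
    if parsed.netloc:
        host = parsed.hostname or ""
        if host not in ALLOWED_HOSTS or parsed.username or parsed.password:
            return default
        return candidate
    # Relative values must be a single-slash local path ('//' was caught above).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


def redirect_for(request_url: str) -> str:
    """Apply the check to a full redirector request such as
    https://www.example.com/redir.php?url=<destination>."""
    query = parse_qs(urlparse(request_url).query)
    target = query.get("url", [""])[0]
    return validated_redirect_target(target)
```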

“Sites like Microsoft.com, IRS.gov, countless media outlets, magazines, universities, and other websites can be found in the search engines in this way,” Gary Warner says on his blog. When visiting such a link, the users get redirected to the malicious domain, where another redirection is performed, this time silently, and a warning window is displayed. The pop-up alerts them that their computers are infected and offers to perform a security scan. Hitting “Ok” will just play a web animation imitating a real scan, which then pops up yet another window listing the fake infections that were allegedly detected.

This last pop-up features a “Remove all” button that, when pressed, prompts the user to download an install.exe file, the installer for a rogue application named System Security. “As of this writing, we were the first one to report this malware to VirusTotal, where only 5 of 37 antivirus products were able to identify the file as malware,” Mr. Warner writes on December 23.

After installation, the application displays a more professional-looking interface that again performs a scan and shows results. Trying to fix the false security issues listed by the utility prompts the user to buy a license that costs $51.45. More annoying alerts imitating Windows security warnings continue to pop up until a license for the fake security program is acquired.

This new scam was launched shortly after the Federal Trade Commission shut down one of the biggest scareware advertising operations in the world, which was pushing the likes of WinFixer, WinAntivirus, DriveCleaner, WinAntispyware, ErrorProtector, ErrorSafe, SystemDoctor, AdvancedCleaner, Antivirus XP, and XP Antivirus 2008. This could suggest that other spam gangs are trying to benefit from the hole left in the market by their former competitors.

Microsoft has since fixed the issue and closed the open redirector that was being misused. “Clicking one of the Microsoft pages indicated in the Google search above will now take you to a safe page stating that the page was not found, and then forwarding you to a Microsoft search page,” Gary Warner points out at the end of his report.