Dec 14, 2010 16:50 GMT

Security researchers have observed new attacks using compromised websites to create rogue online stores that sell counterfeit software and are promoted in Google.

Compromised websites are a common component in many attacks, but are generally used as doorways to drive-by downloads, scareware pages or spam sites.

Users landing on an infected page are normally taken through a series of redirects that perform various checks, until they arrive at the final attack page.

In the case of black hat search engine optimization (BHSEO) campaigns, legitimate websites that have been compromised are used to poison the results for popular search keywords or topics.

When search engine crawlers arrive at such websites, they are served content pertaining to the targeted search keywords and index the pages accordingly.

However, when users find the links on Google and click on them, they are automatically taken to an external page under the attackers' control.

"[...] There is a new development in this area. Instead of placing just doorway pages on compromised sites, hackers now create whole online stores there," Denis Sinegubko, the creator of the Unmask Parasites Web scanner, warns.

Keyword stuffing techniques are used to push pages to the top of search results for certain software product names. The pages check whether visitors come from search engines and, if so, load an iframe that occupies the whole visible part of the page.

Websites looking like online stores for discounted software are generated on the fly and are loaded inside the rogue frames. The original content of the page is still there, but it can only be viewed by scrolling all the way down to the end of the page.

The iframe is not loaded for people who come from searches that include the "site:" operator in the query or who access the link directly. However, the implementation fails to hide the rogue content, even when the iframe is not present.

Webmasters are advised to check their websites for possible compromises and security holes, because attacks like this one can ruin their search engine ranking and their reputation with users.
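
As an added illustration of such a check (not code from Unmask Parasites or from the original article), the Python sketch below compares the HTML a site returns for the same URL under different request profiles and reports full-page iframes that appear only for visitors arriving from a search engine. The profile names, the sample responses and the store.example address are constructed, and it assumes the difference is visible in the returned HTML; a referrer check done by a script in the browser would need a rendered page instead.

```python
from html.parser import HTMLParser

# Constructed sample responses for one URL, keyed by how it was requested.
PAGE = "<h1>Garden club</h1><p>Meeting notes</p>"
SAMPLES = {
    "direct": f"<html><body>{PAGE}</body></html>",
    "search_site_operator": f"<html><body>{PAGE}</body></html>",
    "search_referer": (
        "<html><body>"
        '<iframe src="http://store.example/" width="100%" height="100%" '
        'style="position:absolute;top:0;left:0" frameborder="0"></iframe>'
        f"{PAGE}</body></html>"
    ),
}

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def covers_viewport(attrs):
    """Heuristic: 100% width and height, via attributes or inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    def full(dim):
        return attrs.get(dim, "").strip() == "100%" or f"{dim}:100%" in style
    return full("width") and full("height")

def full_page_iframes(html):
    """Return the src values of iframes that cover the visible page."""
    parser = IframeCollector()
    parser.feed(html)
    return {a.get("src", "") for a in parser.iframes if covers_viewport(a)}

def cloaked_iframes(responses, baseline="direct"):
    """Return {profile: iframe srcs} absent from the baseline response."""
    base = full_page_iframes(responses[baseline])
    findings = {}
    for profile, html in responses.items():
        extra = full_page_iframes(html) - base
        if profile != baseline and extra:
            findings[profile] = sorted(extra)
    return findings

if __name__ == "__main__":
    print(cloaked_iframes(SAMPLES))
```

Any non-empty result means the page serves a frame to search visitors that a direct visit does not show, which is the behaviour described above.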