Security researchers from Trend Micro warn of an increase in black hat search engine optimization campaigns that use fake YouTube pages and Flash Player updates to trick users into installing malware on their computers. Poisoned search results were detected for queries mentioning Teresa Guidice, Holly Davidson, the BP oil spill, or the Mel Gibson tapes.
Black hat search engine optimization (BHSEO) campaigns are currently one of the most common methods of distributing malware on the Internet. The technique involves artificially inflating the PageRank of malicious websites in order to push them onto the first pages of search results for keywords related to current events.
Celebrity gossip is an unlimited source of subjects for these campaigns. Whether it's a leaked tape depicting a star in intimate postures, an untimely death, or someone's money problems, cyber criminals will be there to take advantage of people's interest in it.
“In the recent attack that we saw, query results for strings such as videos of reality TV celebrity Teresa Guidice, British actress Holly Davidson, and the BP oil spill were found to initially lead to YouTube-like pages before displaying the all-too-familiar fake malware infection warnings,” Trend Micro researchers report.
The fake malware infection warnings are part of scareware distribution efforts, which attempt to trick users into installing a rogue antivirus product and then paying an unnecessary license fee to deal with nonexistent threats. Victims of such scams not only throw away their money, but also compromise their credit card details in the process, exposing themselves to identity theft.
Other BHSEO campaigns, which leverage the latest Mel Gibson scandal involving audio tapes of him threatening his former girlfriend, employ a Flash Player update trick to infect users with malware. The Trend Micro threat analysts point out that the fake page is very believable and that the attackers even went to the trouble of using a domain name similar to Adobe's. The file distributed in this attack is detected by Trend as WORM_UTOTI.Y.
“With the continuing rampancy of blackhat SEO attacks, users are advised to be extremely cautious when conducting searches,” Norman Ingal, threat response engineer at Trend, writes. Running a capable and up-to-date antivirus program on the computer is also a must.
You can follow the editor on Twitter @lconstantin