Searching for UK Fugitive's Photo Can Lead to Malware

Security researchers warn of an ongoing black hat search engine optimization (BHSEO) campaign targeting people searching for photos of Raoul Moat, a man who is currently hunted by British police. The attack affects results in Google Images, which have been poisoned to direct users to malware pushing websites.

UK authorities are in alert since July 3 when a man named Raoul Moat went on a gun rampage and shot his ex-girlfriend, her new boyfriend and a police officer. The man, who used to work as nightclub bouncer, has been successful in escaping capture so far and has taunted police over the phone and regular mail.

The so far 5-day long manhunt has kept the UK public focused on the news for new details. Since the case has already captured International attention a lot of people outside the United Kingdom rely on the Internet to keep themselves updated about the whole situation, a circumstance which malware pushers are trying to exploit.

Christopher Boyd, a malware researcher at antivirus vendor Sunbelt, warns that searching for "Raoul Moat" on Google Images will generate malicious results. "At time of writing, ALL of the image searches from the top line of Google Image Search will redirect you to serveradobe(dot)co(dot)cc [a malicious site]," Mr. Boyd writes on the company's blog.

The site displays a fake ActiveX prompt which reads 'You need to install media components. ActiveX: "Adobe Flash Player" from "Adobe Systems Incorporated".' There is also an alert window instructing users to click on a button to download a "new version of Adobe Flash Player 11 to take advantage of web 2.0."

Clicking on the button is clearly not a good idea, as it triggers the download for a malicious file called v11_adobe_flash.exe, which is only detected by 11 out of the 41 antivirus engines on VirusTotal. "We’re still examining the file, but a fake antivirus or similar shenanigans look likely," the Sunbelt researcher says.

You can follow the editor on Twitter @lconstantin