Mexican earthquake searches leading to Rogue anti-Virus
by Steve Ragan - Apr 5 2010, 22:30
IMG: @elbetOe/ Twitter
Less than two hours after news started to spread that a 7.2 magnitude earthquake struck the Mexican peninsula of Baja California, killing one person and causing scattered property damage, criminals started poisoning search results with links to Rogue anti-Virus applications and other Malware.
We’ve covered SEO poisoning before, including the SEO attacks on Butler University [Link] and the NCAA Final Four [Link], where criminals were spreading Malware as well as Rogue anti-Virus applications by means of poisoned search results leading to the installation programs.
In one of the poisoned searches, using the keywords “Earthquake Mexico April 4 2010”, 50 percent of the first ten results lead to Rogue anti-Virus. Each link leads to one of two sites, either supersafe40p or supersafe26p, both of which reside on the xorg.pl domain.
As was the case with the NCAA and Butler related SEO attacks, each malicious domain in the first ten results uses a PHP script to trigger the redirection. This script can be quickly spotted thanks to its random five-character name, often visible in the link on the results page.
However, as seen below, using “Earthquake Mexicali Today” as the keywords, not all malicious sites fall into this pattern. The site in the image shows no clear script usage, unlike the others, but stands out because the domain is toy related, not news related as one would expect.
Once clicked, the domain redirects to another XORG domain, supersafe27p.
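As an added example (not code from the article), the following proxy-log check looks for the two indicators described above: a five-character PHP redirector reached from a search-engine referrer, and a redirect whose target is a supersafeNNp host under xorg.pl. The log lines, the `.test` host names, the script name and the set of search-engine referrers are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Patterns taken from the article: landing hosts named supersafe<NN>p under
# xorg.pl, and a redirector script with a random five-character name.
# The character set [a-z0-9] for that name is an assumption.
LANDING_HOST = re.compile(r"^supersafe\d+p\.xorg\.pl$", re.I)
REDIRECTOR = re.compile(r"^/[a-z0-9]{5}\.php$", re.I)
# Referrers treated as "came from a search engine" (assumed list).
SEARCH_REFERRER = re.compile(r"^https?://(www\.)?(google|bing|yahoo)\.", re.I)


def classify(url, referrer="", location=""):
    """Return the reasons one proxy-log entry looks like this SEO-poisoning chain."""
    reasons = []
    parsed = urlparse(url)
    if REDIRECTOR.match(parsed.path) and SEARCH_REFERRER.match(referrer):
        reasons.append("five-char php redirector reached from search engine")
    if location and LANDING_HOST.match(urlparse(location).hostname or ""):
        reasons.append("redirect to supersafe*.xorg.pl landing host")
    if LANDING_HOST.match(parsed.hostname or ""):
        reasons.append("request to supersafe*.xorg.pl landing host")
    return reasons


# Constructed proxy-log entries: (url, referrer, status, Location header).
LOG = [
    ("http://news-site.example.test/quake.html",
     "http://www.google.com/search?q=earthquake+mexico", 200, ""),
    ("http://toy-shop.example.test/qz8kd.php",
     "http://www.google.com/search?q=Earthquake+Mexicali+Today", 302,
     "http://supersafe27p.xorg.pl/"),
    ("http://supersafe27p.xorg.pl/",
     "http://toy-shop.example.test/qz8kd.php", 200, ""),
    # Five-char .php on an internal host, but no search-engine referrer: benign.
    ("http://intranet.example.test/abcde.php",
     "http://intranet.example.test/", 200, ""),
]


def scan(log):
    """Return (url, reasons) for every entry that trips at least one indicator."""
    hits = []
    for url, referrer, status, location in log:
        reasons = classify(url, referrer, location if status in (301, 302) else "")
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan(LOG):
        print(url, "->", "; ".join(reasons))
```

Since the article notes that these domains are rotated after a short run, the host pattern is the shortest-lived of the three signals and needs refreshing from current observations.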
As with any dynamic URL service, the criminals know the domains will not last long, so they will change them up after a short run and pick new ones. In the event a domain lasts, but the linked server is taken offline, services like XORG offer DNS redirection, making recovery simple in the criminal’s eyes.
These types of SEO attacks are worth good money for the criminals running them: each of the malicious links above uses an affiliate link, and for every installation they will be paid.
On the upside, the links seen in the images above are being flagged by Google’s Safe Browsing within Firefox and Chrome. However, as you see below, Internet Explorer users can still be snagged in the SEO attacks.
The best bet for protection is the same advice given previously. When searching for a recent event or major news item, stick to legitimate, established news sources. Make sure that you are using an updated browser and security software. Ensure that you are patching all installed software as soon as possible, which will guard against attacks targeting it. A perfect example of this is patching Adobe software.
Lastly, while some browsers will warn you about a potential problem with a URL, others will not. The first noticeable sign of a problem is when your browser itself seems to close. When this happens, the browser is replaced with a warning that more often than not tells you that your system is infected.
If you see this, don’t panic; instead press ALT and F4 together. Sometimes this will close the browser completely; other times it will simply close the warning, prompting a “scanner” to start, which displays a running list of infections on your system.
If you see this screen, first avoid any downloads by canceling them as they appear, and press ALT and F4 together until the browser is completely closed. From there, you will need to restart the browser, but make sure that if it is offered, the session recovery is declined.
Just to be on the safe side, scan your system with your security software. In addition, we find it helpful to keep additional security tools, such as Malwarebytes Anti-Malware, installed and updated, so that we can use them to scan our systems after our security software has run.