Here in Indianapolis, the big news this weekend was the 63-56 win for Butler University over Kansas State, earning Butler a hometown appearance in the NCAA Final Four. At the same time, fans of both the Butler Bulldogs and the NCAA as a whole were quickly targeted by criminals pushing Rogue anti-Virus software.
Update: There have been new developments since this story was published. They can be viewed here.
Rogue anti-Virus applications are becoming more common online as criminals use affiliate programs to make money off their installations, and one of the top methods to do this is to hijack keywords and poison search results. The best earners can make hundreds of thousands of dollars spreading the software.
The reason they make such good money is the scare tactics they use to trick people into installing the false security software. Once installed, the criminals get paid. The fake security software uses popup warnings, alerting you to an infection and other “critical” problems that in reality do not exist on your system. These warnings are often tailored to look like normal system menus and screens, adding to the appearance of legitimacy.
Shortly after Butler became the first team since UCLA in 1972 to make an NCAA Final Four appearance in their hometown, The Tech Herald noticed spikes in Google Trends for search terms related to the NCAA and Butler University.
The trends are not surprising, as Butler’s story will be one of the many that fuels NCAA legend for years to come. Sadly, the rapid move by criminals to poison Butler and NCAA related search results isn’t all that surprising either, but stunning considering how quickly the poisoned results appeared so high in the search listings, and something to take note of.
While searching for Final Four, Butler Final Four, and Final Four 2010, we found several sites using our own keywords as well as those related to Butler’s game on Saturday, redirecting visitors to a domain serving Rogue anti-Virus applications. The domains used in the Black Hat SEO operation were sprinkled in within the first two pages of Google’s search results.
We’ve listed some observations and screenshots of the Rogue anti-Virus itself below, but the thing to do to avoid this problem is to stick to known news sources, and be cautious when searching for NCAA or Butler related information online.
Most Rogue anti-Virus applications require that you download the software. So when you see these ads and fake warnings appear, close your browser and avoid downloading or installing anything that is offered. Sadly, while having solid security software on your system helps stop other Malware, they rarely stop Rogue anti-Virus applications.
When looking at search results, we noticed a pattern for most of the malicious sites, thanks in part to a PHP script. The script uses redirection, and pulls keywords from your search in to the URL of the site. This is just one part of the method used to poison search results by the criminals, but it is effective.
The images below show some of the sites we discovered that were malicious. In the images, you can see that each site has a PHP script in use that is randomly named with five letters. Avoiding sites that show this clear pattern will greatly increase the odds that you do not accidentally come across URLs forcing you to download fake anti-Virus software.
The domain used in the search poisoning operation changes by a two-digit number on the base of rowinscanpcNN-xorg-pl [address broken to prevent linking], where NN is the placeholder for the random number.
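The three indicators described above (a randomly named five-letter PHP script, the visitor's own search keywords echoed back in the URL, and a landing host following the rowinscanpcNN-xorg-pl pattern) can be turned into a simple proxy-log check. The following is an added example written for this article, not code from The Tech Herald; the log lines are constructed, the host regex uses the defanged form exactly as printed above rather than a real address, and the two-indicator threshold is an assumption chosen to avoid flagging ordinary pages such as index.php.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (hypothetical format: timestamp client method url).
SAMPLE_LOG = """\
2010-03-28T14:02:11 10.0.0.5 GET http://rowinscanpc17-xorg-pl/scan/?check=butler+final+four
2010-03-28T14:02:14 10.0.0.5 GET http://example-blog.invalid/qwzrt.php?q=final+four+2010
2010-03-28T14:03:01 10.0.0.7 GET http://www.ncaa.com/final-four
2010-03-28T14:03:40 10.0.0.9 GET http://another.invalid/index.php?page=scores
"""

# Keywords the article reports being hijacked during the Final Four weekend.
SEARCH_TERMS = ["final four", "butler", "ncaa"]

# Indicator 1: a script named with exactly five lowercase letters plus .php.
RANDOM_PHP = re.compile(r"^/[a-z]{5}\.php$")

# Indicator 2: the landing host, in the defanged form printed in the article
# (two-digit NN varies). A real deployment would use the actual observed host.
ROGUE_HOST = re.compile(r"^rowinscanpc\d{2}-xorg-pl$")

# Assumed threshold: a host match alone is enough; otherwise require two
# indicators so that a benign /index.php (also five letters) is not flagged.
MIN_INDICATORS = 2


def classify_url(url):
    """Return the list of indicators a single URL exhibits (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    host = parts.hostname or ""
    if ROGUE_HOST.match(host):
        reasons.append("host matches rogue AV landing pattern")
    if RANDOM_PHP.match(parts.path):
        reasons.append("five-letter random php script")
    # Indicator 3: the search phrase is copied into the query string.
    query_values = " ".join(
        v for vals in parse_qs(parts.query).values() for v in vals
    ).lower()
    if any(term in query_values for term in SEARCH_TERMS):
        reasons.append("search keyword echoed in URL")
    return reasons


def scan_log(text):
    """Return (url, reasons) for every log line that crosses the threshold."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash
        url = fields[3]
        reasons = classify_url(url)
        host_hit = any(r.startswith("host matches") for r in reasons)
        if host_hit or len(reasons) >= MIN_INDICATORS:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```

Run against the constructed log, the first two lines are reported (host pattern plus echoed keyword, and random script plus echoed keyword respectively), while the legitimate ncaa.com page and the ordinary index.php page are not. The keyword list and threshold are the knobs to tune for a real environment; the host regex should be replaced with the un-defanged host actually observed.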
Other observations showed us that the same page is serving three different warning screens. One of them looks like the typical theme for Windows XP, while the other two reported and mimicked the use of Windows Vista.
In fact, while we used Firefox to view the Rogue anti-Virus pages, they were static in reporting that we were using Internet Explorer 7. For the record, the version of Windows in use at the time was XP SP3.
Again, the best way to avoid Rogue anti-Virus attacks coming from malicious search results is to stick to known news sources, and avoid sites that look suspicious. While sites will have some of the keywords you are looking for, the ones that seem to have them all, and use them repeatedly, should be viewed with caution.