The Tech Herald

NCAA and Butler targeted by criminals after winning weekend

by Steve Ragan - Mar 29 2010, 07:20


Here in Indianapolis, the big news this weekend was the 63-56 win for Butler University over Kansas State, earning Butler a hometown appearance in the NCAA Final Four. At the same time, fans of both the Butler Bulldogs and the NCAA as a whole were quickly targeted by criminals pushing Rogue anti-Virus software.

Update: There have been new developments since this story was published. They can be viewed here.

Rogue anti-Virus applications are becoming more common online as criminals use affiliate programs to make money off their installations, and one of the top methods to do this is to hijack keywords and poison search results. The best earners can make hundreds of thousands of dollars spreading the software.

The reason they make such good money is the scare tactics they use to trick people into installing the false security software. Once installed, the criminals get paid. The fake security software uses popup warnings, alerting you to an infection and other “critical” problems that in reality do not exist on your system. These warnings are often tailored to look like normal system menus and screens, adding to the appearance of legitimacy.

Shortly after Butler became the first team since UCLA in 1972 to make an NCAA Final Four appearance in their hometown, The Tech Herald noticed spikes in Google Trends for search terms related to the NCAA and Butler University.

The trends are not surprising, as Butler’s story will be one of the many that fuels NCAA legend for years to come. Sadly, the rapid move by criminals to poison Butler and NCAA related search results isn’t all that surprising either. What is stunning, and worth taking note of, is how quickly the poisoned results appeared so high in the search listings.

While searching for Final Four, Butler Final Four, and Final Four 2010, we found several sites using our own keywords as well as those related to Butler’s game on Saturday, redirecting visitors to a domain serving Rogue anti-Virus applications. The domains used in the Black Hat SEO operation were sprinkled within the first two pages of Google’s search results.

We’ve listed some observations and screenshots of the Rogue anti-Virus itself below, but the thing to do to avoid this problem is to stick to known news sources, and be cautious when searching for NCAA or Butler related information online.

Most Rogue anti-Virus applications require that you download the software. So when you see these ads and fake warnings appear, close your browser and avoid downloading or installing anything that is offered. Sadly, while having solid security software on your system helps stop other Malware, it rarely stops Rogue anti-Virus applications.

When looking at search results, we noticed a pattern for most of the malicious sites, thanks in part to a PHP script. The script uses redirection, and pulls keywords from your search into the URL of the site. This is just one part of the method the criminals use to poison search results, but it is effective.

The images below show some of the sites we discovered that were malicious. In the images, you can see that each site has a PHP script in use that is randomly named with five letters. Avoiding sites that show this clear pattern will greatly increase the odds that you do not accidentally come across URLs forcing you to download fake anti-Virus software.




The domain used in the search poisoning operation varies by a double digit number added to a fixed base name: rowinscanpcNN-xorg-pl [address broken to prevent linking], where NN is the placeholder for the random number.
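The two patterns described above (a five-letter PHP script whose URL echoes the search keywords, and the numbered landing domain) can be turned into a simple triage check for proxy logs or search results. This is an added example, not code from The Tech Herald; the exact URL layout, the list of common script names to ignore, the acceptance of dots as well as the article's hyphens in the host name, and all sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Script name of exactly five letters ending the path, as the article describes.
SCRIPT_RE = re.compile(r"/([a-z]{5})\.php$", re.IGNORECASE)
# Landing host: fixed base plus two digits. The article prints it broken with
# hyphens; accepting dots as well is an assumption.
LANDING_RE = re.compile(r"^rowinscanpc\d{2}[-.]xorg[-.]pl$", re.IGNORECASE)
# Legitimate five-letter script names that would otherwise match (assumed list).
COMMON_SCRIPTS = {"index", "login", "admin"}

def words(text):
    """Lower-cased alphanumeric tokens of a string."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def classify(url, search_terms):
    """Return 'block', 'suspicious' or 'ok' for one URL seen after a search."""
    parts = urlsplit(url)
    if LANDING_RE.match(parts.hostname or ""):
        return "block"            # known rogue anti-virus landing pattern
    m = SCRIPT_RE.search(parts.path)
    if m and m.group(1).lower() not in COMMON_SCRIPTS:
        wanted = words(search_terms)
        echoed = words(unquote_plus(parts.query))
        if wanted and wanted <= echoed:
            return "suspicious"   # random-looking script echoing every keyword
    return "ok"

# Constructed sample data: (URL, search the user typed).
SAMPLES = [
    ("http://blog.example/xkqzt.php?q=butler+final+four", "Butler Final Four"),
    ("http://news.example/index.php?s=final+four", "Final Four"),
    ("http://news.example/sports/final-four-2010.html", "Final Four 2010"),
    ("http://blog.example/xkqzt.php?id=7", "Final Four 2010"),
    ("http://rowinscanpc42-xorg-pl/scan", "Final Four"),
]

def triage(samples):
    """Classify every (url, search) pair in order."""
    return [classify(url, terms) for url, terms in samples]

if __name__ == "__main__":
    for (url, _), verdict in zip(SAMPLES, triage(SAMPLES)):
        print(f"{verdict:10} {url}")
```

The five-letter name alone is a weak signal, since ordinary names such as index.php also fit it, which is why the check requires the keyword echo before raising a verdict.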

Other observations showed us that the same page is serving three different warning screens. One of them looks like the typical theme for Windows XP, while the other two reported and mimicked the use of Windows Vista.

In fact, while we used Firefox to view the Rogue anti-Virus pages, they always reported that we were using Internet Explorer 7, regardless of the actual browser. For the record, the version of Windows in use at the time was XP SP3.

Again, the best way to avoid Rogue anti-Virus attacks coming from malicious search results is to stick to known news sources, and avoid sites that look suspicious. While sites will have some of the keywords you are looking for, the ones that seem to have them all, and use them repeatedly, should be viewed with caution.




