On January 25, 1:25 p.m., Munich time, Trend Micro analysts received reports regarding a blackhat search engine optimization (SEO) attack wherein users whose search strings contained the words "free printable" came across sites that redirected them to compromised domains.
This attack is currently ongoing and our researchers are working toward a more complete understanding of the attack's components and its implications. Please check this page frequently for updates.
What is a blackhat SEO attack?
Blackhat SEO attacks are illegitimate means of obtaining high rankings in search engines. Cybercriminals may use them to lure users into clicking links that appear relevant but actually contain malicious or unwanted elements. By using popular search terms, cybercriminals increase the likelihood of users coming across their specially crafted Web pages. In 2009, we saw several blackhat SEO attacks that used search terms that had suddenly become popular, as in the case of news or seasonal events.
What happens in this attack?
Users who use popular search engines to search for terms including the words "free printable" may encounter malicious search results.
These search results are actually compromised websites made to host a
results will trigger redirections to certain redirector sites.
Based on our subsequent analysis, these redirector sites lead to a rogue search engine page. The rogue search engine page itself is localized based on the user's IP address. The redirector sites, meanwhile, can be quickly modified by cybercriminals to point to other malicious portals. In our preliminary analysis, one search result led to a FAKEAV variant.
What is the end goal of this attack?
Site owners often pay referrers to bring more traffic to their sites. In this attack, cybercriminals make it appear as if their rogue search engines referred the user to a certain site instead of the search engine the user actually used. Site owners therefore end up paying cybercriminals for what is actually an illegitimate referral.
This attack was also seen earlier to lead to the download of FAKEAV variants, otherwise known as rogue antivirus software. FAKEAV malware is scareware that plants fake infection warnings on a computer to get the user to key in credit card information to pay for the "full version" of fake software.
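As an added example (not code from Trend Micro or from this post), the redirect chain and referral substitution described in the two sections above can be checked for in proxy logs: the script follows a client's requests from a search-engine result click through successive redirects and flags the case where the page at the end of the chain saw a rogue search engine as its referrer rather than the engine the user actually used. The log format, all hostnames and the SEARCH_ENGINES set are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs
# Constructed proxy log lines (hypothetical format): <client> <status> <url> <referer-or-dash>
SAMPLE_LOG = """\
10.0.0.5 302 http://compromised.example/calendar.html http://www.google.com/search?q=free+printable+calendar
10.0.0.5 302 http://redirector.example/go?id=7 http://compromised.example/calendar.html
10.0.0.5 200 http://rogue-search.example/results?q=free+printable+calendar http://redirector.example/go?id=7
10.0.0.5 200 http://advertiser.example/landing http://rogue-search.example/results?q=free+printable+calendar
10.0.0.9 200 http://legit.example/coupons http://www.bing.com/search?q=free+printable+coupons
""".splitlines()
LINE_RE = re.compile(r"^(\S+) (\d{3}) (\S+) (\S+)$")
SEARCH_ENGINES = {"www.google.com", "search.yahoo.com", "www.bing.com"}  # assumed set
def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines
    client, status, url, referer = m.groups()
    return {"client": client, "status": int(status), "url": url,
            "referer": "" if referer == "-" else referer}
def search_terms(url):
    """Lower-cased query terms if `url` is a result page on a known engine, else None."""
    p = urlparse(url)
    if p.hostname not in SEARCH_ENGINES:
        return None
    return " ".join(parse_qs(p.query).get("q", [])).lower()
def find_chains(lines, phrase="free printable"):
    """Per client: start a chain at a click on a result for `phrase`, follow it while each Referer
    equals the previous URL, and flag it when the final page saw a Referer host other than the engine."""
    by_client = {}
    for rec in filter(None, map(parse_line, lines)):
        by_client.setdefault(rec["client"], []).append(rec)
    findings = []
    for client, recs in by_client.items():
        i = 0
        while i < len(recs):
            terms = search_terms(recs[i]["referer"])
            if terms is None or phrase not in terms:
                i += 1
                continue
            engine, hops = urlparse(recs[i]["referer"]).hostname, [recs[i]]
            while i + 1 < len(recs) and recs[i + 1]["referer"] == recs[i]["url"]:
                i += 1
                hops.append(recs[i])
            seen_by_landing = urlparse(hops[-1]["referer"]).hostname
            findings.append({"client": client, "engine": engine, "landing_referer": seen_by_landing,
                             "path": [urlparse(h["url"]).hostname for h in hops],
                             "substituted": len(hops) > 1 and seen_by_landing != engine})
            i += 1
    return findings
```

The `substituted` flag is the signal that matters for the affiliate fraud described above; `path` lists the hosts a user passed through, which is what a defender would feed into URL reputation blocking.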
What risks do users face in this attack?
Apart from unknowingly helping cybercriminals profit from the affiliate scheme, users also run the risk of encountering other threats as long as the redirectors remain under the full control of cybercriminals. Redirectors can easily be made to point to new sites or portals that host malware.
How do I protect myself from this attack?
To avoid becoming victims of this attack as it progresses,
users should refrain from using the words "free printable" in their
Furthermore, users should install security software with a good URL reputation service that can rate and block access to malicious domains and specific URLs. Trend Micro™ Smart Protection Network™ blocks access to the malicious domains and URLs found in this attack.
Users should also put in place security software that can block and
detect malicious binaries and scripts. Smart Protection
redirection either as JS_REDIRECT.SMF or JS_REDIRCT.MAC.