Written by: Bernadette Caraig

Background of the Attack

On January 25, 1:25 p.m., Munich time, Trend Micro analysts received reports regarding a blackhat search engine optimization (SEO) attack wherein users using search strings with the words "free printable" came across sites that redirected them to compromised domains.

This attack is currently ongoing and our researchers are working toward a more complete understanding of the attack's components and its implications. Please check this page frequently for updates.


What is a blackhat SEO attack?

Blackhat SEO attacks are illegitimate means of obtaining a high ranking in search engines. Cybercriminals may use them to lure users into clicking links that appear relevant but actually contain malicious or unwanted elements. By using popular search terms, cybercriminals can increase the likelihood of users coming across their specially crafted Web pages. In 2009, we saw several blackhat SEO attacks that used search terms that had suddenly become popular, as in the case of news or even seasonal events.


What happens in this attack?


Users who search popular search engines for terms that include the words "free printable" may encounter malicious search results. These search results are actually compromised websites made to host a malicious JavaScript redirector. Users who click the malicious search results will trigger redirections to certain redirector sites.

Based on our subsequent analysis, these redirector sites lead to a rogue search engine page. The rogue search engine page itself is localized based on the user's IP address. The redirector sites, meanwhile, can be quickly modified by cybercriminals to point to other malicious portals. In our preliminary analysis, one search result led to a FAKEAV variant.
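The redirection chain described above (search result, compromised site, redirector site, rogue search page) leaves a recognizable trail in web proxy logs. The following detection sketch is an added example, not part of the original advisory. The log layout, host names, query parameter names and time window are all assumptions, and it presumes the proxy records the Referer header for each hop.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumed for this example: search hosts, query parameter names, 5-second window.
SEARCH_HOSTS = {"search.example"}
QUERY_PARAMS = ("q", "p", "query")
WATCH_PHRASE = "free printable"
WINDOW = timedelta(seconds=5)

# Constructed proxy log: (timestamp, client, requested URL, Referer header).
SAMPLE_LOG = [
    ("2010-01-25T13:25:01", "10.0.0.7", "http://crafts.example/cards.html",
     "http://search.example/?q=free+printable+cards"),
    ("2010-01-25T13:25:02", "10.0.0.7", "http://hop.test/in.php?id=1",
     "http://crafts.example/cards.html"),
    ("2010-01-25T13:25:03", "10.0.0.7", "http://results.test/search?k=cards",
     "http://hop.test/in.php?id=1"),
    ("2010-01-25T13:30:00", "10.0.0.9", "http://school.example/calendar.html",
     "http://search.example/?q=free+printable+calendar"),
    ("2010-01-25T13:31:40", "10.0.0.9", "http://school.example/print.html",
     "http://school.example/calendar.html"),
]

def from_watched_search(referer):
    """True if the Referer is a search results page for the watched phrase."""
    parts = urlsplit(referer)
    if parts.hostname not in SEARCH_HOSTS:
        return False
    query = parse_qs(parts.query)
    terms = " ".join(v for p in QUERY_PARAMS for v in query.get(p, []))
    return WATCH_PHRASE in terms.lower()

def find_redirect_chains(log):
    """Return (client, [hosts...]) for search clicks that hop off-site quickly."""
    rows = sorted((datetime.fromisoformat(t), c, u, r) for t, c, u, r in log)
    chains = []
    for ts, client, url, referer in rows:
        if not from_watched_search(referer):
            continue
        chain, last_url, last_ts = [urlsplit(url).hostname], url, ts
        for ts2, client2, url2, ref2 in rows:
            host2 = urlsplit(url2).hostname
            if (client2 == client and ref2 == last_url and host2 not in chain
                    and timedelta(0) <= ts2 - last_ts <= WINDOW):
                chain.append(host2)
                last_url, last_ts = url2, ts2
        if len(chain) > 1:
            chains.append((client, chain))
    return chains
```

On the constructed log, only the first client is flagged: its search click hops across two further hosts within seconds, while the second client stays on the site it clicked through to.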

What is the end goal of this attack?


Site owners often pay referrers to get more traffic to their sites. In this attack, cybercriminals make it appear as if their rogue search engines referred a certain site instead of the search engine the user actually used. Site owners therefore pay cybercriminals for what is actually an illegitimate referral.


This attack was also seen earlier to lead to the download of FAKEAV variants, otherwise known as rogue antivirus software. FAKEAV malware is scareware that plants fake infection signals on a computer to get the user to key in credit card information to pay for a "full version" of fake software.


What risks do users face in this attack?


Apart from unknowingly helping cybercriminals profit from the affiliate scheme, users also run the risk of encountering other malicious threats as long as redirectors are under the full control of cybercriminals. Redirectors can be easily made to point to new sites or portals that host malware.


How do I protect myself from this attack?


  • To avoid becoming victims of this attack as it progresses, users should refrain from using the words "free printable" in their searches.
  • Furthermore, users should install security software with a good URL reputation service that can rate and block access to malicious domains and specific URLs. Trend Micro Smart Protection Network blocks access to the malicious domains and URLs found in this attack.
  • Users should also put in place security software that can block and detect malicious binaries and scripts. Smart Protection Network detects the malicious JavaScripts that perform the initial redirection either as JS_REDIRECT.SMF or JS_REDIRCT.MAC.