Did you follow the Senate race in Massachusetts between Scott Brown and Martha Coakley? Well, so did cybercriminals. They likely had no interest in who won, however. What attracted them was how many of us were performing online searches, looking for information on the race. So, the bad guys raced to answer this need, but it wasn’t with information on who won. It was with traps to infect us with rogue security software.
Symantec—through use of our Norton Safe Web technology—has identified significant search engine poisoning in searches related to the political race. At one point we looked at the results of a search for “Massachusetts senate race results” and found that 33 of the first 100 search results led to malicious sites. Eleven of the first 100 results for the related search “Brown Coakley results” also led to malicious sites. Unfortunately none of this is all that surprising to us. From Michael Jackson’s death, to the tragedy in Haiti, to whatever the next big news story is, the bad guys always seek to take advantage of our interest.
After analysis it appears many of these bad links led to rogue security software—these are misleading applications that pretend to be legitimate security software, quite convincingly so in many instances, but which actually provide little or no protection and can in reality infect a computer with the very malware they purport to protect against. The fact that we’re seeing so many of these bad links lead to rogue security software is also not all that surprising. After all, peddlers of misleading applications can’t sell their snake oil through legitimate marketing, so they have to try and sneak in through the back door—they’ll do whatever they can to fool you. Search engine poisoning, or black hat search engine optimization (SEO), is one of their trademark techniques.
A common black hat SEO tactic involves planting links to rogue security software websites on legitimate websites, such as blogging services, wikis, forums, and social networking sites. This tactic exploits search engine indexing algorithms that determine the relevancy of a website by the number of links that point to it. This process is typically automated by software that can visit these various Internet locations and add content. Because this activity is considered to be a form of spam, many websites implement measures such as CAPTCHA schemes to prevent content from being added automatically. CAPTCHA schemes are used to ensure that human users, and not automated systems, are adding the content. This in turn has resulted in a number of efforts to bypass CAPTCHA that range from exploiting weaknesses in CAPTCHA algorithms to outsourcing the task of manually solving CAPTCHA challenges.
Other black hat SEO tactics include link farming, keyword stuffing, and cloaking. Link farming is an SEO tactic used to increase search rankings by having a large group of websites include reciprocal links to each other. Keyword stuffing involves placing long lists of often irrelevant keywords into Web page content. Cloaking involves creating website content specifically for search engine crawlers that is different from the content served to users; this may cause search engines to index the site based on misleading content and potentially improve its search rankings.
Black hat SEO campaigns have also been known to exploit vulnerabilities in websites, such as cross-site scripting. In one reported example, vulnerabilities in a popular blogging platform were exploited to promote rogue security software. Scam distributors also purchase keywords from search engines in order to boost the ranking of their scam websites and so that the websites will appear as valid, "sponsored" results.
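As an added example (not Symantec's code and not part of Norton Safe Web), the following Python script shows how a defender can surface the cloaking, referrer-based redirection and keyword stuffing described above: it requests the same URL as a crawler, as a visitor arriving from a search results page, and as someone typing the address directly, then compares what each one gets. The landing page, its hostnames and the header values are constructed stand-ins, and `fetch` is a pluggable function so the check runs offline.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

# Constructed request profiles: search crawler, visitor coming from a results page, direct visitor.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
PROFILES = {
    "crawler": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "searcher": {"User-Agent": BROWSER_UA,
                 "Referer": "http://www.google.com/search?q=massachusetts+senate+race+results"},
    "direct": {"User-Agent": BROWSER_UA},
}

def simulated_cloaked_site(url, headers):
    """Constructed stand-in for a poisoned landing page (not a real site): crawlers get
    keyword-stuffed text, search visitors get bounced to a fake scanner, others see a harmless page."""
    ua, ref = headers.get("User-Agent", ""), headers.get("Referer", "")
    if "Googlebot" in ua:
        stuffed = " ".join(["massachusetts senate race results"] * 40)
        return f"<html><body><h1>Senate race results</h1><p>{stuffed}</p></body></html>"
    if "google.com/search" in ref:
        return ('<html><head><meta http-equiv="refresh" '
                'content="0;url=http://fake-scanner.invalid/setup.exe"></head></html>')
    return "<html><body><p>Welcome to my personal blog.</p></body></html>"

def visible_text(html):
    # Crude tag stripping is enough for comparing what each visitor would actually read.
    return " ".join(re.sub(r"<[^>]+>", " ", html).split())

def similarity(html_a, html_b):
    return SequenceMatcher(None, visible_text(html_a), visible_text(html_b)).ratio()

def top_word_coverage(html, n=5, min_words=50):
    """Share of all words taken by the n most frequent ones (1.0 = a handful of words repeated
    over and over). Pages shorter than min_words are skipped to limit false positives."""
    words = re.findall(r"[a-z]+", visible_text(html).lower())
    if len(words) < min_words:
        return 0.0
    return sum(count for _, count in Counter(words).most_common(n)) / len(words)

def assess(fetch, url, sim_threshold=0.5, stuff_threshold=0.6):
    """Fetch the URL under each profile and list cloaking, stuffing and redirect indicators."""
    views = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    findings = []
    if similarity(views["crawler"], views["searcher"]) < sim_threshold:
        findings.append("user-agent cloaking: crawler and search visitor see different content")
    if similarity(views["searcher"], views["direct"]) < sim_threshold:
        findings.append("referrer cloaking: search visitors and direct visitors see different content")
    if top_word_coverage(views["crawler"]) > stuff_threshold:
        findings.append("keyword stuffing in the crawler view")
    if re.search(r'http-equiv=["\']refresh', views["searcher"], re.I):
        findings.append("search visitors are redirected (meta refresh)")
    return findings
```

Running `assess(simulated_cloaked_site, "http://poisoned.invalid/results.html")` reports all four indicators; against a real site you would replace `fetch` with a function that performs the HTTP request with the given headers and returns the body.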
Sometimes the bad guys even go so far as to create malicious or false search engines. Users are tricked into using the illegitimate search engine when they are enticed to search for a special file, usually a topical video or the like. When the user searches with one of these fake search engines, the results instead redirect to websites that host malicious code and rogue security software.
The affiliate networks that are so prevalent in rogue security software scams can provide the scam developers with the talent and resources necessary to distribute their software using the tactics discussed above. In turn, they may rely on resources in the underground economy to launch spam and black hat SEO campaigns.
Here are some best practices that should be followed to avoid falling victim to search engine poisoning and rogue security software:
· Always keep your legitimate security software up to date and your entire system patched.
· Raise your level of awareness. Scrutinize all search engine results thoroughly.
· Be cautious of pop-up displays and banner advertisements that mimic legitimate displays or try to promote security products.
· Do not accept or open suspicious error displays from within a Web browser as these are often methods rogue security software scams use to lure you into downloading and installing their fake product.
· Purchase security software only from reputable and trusted sources and only download applications directly from the vendor’s website or legitimate partners.
· Exercise caution when browsing the Web. Since malicious attacks can result in the hijacking of open sessions, make sure to log out of websites when your session is complete.
· Regularly review your credit card and other financial information as this can provide information on any irregular activities.