With only a couple of days to go before the start of the World Cup in South Africa, the people behind the black hat search engine poisoning attacks have been very busy trying to up their game. The goal, as ever, is to get their bogus software out to as many victims as possible, and the excitement around the World Cup presents a golden opportunity.
We have become aware of many World Cup 2010-related search terms that are currently being used to direct users to the familiar FakeAV scanner pages.
The scanner pages are the usual suspects that have been designed to look like the user interfaces of Windows XP, Vista and Windows 7. We have seen them time and time again—after the fake scan is over, they offer the user a file named packupdate[RANDOM NUMBER]_195.exe to resolve the problems and malware that were allegedly present.
Symantec customers are protected by our IPS protection (HTTP FakeAV Redirect Request), which will block the fake scanner page so that users will not even get to the point where they are presented with the fake page. The files offered for download are variants of VirusDoctor.
Over recent months we have noticed that search engines such as Google are doing a good job at flagging and filtering out poisoned search terms from their search results. This has resulted in a marked drop in successful SEO attacks through their search engine, but many are still getting through. Their battle with the fake antivirus creators on the search engine side has many parallels with our own task of keeping malware at bay. In many ways search engines are just another front in this ongoing war and battles will be won and lost along the way as each side makes their advances. One thing that can we can be sure of is as long as there is money to be made in the fake antivirus game, there will be those who will try and pushing them through using whatever means possible.
In the mean time, be careful when you search for official World Cup 2010 information. Why not go directly to FIFA? And also be sure to check out our 2010 Net Threat website for the latest information on World Cup-related threats.