“Google Sponsored Links” Sponsor Misleading Websites Blacklisted By Google
Attackers often use search engines to deliver malware. Earlier we reported that Yahoo-sponsored search results were used to promote misleading applications. Also, attackers reportedly abused Google advertisement services in order to push out misleading applications.
Instead of using techniques like search engine optimization (SEO) poisoning to get the optimum listing in the search engine results, attackers have recently been using Google’s sponsored links. In this situation the attackers’ advertisements would have been displayed on all websites that use Google’s sponsored links. For example, when a user searches for Adobe Flash player 9, Google-sponsored links might display one particular download link as flashplayer.9-downloadcenter.com. (Please do not visit this link). This link silently redirects to a site that is hosting exploits for Snapshot, RealPlayer, and other application vulnerabilities. The user will be redirected to a page that attempts to mislead users to pay for the advertised software, which, in fact, can be downloaded for free from the vendor’s (Adobe) website.
Similar attacks reported earlier only misled users by charging for free products. However, it seems that attackers are now using drive-by downloads to push malware on to users’ machines. The following are some screenshots of the Google-sponsored links from different websites. The misleading advertisement is circled.
Interestingly, flashplayer.9-downloadcenter.com is already blacklisted and blocked by Google SafeBrowse. Here is the snapshot of the Google SafeBrowse Diagnostics page:
Some of the keywords that can lead users to this misleading website are listed below:
Flash player 9
Adobe Flash Player 9
Adobe Flash 9
Download Flash player 9
Flash player install
Users should be aware that results for keywords returned by search engines can be manipulated. As always, we encourage users to download applications directly from the vendor's website or legitimate partners only. Symantec customers are protected from this attack with the latest IPS and antivirus.