When trawling the Web today we came across a website that has been compromised and rigged so that it is returned in search engine results for many different search terms. The site in question belongs to a UK-based company that specializes in hiring out holiday homes and is a legitimate business. However, the site has been compromised and is being used in a major ongoing SEO-based misleading applications attack, and has been for some time now. As you can see in the sample search results below, you may wonder what college football, a Ukraine vs. Greece soccer match, Penn State basketball, and Robin Williams have to do with renting a holiday home—and with good reason, too.
The key to identifying malicious pages in the search results is looking for the string “okps.php” in the URL. If you see that string anywhere in the URL, avoid it like the plague. Your computer and sanity will thank you for that. The interesting thing, according to the search, is that there are over a thousand results on this compromised site containing this malicious PHP page. Yes, that’s right, the gang behind the attack has kept up a sustained SEO campaign targeting popular search terms and hosted it on this compromised site for some time.
If any of these links are clicked, you will be sent through a chain of redirections, ending up on any of the following domains:
- Ciljaho.cn
- Esiafog.cn
- Eviyqdu.cn
- Evoutma.cn
- Koljiyd.cn
- exeywra.cn
- exiusom.cn
Many of these domains are now unreachable or offline, but the ones that are live were going to an IP of 93.174.95.192, hosted in the Netherlands. The server is set up to deliver the usual mix of pop-up window warnings, which lead to a fake online antivirus scan that "finds" a whole host of fake problems with your computer. (Notice that the computer that I’m using is running Ubuntu Linux, yet the warnings and scan screens are still made to look like it is running on Windows XP.)
The name of the executable being offered to you will be named Install[RANDOM NUMBER].exe, where RANDOM NUMBER is a number used in the URL parameter value of UID. The file in question, dubbed Internet Antivirus Pro, is already detected by Symantec as
Trojan.FakeAV. In addition to the standard fake scan screens and pop-up windows, the site also has a pretty serious-looking “nag” window too.
So there you have it. Check search engine results carefully before you click on them, and remember not to click on links with “okps.php” in the URL.