May 7, 2010

BlackHat SEO Abuse Of UK General Election

Carl Leonard, Principal Security Analyst

Websense Security Labs™ ThreatSeeker™ Network has discovered that search terms relating to the UK General Election are delivering rogue antivirus to end users through the use of BlackHat SEO.

The British General Election polls closed yesterday, and news of the results is gradually making its way into traditional press and online media. Malware authors are abusing the topical nature of the event to direct users to rogue (fake) antivirus applications. The payloads are hosted on a Polish Web hosting provider, a trend that we have seen recently.

Screenshot of Google search result:

Typical search terms that will return malicious links include:

  • uk election news
  • uk election
  • british election 2010
  • british election results
  • uk general election 2010

The user is directed to a Web site delivering rogue antivirus:

The VirusTotal result for the payload file (SHA1: 15e1cdebe76aafb97409c4354cf8724542208f8c) shows only a 25% detection rate by AV vendors.

Websense Messaging and Websense Web Security customers are protected against this attack.
