Rogue AV rides the US Midterm Elections wave

On the eve of the 2010 US Midterm Elections, Websense Security Labs™ ThreatSeeker™ Network has discovered that some search terms related to the ongoing event return sites employing black hat SEO.  Websense customers are protected against this attack through our Advanced Classification Engine. 

As you can see, some of the infected sites already come with a warning.  However, there are still a handful of Web sites that do not have warning messages attached to them.  Search terms used in this attack include:

2010 midterm election
midterm election results
midterm election 2010
midterm election latest polls
midterm election 2010
midterm election season
midterm election latest polls gallup

At the time of writing, the black hat SEO'd sites appear benign, only redirecting users to what appears to be a blank page.  A closer look at the code reveals that the page contains a URL to a rogue AV site.

If you copy and paste this URL in your browser, it will redirect you to the rogue AV download page which prompts the user to download inst.exe, identified by 10 of 43 VirusTotal engines. 

If you put the pieces together, the black hat SEO'd sites + blank redirect page + blank redirect page containing a URL leading to rogue AV sites, we can now conclude that the bad guys are actively prepping these Web sites for deployment tomorrow when the actual elections happen.  As always, be extra-cautious when clicking links, particularly those related to hot and trending topics and events.