X-Labs
November 10, 2010

Veteran's Day spurs Poisoned Search

Forcepoint

Today is Veteran's Day, and as with any other holiday, black hat SEO and spam emails have been visible since Monday this week. Websense customers are protected against this attack through our Advanced Classification Engine.

Search terms like "veteran's day", "veteran's day 2010", "veteran's day events", "veteran's day california" and "veteran's day honolulu" return poisoned web results.



  
Earlier this week, the code found on the infected site was reminiscent of last week's Midterm Elections attack. In fact, the websites used in the Midterm Elections black hat SEO are also the ones used for the Veteran's Day black hat SEO. At the time, the redirection was not working, although the URL specified is an active rogue AV site. As you can see below, the election term is replaced by Veteran's Day related search terms.

Today, the poisoned results' redirection pages are up and running. If the user is using Firefox, they will be redirected to a fake Firefox update page, prompting them to download a file called firefox-update.exe, detected by 13/40 VT engines. For Internet Explorer, users are redirected to the ever so familiar rogue AV page. The only noticeable difference is that the rogue AV installer is not available for download; clicking on the "Remove all" button only prompts a warning box.
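A defender can hunt for this chain in web proxy logs. The following is an added example, not code from the original post: it flags a client that arrives at a site from a search engine, is redirected to a different host, and then downloads an .exe from that host. The log layout, hostnames, search-engine list and 30-second window are assumptions, and it assumes the redirect is visible as an HTTP 3xx response.

```python
from urllib.parse import urlparse

SEARCH_MARKERS = (".google.", ".bing.", ".yahoo.")  # assumed search referrers
WINDOW = 30  # assumed max seconds between redirect and executable download

# Constructed proxy records: (epoch, client, url, referer, status, location)
SAMPLE_LOG = [
    (100, "10.0.0.5", "http://blog.example.test/veterans-day-2010",
     "http://www.google.com/search?q=veteran%27s+day+2010", 302,
     "http://update.example.invalid/ff/"),
    (101, "10.0.0.5", "http://update.example.invalid/ff/", "", 200, ""),
    (109, "10.0.0.5", "http://update.example.invalid/ff/firefox-update.exe",
     "http://update.example.invalid/ff/", 200, ""),
    # Benign: search click with no redirect
    (200, "10.0.0.9", "http://news.example.test/parade",
     "http://www.bing.com/search?q=veterans+day+events", 200, ""),
    # Benign: same-host redirect followed by a download
    (300, "10.0.0.7", "http://shop.example.test/a",
     "http://www.google.com/search?q=x", 301, "http://shop.example.test/b"),
    (305, "10.0.0.7", "http://shop.example.test/setup.exe", "", 200, ""),
]

def host(url):
    return (urlparse(url).hostname or "").lower()

def is_search_referer(referer):
    # Heuristic label match on the referrer host; tune the list per environment.
    dotted = "." + host(referer)
    return any(marker in dotted for marker in SEARCH_MARKERS)

def find_poisoned_chains(log):
    pending = {}  # (client, redirect target host) -> (time, landing URL)
    hits = []
    for ts, client, url, referer, status, location in sorted(log):
        if 300 <= status < 400 and is_search_referer(referer):
            target = host(location)
            if target and target != host(url):  # cross-host redirect only
                pending[(client, target)] = (ts, url)
        elif urlparse(url).path.lower().endswith(".exe"):
            seen = pending.get((client, host(url)))
            if seen and ts - seen[0] <= WINDOW:
                hits.append((client, seen[1], url))
    return hits

if __name__ == "__main__":
    for client, landing, download in find_poisoned_chains(SAMPLE_LOG):
        print(f"{client}: {landing} -> {download}")
```

Redirects performed in page script rather than by a 3xx response would not match this rule and need Referer-based chaining instead.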

 

The fact remains that there is more than one way to find something on the web, so the malware pushers have decided to use poisoned image results too. Unlike the poisoned web search results, poisoned image results have been active since Monday. The payload is also browser-based today, although it was serving up rogue AV regardless of the browser last Monday.



Finally, spammers want their share of the pie as well, so when you look at the results under videos, a slew of adult content is returned. Of course, this is in addition to the spam emails spammers have been distributing since last week.


To conclude, we have seen how business-minded malware pushers are: one piece of code used in two different events. As always, be cautious when clicking search results. The "This site may harm your computer." warning is not always there to save the day, especially in video and image search results. Moreover, keep in mind that malware pushers are diversifying their portfolio by including poisoned image search results more and more.

 

UPDATE 

We are also seeing the same attack on search terms related to today's UK Remembrance Day. Do be cautious when searching for "holocaust remembrance day 2010" and "remembrance day 2010".
