Internet activity around the 2010 World Cup is at an all-time high, and if football’s premier tournament continues to deliver sensational stories like France’s acrimonious first-round exit, the trend will continue. Unfortunately, this surge of activity has led to a concurrent rise in cybercrime and what researchers call “search engine optimisation (SEO) poisoning attacks”.
According to Symantec’s Hon Lau, the criminals compromise web servers hosted by well-known hosting providers and infect them with malware that generates poisoned links by associating the domains of known compromised web hosts with search terms from Google Trends.
“The criminals are able to push their results up higher in the Google results page by leveraging the fact that Google ranks search results of domains that are more ‘interconnected’ higher. Once you click their poisoned search results you are re-directed to a Fake AV (antivirus) site (see screenshot below).
“The goal, as ever, is to get their bogus software out to as many victims as possible, and the excitement around the World Cup presents a golden opportunity.”
The fake web pages are often designed to look like the user interfaces of Windows XP, Vista and Windows 7. After users run the fake scan, they are offered a file named packupdate[RANDOM NUMBER]_195.exe to eliminate the problems and malware that were allegedly present.
Says Lau: “Symantec customers are protected by our IPS protection that blocks the fake scanner page. The files offered for download are variants of VirusDoctor.”
The good news is that over recent months, the researchers have noticed that search engines such as Google are doing a good job of flagging and filtering out poisoned search terms from their search results.
“This has resulted in a marked drop in successful SEO attacks through this popular search engine, but many are still getting through. Fans are warned to be careful when searching for official World Cup 2010 information and advised to stick to legitimate news sites,” says Lau.
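For defenders, the chain described above (search result, compromised host, fake scanner page, download of packupdate[RANDOM NUMBER]_195.exe) can be hunted for in web proxy logs. The following is an added example, not code from Symantec or from the original article; the log layout, host names and the list of search-engine labels are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlsplit

# Filename pattern as reported in the article: packupdate[RANDOM NUMBER]_195.exe
FAKEAV_NAME = re.compile(r"^packupdate\d+_195\.exe$", re.IGNORECASE)
# Assumption: host labels treated as search engines (heuristic, not exhaustive).
SEARCH_LABELS = {"google", "bing", "yahoo"}

# Constructed proxy records: (client IP, requested URL, Referer header).
SAMPLE_LOG = [
    ("10.0.0.5", "http://hacked-host.example/world-cup-results",
     "http://www.google.com/search?q=world+cup+results"),
    ("10.0.0.5", "http://fake-scan.example/scan/index.html",
     "http://hacked-host.example/world-cup-results"),
    ("10.0.0.5", "http://fake-scan.example/dl/packupdate4821_195.exe",
     "http://fake-scan.example/scan/index.html"),
    ("10.0.0.9", "http://vendor.example/files/packupdate_setup.exe",
     "http://vendor.example/downloads"),
    ("10.0.0.7", "http://news.example/world-cup",
     "http://www.google.com/search?q=world+cup"),
]

def is_search_referer(referer):
    """True if any label of the referer's host is a known search engine."""
    host = urlsplit(referer).hostname or ""
    return bool(SEARCH_LABELS & set(host.split(".")))

def find_fakeav_downloads(records, max_hops=5):
    """Flag downloads matching the reported filename and walk the Referer
    chain back per client to see whether it started at a search result."""
    referer_of = {}  # (client, url) -> referer seen for that request
    alerts = []
    for client, url, referer in records:
        referer_of[(client, url)] = referer
        name = urlsplit(url).path.rsplit("/", 1)[-1]
        if not FAKEAV_NAME.match(name):
            continue
        chain, current, from_search = [url], referer, False
        for _ in range(max_hops):  # bounded walk also guards against loops
            if not current:
                break
            chain.append(current)
            if is_search_referer(current):
                from_search = True
                break
            current = referer_of.get((client, current))
        alerts.append({"client": client, "file": name,
                       "from_search": from_search, "chain": chain})
    return alerts

if __name__ == "__main__":
    for alert in find_fakeav_downloads(SAMPLE_LOG):
        print(alert)
```

A hit with `from_search` set also identifies the intermediate compromised host in `chain`, which is the entry worth reporting to the hosting provider or blocking.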