Poisoned search results, spreading scareware, heat up for 4th of July
Posted on July 2, 2010
Scareware purveyors are ramping up for a big weekend poisoning search results.
Achal Khetarpal, research director at antivirus firm CyberDefender, just typed “4th July dessert recipes” as a Bing query and got this innocuous-looking, but highly invasive, link as the 10th ranked result:
This is step one of a ruse spread by one of the most active scareware gangs out there selling worthless software called Security Master AV. Clicking on the poisoned result instantly launched the fake scan and promotion for Security Master AV:
Black Hat SEO attackers have been intensively poisoning search results on Google and YouTube for the past year or so. Khetarpal’s discovery confirms that the same basic hacking techniques work well on Bing, too.
“Blackhat SEO attackers are definitely deploying these attacks in Bing, but in smaller numbers,” says Khetarpal.
Save yourself by force-quitting browser
If you see a suspicious virus alert or virus scan, the worst thing you can do is click on anything in the alert or scan, even a “stop scan” or “cancel” button, says Microsoft spokesman Eric Foster.
That’s because clicking on anything the bad guys present to you usually advances the scam. Instead, if you’re using a Windows XP, Windows Vista, or Windows 7 computer, hit “ctrl-alt-delete” or type “task manager” into the Windows search box to navigate to your Task Manager.
At this point, the fake scan/alert is running in whatever web browser you are using, says Randy Abrams, Eset’s director of technical education. Locate your browser under the “applications” tab in your Task Manager and then force-quit it by clicking “end task.”
“If the user is running Internet Explorer they need to end Internet Explorer,” says Abrams. “If they are running Firefox, then end Firefox, Safari, end Safari, if Chrome, then end Chrome.”
Reinstalling Windows operating system
Here’s the rub: If you do happen to click on the fake scan, you will most likely be insistently steered to screens prompting you to pay $30 – $80 for worthless clean up and ongoing protection. At this point, getting rid of the malware becomes more difficult. You can:
- Still try to force-quit your browser.
- Reboot your PC.
- Try using Microsoft’s free Security Essentials scanning and basic protection tools.
- Try running a known-legit virus scan from your antivirus provider.
- Try using a free scan and clean tool such as SpyBot Search & Destroy, Malwarebytes or Vipre PC Rescue.
- Wipe your drive clean and reinstall your Windows operating system.
“Sometimes it is much faster and easier to reinstall the operating system,” says Abrams. “Typically skilled support professionals can fix the issue without requiring a reinstall, but if you go to a major electronics store they may tell you that reinstalling is the only way and that you will lose your data.
“It can take weeks, in some cases, to clean up all of the malware these fake AV products install. They rarely install only one item and often have hidden downloaders to install more.”
Outrageously lucrative
The selling of scareware has evolved into an outrageously lucrative criminal enterprise. Panda Security estimates that scareware generates some $34 million a month in revenue for a cottage industry of criminal gangs and independent specialists. That estimate was affirmed by the bust of one such gang, documented by federal regulators to have banked $163 million in sales from 2006-2008.
Blackhat SEO attacks that disperse poisoned search results have become a popular way to spread scareware. Such attacks “are automated and take place every single day,” says PandaLabs researcher Sean-Paul Correll. “It currently is the main delivery method” for scareware.
Kaspersky Lab has also gathered data that “at least some of the bad guys have managed to completely automate this process,” says senior analyst Roel Schouwenberg.
“They run scripts which crawl Google Trends, Twitter trends and potentially other sites to see what are hot topics. This means that basically any ‘breaking story’ will be used for Black SEO,” says Schouwenberg.
Google is the primary target, since it accounts for 65% of U.S. searches, but the techniques hackers use to poison search results work just as well on any search engine, says Andrew Brandt, threat research analyst at antivirus firm Webroot.
“This has been extremely pervasive since the middle of 2009,” says Brandt. “The fact that, nowadays, virtually any search result can contain malicious links is a sign that the Black Hats engaged in this practice have become expert search engine manipulators.”
Recent trending topics for which they’ve spread poisoned search results include the Twilight movie, the Gulf oil spill, World Cup soccer, Justin Bieber’s car accident, and Kim Kardashian’s Playboy video shoot.
Trust no links
The bad guys are using several sophisticated methods to cause poisoned search results to appear high in results ranking. Eset senior research fellow David Harley describes one, called index hijacking:
Index hijacking tends to involve manipulation of the Google PageRank (PR) algorithm. Google doesn’t discuss the detail of the algorithm, and has frequently modified the overall ranking strategy, which also involves other attributes such as link text, content of a page and its neighbors, and so on. A classic manipulation technique is to create a Rank Sink, a page with lots of good incoming links and few visible outgoing links. This increases what Google calls the importance of a page, since it looks like a page that attracts visitors rather than transient, more or less random link hopping. Each incoming link is a vote for the page that increases its importance.
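To make the rank-sink idea concrete, here is an added example (not code from the article, from Eset or from Google) that runs the basic PageRank update on a small constructed link graph; the page names, the links and the damping factors are assumptions for the demo. It shows how a closed pair of pages fed by many inbound links absorbs most of the score, and that the teleportation share (1 minus the damping factor) is what bounds that concentration.

```python
"""PageRank power iteration on a small constructed link graph.

Added example, not code from the article or from Eset. The page names,
the link graph and the damping factors are constructed for illustration;
the update rule is the basic PageRank formulation (rank flows along
outgoing links, with a 'teleportation' share 1 - d spread evenly).
"""
from typing import Dict, List

# Constructed graph: five 'hub' pages with genuine outgoing links all
# point at 'sink', and 'sink' only links to 'partner', which links back.
# That closed pair is a rank sink: rank that enters it never leaves
# along links, only via teleportation.
DEMO_LINKS: Dict[str, List[str]] = {
    "hub1": ["sink", "hub2"],
    "hub2": ["sink", "hub3"],
    "hub3": ["sink", "hub4"],
    "hub4": ["sink", "hub5"],
    "hub5": ["sink", "hub1"],
    "sink": ["partner"],
    "partner": ["sink"],
}


def pagerank(links: Dict[str, List[str]], damping: float = 0.85,
             iters: int = 200) -> Dict[str, float]:
    """Return the PageRank of every page (scores sum to 1).

    Every page in this demo has at least one outgoing link, so no
    dangling-node handling is needed.
    """
    pages = sorted(links)
    n = len(pages)
    rank = {p: 1.0 / n for p in pages}
    for _ in range(iters):
        new = {p: (1.0 - damping) / n for p in pages}   # teleportation share
        for src, outs in links.items():
            share = damping * rank[src] / len(outs)     # each link is a 'vote'
            for dst in outs:
                new[dst] += share
        rank = new
    return rank


def cluster_share(links: Dict[str, List[str]], cluster: List[str],
                  damping: float = 0.85) -> float:
    """Fraction of all rank captured by the given set of pages."""
    rank = pagerank(links, damping)
    return sum(rank[p] for p in cluster)


if __name__ == "__main__":
    for d in (0.85, 0.5):
        print(f"damping={d}: sink cluster holds "
              f"{cluster_share(DEMO_LINKS, ['sink', 'partner'], d):.0%} of rank")
```

With damping 0.85 the two-page sink holds roughly 81% of all rank while each hub holds under 4%; lowering the damping to 0.5 (more teleportation) cuts the sink’s share to about 52%.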
Search poisoning is just one type of attack in the daily mix of malicious software detected and blocked by antivirus vendors. Bottom line: Internet users not wishing to have control of their PC turned over to an attacker must be skeptical of all links — whether in a search result, an e-mail spam message, a Facebook wall posting, a Tweet, or just routinely navigating to known, safe web sites that might be hacked and tainted.
In this miasmic environment, poisoned search results ebb and flow, intensifying general threats to Internet users at predictable times. “These attacks are omnipresent,” says Kaspersky Lab’s Schouwenberg.
Adam McNeil, Webroot threat research analyst, adds: “What we have observed is that Google seems to figure out a way to thwart this malicious SEO for a time, then the bad guys figure out a loophole in Google’s new algorithm.”
By Byron Acohido