Scareware infestation hits Google search results & YouTube comments

May 26th, 2009


Scareware pitches, like this one, are surging. Those obnoxious promotions that try to entice you to spend $39 to $59 for worthless antivirus cleanup and protection are being spread online as intensely as ever.

And here’s the latest: you really can’t trust Google search query results, nor the comments posted alongside YouTube videos. Why? Because scareware purveyors are increasingly corrupting Google search results pages and YouTube video comments with their sales pitches.

PandaLabs recently discovered 30,000 videos on YouTube contain comments designed to lure people into clicking to a URL that will push promotions for fake PrivacyCenter antivirus protection. Threat-researcher Sean-Paul Correll told LastWatchdog he believes the bad guys simply created about a dozen new YouTube accounts, then plugged those account names into a simple script routine.

Booby-trapped Flash downloads

Luis Corrons

Thus these particular purveyors found yet another way to automate the spreading of scareware, using the tactic where they lure you into downloading a Flash player update to view a video, ala the Koobface worm.

Instead of a Flash player update, you’ve actually downloaded an obnoxious program that will run fake scans, purport to find a long list of viruses, and bombard you with pitches badgering to buy a fake cleanup tool.

“The technique of using malicious comments on YouTube is not new,” explains Luis Corrons, technical director of PandaLabs. “What is alarming, however, is the quantity of links we have detected pointing to the same Web page. This suggests that cyber-criminals are using automation tools to publish these comments.”
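Corrons’ observation, many comments from few accounts all pointing at one page, is also a usable detection heuristic. The script below is an added example, not code from the original post or from PandaLabs: it groups a feed of comments by the URL each one carries and flags any URL that is spread across many videos by a small pool of accounts. The comment records and the `example-scan.test` domain are constructed sample data, and the thresholds (`min_videos`, `max_accounts_ratio`) are assumptions a moderator would tune.

```python
"""Added example (not from the original post): flag comment floods that
point many videos at the same URL from a small set of accounts, the
automation signature PandaLabs describes.  All data below is constructed."""
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample comments: (account, video_id, comment_text)
SAMPLE_COMMENTS = [
    ("user_a1", "vid001", "great video!! see full version here http://example-scan.test/watch"),
    ("user_a2", "vid002", "full movie here: http://example-scan.test/watch"),
    ("user_a3", "vid003", "WOW http://example-scan.test/watch"),
    ("user_a1", "vid004", "best quality -> http://example-scan.test/watch"),
    ("user_a2", "vid005", "http://example-scan.test/watch watch now"),
    ("user_a3", "vid006", "see http://example-scan.test/watch."),
    ("realfan", "vid001", "nice, thanks for posting"),
    ("someone", "vid002", "source: http://example-news.test/article"),
]


def extract_urls(text):
    """Return the URLs in a comment, with trailing punctuation stripped."""
    return [u.rstrip(".,)") for u in URL_RE.findall(text)]


def link_clusters(comments):
    """Group comments by the URL they carry.

    Returns {url: {"accounts": set, "videos": set, "count": int}}.
    """
    clusters = defaultdict(lambda: {"accounts": set(), "videos": set(), "count": 0})
    for account, video, text in comments:
        for url in set(extract_urls(text)):
            cluster = clusters[url]
            cluster["accounts"].add(account)
            cluster["videos"].add(video)
            cluster["count"] += 1
    return clusters


def flag_campaigns(comments, min_videos=3, max_accounts_ratio=0.5):
    """Flag a URL posted across at least `min_videos` videos where the number
    of distinct accounts is a small fraction of the number of postings.

    Returns a list of (url, videos_hit, distinct_accounts, postings),
    most-posted first.  Thresholds are assumed starting points.
    """
    flagged = []
    for url, c in link_clusters(comments).items():
        spread = len(c["videos"])
        accounts = len(c["accounts"])
        if spread >= min_videos and accounts / c["count"] <= max_accounts_ratio:
            flagged.append((url, spread, accounts, c["count"]))
    return sorted(flagged, key=lambda row: -row[3])


if __name__ == "__main__":
    for url, videos, accounts, postings in flag_campaigns(SAMPLE_COMMENTS):
        print(f"{url}: {postings} postings on {videos} videos from {accounts} accounts")
```

On the constructed feed the single scareware URL is flagged (six postings on six videos from three accounts) while the one-off news link is not. The ratio test is what separates a dozen scripted accounts from a link that many unrelated people genuinely share.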

Meanwhile, virus hunters at Finjan recently infiltrated a crime group that has been systematically corrupting Google search query results so that links to fake antivirus pitches turn up on search results pages. The technique is ingenious in concept and takes several steps to execute.

Leveraging SEO to spread fake AV

First the bad guys create webpages carrying terms they think you’ll be searching for, such as “Obama” or “American Idol.” The bad guys’ webpage also contains a link to a scareware promotion.

Next the criminals search the Internet for popular web sites that do not lock down security when it comes to handling JavaScript, the coding that activates many cool Web features, such as changing the color of a button when someone mouses over it.

Web sites that do not lock down JavaScript are susceptible to cross-site scripting attacks. An attacker who knows what he’s doing can manipulate the vulnerable page to his heart’s content. These particular criminals happen to be using a cross-site scripting attack to do one simple thing: embed a tiny, nearly invisible copy of their web page onto the legit web page.

They then sit back and rely on Google’s powerful “search engine optimization” (SEO) technology to do the rest. SEO technology automates the process by which search engines measure relevance — and thus cause certain URLs to show up in the Top 10 search query results.
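From the site owner’s side, the tell-tale artifact of this technique is a frame on your own page that points off-site and is sized or styled so that no visitor would ever see it. The script below is an added example, not code from the original post or from Finjan: it parses a page’s HTML and reports frame-like elements that point to another host and are tiny, hidden by inline style, or nested inside an off-screen container. The sample HTML, the `legit-news.test` site name and the promotion domains in it are constructed; the size and style thresholds are assumptions.

```python
"""Added example (not from the original post): find 'tiny, nearly invisible'
frames pointing off-site, the artifact the Finjan SEO hack leaves on a
compromised page.  Sample HTML and host names are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "legit-news.test"   # assumed hostname of the site being scanned
FRAME_TAGS = {"iframe", "frame", "object", "embed"}
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}

SAMPLE_HTML = """
<html><body>
<h1>Election news</h1>
<p>Story text.</p>
<iframe src="https://video.legit-news.test/player?id=42" width="640" height="360"></iframe>
<iframe src="http://obama-american-idol.test/index.html" width="1" height="1"
        style="visibility:hidden"></iframe>
<div style="position:absolute; left:-9999px">
<iframe src="http://other-promo.test/" width="300" height="250"></iframe>
</div>
</body></html>
"""


def style_hides(style):
    """True if an inline style makes the element invisible or pushes it off-screen."""
    s = style.lower().replace(" ", "")
    return ("display:none" in s or "visibility:hidden" in s
            or "opacity:0;" in s or s.endswith("opacity:0")
            or re.search(r"(left|top):-\d{3,}px", s) is not None)


def is_tiny(attrs, max_px=2):
    """True if width or height is at most `max_px` pixels (assumed threshold)."""
    def num(v):
        try:
            return float(str(v).rstrip("px%"))
        except ValueError:
            return None
    w, h = num(attrs.get("width")), num(attrs.get("height"))
    return (w is not None and w <= max_px) or (h is not None and h <= max_px)


def is_offsite(src, site_host):
    host = urlparse(src).hostname or ""
    return bool(host) and host != site_host and not host.endswith("." + site_host)


class FrameCollector(HTMLParser):
    """Record frame-like tags and whether an enclosing element is hidden."""
    def __init__(self):
        super().__init__()
        self.frames = []
        self._stack = []          # (tag, hidden_flag) for open elements
        self._hidden_depth = 0    # number of open hidden ancestors

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in FRAME_TAGS:
            self.frames.append({"tag": tag, "attrs": a,
                                "ancestor_hidden": self._hidden_depth > 0})
        if tag not in VOID_TAGS:
            hidden = style_hides(a.get("style", ""))
            self._stack.append((tag, hidden))
            self._hidden_depth += hidden

    def handle_endtag(self, tag):
        while self._stack:
            open_tag, hidden = self._stack.pop()
            self._hidden_depth -= hidden
            if open_tag == tag:
                break


def find_hidden_offsite_frames(html, site_host=SITE_HOST):
    """Return [(src, [reasons])] for off-site frames that a visitor cannot see."""
    parser = FrameCollector()
    parser.feed(html)
    hits = []
    for f in parser.frames:
        src = f["attrs"].get("src") or f["attrs"].get("data") or ""
        if not is_offsite(src, site_host):
            continue
        reasons = []
        if is_tiny(f["attrs"]):
            reasons.append("tiny")
        if style_hides(f["attrs"].get("style", "")):
            reasons.append("hidden-style")
        if f["ancestor_hidden"]:
            reasons.append("hidden-ancestor")
        if reasons:
            hits.append((src, reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in find_hidden_offsite_frames(SAMPLE_HTML):
        print(f"suspicious frame {src}: {', '.join(reasons)}")
```

Run against the constructed page, the site’s own video player on a subdomain is ignored, the 1x1 hidden iframe is reported as both tiny and hidden by style, and the normally sized iframe inside the off-screen `div` is caught through its ancestor. Scanning rendered pages this way (or diffing them against a known-good copy) is how a publisher notices the injected content the search engine has already indexed.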

Piggy-backing on search relevance

Ben-Itzhak

By embedding their invisible webpage on a popular, legit site, the bad guys effectively imbue their page with the same relevance as the legit site. So when anyone searches for the terms and phrases typed on the bad guys’ page, that URL turns up high among Google’s search results, increasing the odds that someone will click on the bad link.

Early examples of this first sort of SEO hack started turning up in the spring of 2008 when Wired, CNet, TV.com, USATODAY.com, ZDNet Asia, History.com and many universities got hit. I wrote about that in this April 1, 2008 news story. Many big name website publishers have since done a good job of addressing their cross-site scripting vulnerabilities.

However, Finjan says a group using an SEO hack recently corrupted nearly 500,000 legit web sites operated by various parties all around the world. On the list of compromised sites were healthcare, universities, online shopping, religion and even music sites, says CTO Yuval Ben-Itzhak.

Corrupted search results on Google, Yahoo and MSN search engines redirected 1.8 million unique users to a promotion for scareware called “Antivirus XP 2008” and “XP antivirus 2008,” says Ben-Itzhak.

Scareware affiliates getting more creative

Kamluk

Scareware really has been around in force since the mid-2000s. I wrote in Zero Day Threat about how the iframeCASH.biz gang, based in St. Petersburg, Russia, spread fake AV subscriptions called “SpySheriff.” This was in 2005. Click here to see that chapter excerpt.

There’s no doubt about it, scareware promotions are more widespread than ever. You can also get them by clicking on a tainted website. Or if you click a booby-trapped weblink in an email or Facebook message. Increasingly, you see them in banner pop-up ads showing up intermittently on big-name media websites.

This is all made possible because of an elaborate, efficiently run cottage industry of scareware distributors who offer rich incentives for anyone willing to promote and sell scareware, much as the iframeCASH.biz gang did very profitably back in 2005. This has given rise to a small army of freelance “affiliates,” who have stepped forward and are getting very creative about spreading scareware promotions.

“Affiliates are actually inventing new ways to reach the users,” says Vitaly Kamluk, senior researcher at Kaspersky Lab. “They are pushing new injection vectors, propagating spam and so on. They don’t need to bother with creating fake AV applications – it’s given for free and all they need to do to get a cut of the cake is to advertise/propagate the fake AV solution.”

Want to know more? Stay tuned for an upcoming investigative cover story I’m doing for USA TODAY that will connect the dots and show you how the expanding scareware industry has become a big driver of cyber intrusions.

If you’re a researcher or an insider willing to share anecdotes about cutting-edge scareware spreading tactics, please comment below.

–Byron Acohido