After Trend Micro researchers claimed that Easter related sites were used to redirect visitors to rogue antivirus websites, PandaLabs recently uncovered similar Black hat SEO attacks against Ford and Ned.org.
By mis-using keywords typically related to global businesses and institutions, the criminals attract unsuspecting visitors to compromized web sites. These sites deceive visitors into downloading and installing a fake antivirus product that is very hard to deactivate or remove.The rogue antivirus gives false alerts to the user making them think that theircomputer is infected. Scared users are then susceptible to buying the "antivirus protection" via a page that looks like a secure SSL web site. In fact, their money are confidential credit card information are stolen by the criminals the moment that they enter their personal information into the payment page.
Many global companies, including Ford have been exploited in this way. Over a million compromized web sites used Ford-based keywords to attract visitors to fake antivirussites via search engines such as Google (Black hat SEO may force Google to change algorithm).Other examples of this attack include the mis-use of Easter related keywords to attract unsuspecting visitors during the Easter season (Trend Micro Malware Blog - Rotten Eggs: An Easter Malware Campaign).
There are other variants of this type of attack originating from the same Ukraine / Russianbased criminal fraternity. For example, the criminals use technical exploits to compromizeweb sites, blog, forums and the like. Wordpress blog management software has been a victim of such an exploit allowing the criminals to inject malicious code directly into all pages.A visitor to one of these infected sites will beredirected to another site where rogue antivirus software is again downloaded (PandaLabs: New Blackhat SEO attack exploits vulnerabilities in Wordpressto distributerogue antivirus software).
The criminals put a lot of effort into assuring the longevity of their scam. Frequent IP changes and moving from location to location help ensure that they can continue their activities.
You can get more information about all these attacks from the following resources. The PandaLabs video gives a particularly clear and concise overview.
The following links provide more information about this attack:
The websites in question are: trustsecurityshield.com and topsecurity4you.com which both have served for only two or three days (hosted on 22.214.171.124).
Technicals details can be found below
Vulnerabilities in Wordpress exploited to distribute rogue antivirus software
Watch the full video:
I will take your attention on the video above.
This is a screenshot at 03:11
If you zoom into it you will see the domain "load-archive-av-pro.com". The domain is still active and shared with many other fake scanner websites like "antivir-scan-pro-best.com" for the location of the payload. Wepawet Analysis
I will take some words found on Ned.org for example.