August 6th, 2009

Federal forms themed blackhat SEO campaign serving scareware

Posted by Dancho Danchev @ 12:06 pm

Categories: Anti Virus, Botnets, Browsers, Hackers, Malware

Tags: Search Engine Optimization, Malware, Cybercriminal, Keyword, Search, Marketing Research, Spyware, Adware & Malware, Security, Dancho Danchev

An ongoing blackhat SEO (search engine optimization) campaign is actively hijacking a variety of U.S. federal forms keywords in an attempt to serve the Personal Antivirus (Trojan.Win32.FakeXPA) scareware.

Due to the automated and sophisticated PageRank boosting tools cybercriminals use in these campaigns, the hijacked keywords always pop up within the first ten to twenty search results for a given keyword.

Let’s analyze the campaign and discuss how they are able to bypass Google’s SafeBrowsing blacklist.

Compared to the previous real-time (news headlines and swine flu themed) blackhat SEO campaigns launched during the last couple of months, this one relies on a pre-defined set of legitimate applications and U.S. federal forms. The following list is a sample of the keywords used:

Irs 8905, Printable Ohio Individual Tax Form, Wisconsin State Ammended Tax Form, It 1040 Ohio Form, Federal 1040ez Form, 1040 Ez Online Form, Wi 1040 Ez, 1040 Tax Form Download, Virginia Health Life Insurance License Form, Commercial Lease Offers Application Form, Free Medical Durable Power Of Attorney Form, Georgia Driving History Request Form, Parcar Warranty Claim Form, Uc 101 Form, Estate Waiver Form, Postnuptial Agreement Form, 403 B Salary Reduction Form, Copy Of Living Will Form Fl, Petition Divorce Form Oklahoma Free, Rental Agreement Form Oregon, Alaska Form Expected Death At Home, Application Form For Callas Reward Card, Celebrities Form Bretagne France, Annual Emeritus Parking Authorization Form, 540ez Ca, Illinois State Form 1040, Ira Form 8863, Income Tax Return 1040ez Form, 1096 Form Tax, Kerala Medical Examination Form, Cayman Islands Visa Form, Ohio Tax Exemption Form, Free Printable Tax Forms 1099, 1040 Tax Form Printable, Gsa Form 3503 Form Fillable, Change Of Schedul Form 3189 Uspostal, Medical Treatment Form Ohio, Default Form Louisiana Parish Preliminary Vernon, Client Interview Form Unlawful Detainer California, Nonresident Form Hawaii Vehicle

Based on the variety of keywords used, it’s pretty obvious that the cybercriminals behind the campaign are attempting to hijack U.S. traffic exclusively.

It’s worth pointing out that they’ve apparently managed to trick Google’s SafeBrowsing blacklist about the true nature of the sites’ content. How did they do that?

By using some well-known evasion practices from their arsenal, in this case a combination of web content cloaking and HTTP referrer checking. Basically, they detect a Google crawler and serve legitimate, blackhat SEO optimized content to it. However, since the crawler isn’t using an HTTP referrer, the cybercriminals serve the scareware only to someone who’s coming directly from Google’s search engine, and a 404 error to those who are clicking on the links without a valid HTTP referrer.
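One way a defender can test a suspect search result for the cloaking and referrer checking described above, as an added example that is not part of the original post: request the page as a crawler, as a visitor arriving from a search click, and as a direct visitor, then compare the answers. The profile names, header values, finding labels and sample hostnames are assumptions made for illustration.

```python
import hashlib
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Three visitor types from the post; header values are illustrative assumptions.
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
PROFILES = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "search_click": {"User-Agent": BROWSER, "Referer": "https://www.google.com/search?q=example"},
    "direct": {"User-Agent": BROWSER},
}

def probe(url, timeout=10):
    """Fetch url once per profile (needs network); returns input for classify()."""
    obs = {}
    for name, headers in PROFILES.items():
        req = urllib.request.Request(url, headers=headers)
        try:
            resp = urllib.request.urlopen(req, timeout=timeout)
        except urllib.error.HTTPError as err:
            resp = err  # error responses still carry a status, URL and body
        host = urlsplit(resp.geturl()).hostname  # host after any redirects
        obs[name] = (resp.code, host, hashlib.sha256(resp.read()).hexdigest())
    return obs

def classify(obs):
    """Return sorted findings for {profile: (status, final_host, body_sha256)}."""
    crawler, click, direct = obs["crawler"], obs["search_click"], obs["direct"]
    if len({crawler, click, direct}) == 1:
        return ["consistent"]  # everyone got the same answer
    findings = set()
    # The crawler is served a page that a referrer-less browser is refused.
    if crawler[0] == 200 and direct[0] in (403, 404, 410):
        findings.add("crawler-only-content")
    # Same browser, only the Referer header differs, yet the answer changes.
    if click[0] != direct[0] or click[1] != direct[1]:
        findings.add("referrer-dependent")
    # Search visitors end up on a different host than the one the crawler saw.
    if click[1] != crawler[1]:
        findings.add("search-click-offsite")
    # Only body hashes differ: weak signal, dynamic pages do this too.
    return sorted(findings) or ["content-differs"]
```

Run `probe()` only from an isolated analysis host, since the search-click profile is the one that receives the scareware page. A site that recognizes the crawler by source IP address rather than by User-Agent will treat the crawler profile as an ordinary browser.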

Disruption of the campaign is in progress.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.

Talkback
RE: Federal forms themed blackhat SEO campaign serving scareware
It's not just purveyors of malware doing this. It's also
sites pushing more or less legit adware. The more popular
a topic becomes, the more one sees more and more adware
sites on top of a search result.
... (Read the rest)
Posted by: aseries Posted on: 08/11/09