September 11th, 2009

9/11 related keywords hijacked to serve scareware

Posted by Dancho Danchev @ 12:30 pm

Categories: Anti Virus, Botnets, Browsers, Hackers, Malware, Passwords, Ukraine, Web 2.0

Tags: Malware, 9/11 Commission, Keyword, Spyware, Adware & Malware, Cyberthreats, Viruses And Worms, Security, Dancho Danchev

Anticipating the logical peak of 9/11-related keywords on the 8th anniversary of the attacks, cybercriminals have hijacked the trending topic by occupying thousands of related keywords to serve fake security software.

Because of the evasive tactics applied in the campaign, none of the sites is currently marked as harmful by the SafeBrowsing initiative, and the majority of them already appear within the first twenty results.

Is this a deliberate 9/11-themed blackhat SEO campaign, or a “blackhat SEO for scareware serving purposes as usual” type of campaign?

The Ukrainian cybercrime group that was recently hijacking Obama Speech related keywords next to U.S. Federal Forms keywords is also behind the current 9/11-themed campaign; detailed assessments of their ongoing campaigns confirm their use of Google Trends.

Whereas it would first appear that they are very good at manually picking up trending and very recent topics, the reality is that the process is completely automated, and has been for the past couple of years. This dynamic traffic hijacking in a near real-time Web is already undermining the usefulness of static lists of “dangerous keywords” or “dangerous celebrities” to search for.

Compared to previous blackhat SEO campaigns, the campaigns launched by this group over the past couple of months indicate a lot of planning before launch. For instance, the malware, the redirection domains and the scareware domains are rotated once or twice every 24 hours in an attempt to increase the campaign’s lifecycle.

The latest campaign is pushing Scanner-137082_2007.exe, and while its generic detection rate will inevitably improve, not falling victim to a scam that’s selling non-existent security software remains the best move.
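Since the keywords and domains rotate faster than static lists can follow, a defender can match on the shape of the traffic instead. The following is an added example, not part of the original post: it scans web proxy records for a search-referred click that hops across hosts and ends in an executable download. The record fields, the search-referrer list and every host name are assumptions constructed for illustration.

```python
from urllib.parse import urlparse
SEARCH_HOSTS = ("google.", "bing.", "search.yahoo.")  # assumption: search referrers
EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}

def host(url):
    return (urlparse(url).hostname or "").lower()

def is_search(url):
    h = host(url)
    return any(h.startswith(p) or "." + p in h for p in SEARCH_HOSTS)

def is_executable(rec):
    return urlparse(rec["url"]).path.lower().endswith(".exe") or rec["ctype"] in EXE_TYPES

def find_chains(records, max_hops=5):
    """Flag search-referred click chains that cross hosts and end in an executable."""
    alerts, chains = [], {}  # chains: client -> (URLs so far, Location of last redirect)
    for rec in sorted(records, key=lambda r: r["ts"]):
        client = rec["client"]
        urls, expected = chains.get(client, ([], None))
        if is_search(rec["referer"]):
            urls = [rec["url"]]              # a search-result click starts a chain
        elif urls and (rec["url"] == expected or rec["referer"] == urls[-1]):
            urls = urls + [rec["url"]]       # redirect target or referer-linked hop
        else:
            continue                         # unrelated request: leave the chain alone
        hosts = list(dict.fromkeys(host(u) for u in urls))  # distinct hosts, in order
        hit = is_executable(rec) and len(hosts) >= 2
        if hit:
            alerts.append((client, hosts, rec["url"]))
        if hit or len(urls) >= max_hops:
            chains.pop(client, None)         # finished or too long: stop tracking
        else:
            chains[client] = (urls, rec["location"])
    return alerts

def record(ts, client, url, referer="", location=None, ctype="text/html"):
    return dict(ts=ts, client=client, url=url, referer=referer, location=location, ctype=ctype)

SAMPLE = [  # constructed proxy records; hosts are placeholders, file name is from the post
    record(1, "10.0.0.5", "http://blog.example/911-news", "http://www.google.com/search?q=x",
           location="http://redir.example/in.php"),
    record(2, "10.0.0.5", "http://redir.example/in.php", location="http://scan.example/index.html"),
    record(3, "10.0.0.9", "http://vendor.example/download", "http://www.bing.com/search?q=y"),
    record(4, "10.0.0.5", "http://scan.example/index.html"),
    record(5, "10.0.0.5", "http://scan.example/Scanner-137082_2007.exe",
           "http://scan.example/index.html", ctype="application/octet-stream"),
    record(6, "10.0.0.9", "http://vendor.example/setup.exe", "http://vendor.example/download"),
]
```

Treat hits as triage leads: a legitimate installer served from a host other than the search result's landing page matches the same shape.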

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


  • Talkback
I don't use Google Trends. I type google.com without thinking about it.  Grayson Peddie | 09/11/09
