Posts Tagged ‘ Trend Labs ’


Two recent cybercriminal attacks drew inspiration from news items of global interest in order to propel malicious links into top search engine results. Cybercriminals’ use of hot news topics, such as those related to the Air France Flight 447 disaster and the World Health Organization (WHO)’s formal announcement of H1N1 as a global pandemic, is not necessarily new. However, as these types of attacks increase, Internet users run a great risk of losing credit card information as a result of downloading rogue antivirus software from blackhat SEO links.

The Threat Defined
On June 4, while the world scrambled for information about the fate of the missing Air France Flight 447, researchers discovered a cybercriminal plot to take advantage of the news. Through a technique called search engine optimization (SEO) poisoning (also called “blackhat SEO”), cybercriminals are able to obtain high rankings in search engine results for their specially crafted Web pages whenever users enter terms like air france crash or french airbus crash. The Web pages do not carry news about the airplane incident. Instead, they automatically launch redirections that eventually bring users to a rogue antivirus component (named Install_2022.exe and detected by Trend Micro as TROJ_FAKEAV.BIM). TROJ_FAKEAV.BIM, when executed, downloads and executes the rest of the rogue antivirus package (TROJ_YEKTEL.AA).

Rogue antivirus variants sport more or less the same visual devices to trick users about an infection in their PCs. In this case, TROJ_YEKTEL.AA first displays an installation prompt for Personal Antivirus, a package pretending to be security software. It invites the user to accept the software’s Terms and Conditions to proceed with the installation. It then runs a full system scan that reveals several “malware detections” on the PC.

These fake infections do not really exist on the system and are designed only to scare users into actually purchasing the full version of the product. Cybercriminals even mimic legitimate software license offerings by pricing a one-year license at US$59.95 or a lifetime license at US$79.95. Both licenses come with all-day premium support for an additional US$19.95. Users who pay with their credit cards do not get the benefit of full protection but instead unknowingly surrender their credentials to the cybercrime underground.

Blackhat SEO Using H1N1 News
Roughly a week after the Air France attack, cybercriminals pounced on news of the WHO proclamation that H1N1 was a global pandemic. Cybercriminals quickly rode on the event’s popularity, coming up with pages rigged with malware to victimize as many curious newsreaders as possible.

Users who click on any of the malicious links end up downloading a Trojan downloader (TROJ_DLOADR.API). This Trojan automatically downloads a dropper (TROJ_DROPPER.NXA), which drops TROJ_AGENT.GUZZ onto the affected PC. This Trojan drops other malware and accesses URLs to download other files. As of this writing, the URLs accessed by TROJ_AGENT.GUZZ are inaccessible. However, when they were still operational, the URLs led users straight to downloading a rogue antivirus solution detected as TROJ_DROPER.AS, which drops BKDR_PLTRGEIST.A. This backdoor, though incapable of propagating, allows a malicious user remote control access over the affected system.

Trend Micro analysts believe these attacks are somehow related in that they use the same method of operation and both are connected to rogue antivirus software. Moreover, both the Air France Flight 447 and H1N1 SEO attacks are hosted on the is-the-boss.com domain, which is a known malware host. The span of time between these two attacks and the time it took cybercriminals to mount each attack in reaction to the worldwide news suggest that cybercriminals have found an easier and faster way to poison search engine results for their own ends.

Cybercriminals launch blackhat SEO campaigns by spamming links to the malicious page wherever possible. In some cases, they post links to the malicious page in the comments sections of blogs or Web sites, where the target keyword (e.g., swine flu or flight 447) is hyperlinked to the malicious page. Cybercriminals can also set up link farms: several blogs that contain nothing but links to the malicious page. The more spamming occurs, the more links to the malicious page appear, which pushes the page to the top result when certain keywords are entered into search engines. Search engines use complex algorithms to determine ranking, and one way they determine the authority or credibility of a page is by the number of other sites that link to it.
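The comment-spam half of this mechanism is something a blog operator can check for on the way in. The following is an added example (not code from the original post or from Trend Micro) that flags comments which hyperlink a hot news keyword to an off-site page, links to the domain the post names as a malware host, and any off-site domain that recurs across many comments, which is what a link farm looks like from the receiving end. The keyword list, the recurrence threshold, the blog domain and the sample comments are constructed assumptions.

```python
"""Heuristic filter for SEO-poisoning comment spam (added example).

Not code from the original post or from Trend Micro. The keyword list,
threshold, blog domain and sample comments are constructed assumptions;
is-the-boss.com is the host the post identifies as a known malware host.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Search terms the two campaigns targeted, per the post (assumed list)
HOT_KEYWORDS = {"air france crash", "french airbus crash", "flight 447",
                "swine flu", "h1n1"}
# Domain the post identifies as a known malware host
KNOWN_MALWARE_HOSTS = {"is-the-boss.com"}


class AnchorExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML comment body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an <a> element
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = AnchorExtractor()
    parser.feed(html)
    return parser.anchors


def domain_of(url):
    """Lower-cased hostname of a URL ('' if none) with a leading www. dropped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def score_comment(html, blog_domain):
    """Return the reasons a single comment looks like SEO-poisoning spam."""
    reasons = []
    for href, text in extract_anchors(html):
        dom = domain_of(href)
        if not dom or dom == blog_domain:
            continue                    # on-site links are not a poisoning signal
        if dom in KNOWN_MALWARE_HOSTS:
            reasons.append("link to known malware host %s" % dom)
        if text.lower() in HOT_KEYWORDS:
            reasons.append("hot keyword '%s' hyperlinked to %s" % (text, dom))
    return reasons


def link_farm_domains(comments, blog_domain, min_comments=3):
    """Off-site domains linked from at least min_comments distinct comments."""
    counts = Counter()
    for comment in comments:
        doms = {domain_of(h) for h, _ in extract_anchors(comment["body"])}
        doms.discard(blog_domain)
        doms.discard("")
        counts.update(doms)             # one count per comment, not per link
    return {d: n for d, n in counts.items() if n >= min_comments}


# Constructed sample data; example.* hosts are placeholders.
BLOG_DOMAIN = "blog.example.com"
SAMPLE_COMMENTS = [
    {"id": 1, "body": 'Great post, see <a href="http://example.org/">my site</a>.'},
    {"id": 2, "body": 'Latest on the <a href="http://is-the-boss.com/news/">air france crash</a>'},
    {"id": 3, "body": 'Read about <a href="http://www.is-the-boss.com/x">swine flu</a> here'},
    {"id": 4, "body": '<a href="http://is-the-boss.com/y">flight 447</a> update'},
    {"id": 5, "body": 'Thanks. <a href="http://blog.example.com/about">about</a>'},
]

if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(c["id"], score_comment(c["body"], BLOG_DOMAIN))
    print("link-farm candidates:", link_farm_domains(SAMPLE_COMMENTS, BLOG_DOMAIN))
```

The per-comment score catches a single poisoned link; the cross-comment count catches the pattern even when the anchor text is innocuous, because a link farm's tell is the same off-site domain showing up again and again rather than any one comment.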

This is not the first time tragedies and other much-talked-about topics have been used for blackhat SEO campaigns. Other noteworthy SEO attacks that may not have focused on “news” in the strictest of terms but did ride on the back of the next “in” things targeted Facebook and Twitter users.

User Risks and Exposure
Since both featured attacks took advantage of real-world events and used “global” platforms (search engines), users in search of more information on the Air France Flight 447 disaster and H1N1 are most likely to be affected. It should be noted though that some search engines have already flagged the is-the-boss.com domain as malicious.

Since the redirections happen quickly, users hardly see what is actually happening. If users accept dialog boxes without a second thought, there is a good chance that this attack succeeds in infecting computers down to the rogue antivirus payload. That this attack starts off via a search using any of the major search engines is an added complication since many users automatically assume that search engine results are safe to click.
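Because the user sees none of this, the redirect chain is best caught in proxy or gateway logs after the fact. The following is an added example (not code from the original post or from Trend Micro) that walks each client's requests and alerts when a page reached from a search engine is followed within a few seconds by one or more redirects and a download of an executable, marking whether the landing page was on the host the post names. The log format, the search-engine host list, the time window and the sample lines are constructed assumptions; is-the-boss.com and Install_2022.exe come from the post.

```python
"""Detection of search-result redirect chains ending in an executable.

Added example, not code from the original post or from Trend Micro. Log
format, search-engine list, window and sample lines are constructed; the
host is-the-boss.com and the file name Install_2022.exe come from the post.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

SEARCH_ENGINE_HOSTS = {"www.google.com", "google.com", "search.yahoo.com",
                       "www.bing.com", "search.live.com"}   # assumed list
KNOWN_MALWARE_HOSTS = {"is-the-boss.com"}                   # named in the post
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW = timedelta(seconds=10)   # the post says the redirections happen quickly


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def parse_line(line):
    """Constructed format: <ISO timestamp> <client> <status> <url> <referer> <content-type>."""
    ts, client, status, url, referer, ctype = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "client": client, "status": int(status), "url": url,
            "referer": referer, "ctype": ctype}


def is_executable(event):
    path = urlparse(event["url"]).path.lower()
    return event["ctype"] in EXECUTABLE_TYPES or path.endswith(".exe")


def find_chains(lines):
    """Return one alert per search-referred chain that reaches an executable."""
    events = sorted((parse_line(l) for l in lines),
                    key=lambda e: (e["client"], e["ts"]))
    by_client = {}
    for e in events:
        by_client.setdefault(e["client"], []).append(e)

    alerts = []
    for client, evs in by_client.items():
        for i, start in enumerate(evs):
            if host_of(start["referer"]) not in SEARCH_ENGINE_HOSTS:
                continue            # only chains that begin at a search result
            redirects = 1 if 300 <= start["status"] < 400 else 0
            for nxt in evs[i + 1:]:
                if nxt["ts"] - start["ts"] > WINDOW:
                    break           # too slow to be an automatic chain
                if 300 <= nxt["status"] < 400:
                    redirects += 1
                elif is_executable(nxt):
                    landing = host_of(start["url"])
                    # a direct search-result download with no hop is left alone
                    # unless the landing host is already known bad
                    if redirects or landing in KNOWN_MALWARE_HOSTS:
                        alerts.append({
                            "client": client,
                            "landing_host": landing,
                            "redirects": redirects,
                            "payload": nxt["url"],
                            "known_malware_host": landing in KNOWN_MALWARE_HOSTS,
                        })
                    break
    return alerts


# Constructed sample log: one poisoned chain and one benign search visit.
SAMPLE_LOG = [
    "2009-06-04T10:00:01 10.0.0.5 200 http://www.google.com/search?q=air+france+crash - text/html",
    "2009-06-04T10:00:03 10.0.0.5 302 http://is-the-boss.com/airfrance.html http://www.google.com/search?q=air+france+crash text/html",
    "2009-06-04T10:00:03 10.0.0.5 302 http://redirect.example.net/go http://is-the-boss.com/airfrance.html text/html",
    "2009-06-04T10:00:04 10.0.0.5 200 http://payload.example.net/Install_2022.exe http://redirect.example.net/go application/octet-stream",
    "2009-06-04T10:05:00 10.0.0.7 200 http://news.example.com/airfrance http://www.google.com/search?q=air+france+crash text/html",
    "2009-06-04T10:05:02 10.0.0.7 200 http://news.example.com/style.css http://news.example.com/airfrance text/css",
]

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```

Requiring at least one redirect before the executable keeps ordinary search-to-download visits (a vendor's own download page, say) out of the alert queue, while a landing host already on the blocklist is reported even without a hop.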

Users who encounter this attack risk losing money to cybercriminals along with their credit card information. Cybercriminals may then sell this information in underground black markets, where carders may obtain it to perform unauthorized online transactions.

Trend Micro Solutions and Recommendations
Trend Micro Smart Protection Network delivers security that is smarter than conventional approaches. It blocks the latest threats before they reach you. Leveraged across Trend Micro’s solutions and services, Smart Protection Network combines unique in-the-cloud technologies and a lightweight client architecture to immediately and automatically protect your information wherever you are. It is also the only antivirus technology that is able to correlate threats and identify their individual roles in an entire threat. In these blackhat SEO attacks, Smart Protection Network protects users in the following manner:

  • Requests to access Web sites that turn up in poisoned searches, as well as requests made by injected scripts on an already infected computer, are blocked by Web Reputation Technology.
  • Malware hosted on new and still unknown sites and downloaded malware files are blocked or detected and removed by File Reputation Technology.


By Joahnna Mari Hipolito
Technical Communications
Trend Labs

The Internet is being introduced to, and embraced by, an audience that is getting younger by the minute. Considering the savagery of the threat landscape, without the proper guidance and protection, young minds do not stand a chance against cybercriminals’ nasty schemes.

Internet: Who Does What?
A study conducted by the Pew Internet and American Life Project in 2006 and 2008 determined generational differences in online activities. The results implied that younger age groups, those aged 17 and below, tend to employ the Internet as a tool for creative and social activities. It also showed that the younger age groups spend more time online than the older groups. Furthermore, a similar study by Pew Internet states that, “Internet users in their twenties are more likely than those in their fifties and sixties to have travelled far and wide online, trying new things and possibly learning hard lessons about the dangers that lurk on the network.”

Danger in Safe Waters
Most net-savvy users are now aware of the risks involved in browsing online. But the tendency to delve into risky online activities is greater for young users, especially with their insatiable thirst for knowledge and untested sense of courage.

Searches
InternetStatsToday states that 55% of young Internet users are more likely to do searches on a daily basis compared to adults. As reliable and convenient as search engines are, they are far from safe. Cybercriminals abuse search engines through SEO manipulation and SQL injections, such that kids searching for the wrong topic, or clicking on the wrong search result, are led not to relevant information for their next papers but to a compromised PC instead.

E-mail
ComScore Media reports that 89% of young users who use the Internet still use e-mail, making it a popular activity for young users. Just as much, e-mail is a popular channel for malware distribution, creeping into users’ inboxes in the form of blended threats. Links to sites that lead to malware downloads, phishing sites, and others are usually distributed through spam.

Online Shopping
Online shopping has shaved off some of the time young users spend at the mall. With just a few clicks the transaction is finished. It isn’t hard to see why about 22.9% of young users make purchases through the Internet. This is despite raised concerns about security in online shopping. Shoppers are common prey to scammers and phishers online. And even as shoppers try to take precautions, phishers always take their schemes to a higher level to fool users. Even experienced buyers are not exempt, let alone young users who may be too excited and willing to exercise their rights as consumers.

Social Networking
An estimated 61% of kids aged 13 to 17 have profiles in online social networks. The social network audience is teeming with young users: the popular social network MySpace deletes about 25,000 profiles a week to discourage those who register to the network but fail to meet the 14-year-old minimum age limit. The engagement of young users in social networks has raised concern mainly because of the amount of information kids share in these networks. But this is not the only risk these kids face when engaging in social networks. Social networks are yet another malware vector. Popular social networking sites like Facebook and Twitter have been known to be abused by cybercriminals to spread malware.

Instant Messaging
Studies have shown that young users prefer instant messaging over e-mail. For them, the speed, lack of formality, and convenience of instant messaging offer so much more than the now conventional e-mail. These same strong points, however, are the very things cybercriminals bank on in distributing malware through instant messaging. With 15 million young people actively using instant messaging, they serve as perfect prey for IM-related malware schemes. Links sent through IM by strangers may strike the young user’s curiosity, and their decision to click on the link may lead them to trouble.

Now What?
Like Pandora’s Box, the Internet can bring both the good and bad stuff. The Internet is a place where young people can DISCOVER, CONNECT and CREATE (i.e. blog, post messages, chat, play games, create online profiles). While exciting, it also presents certain dangers.

For young users, proper guidance and reliable security solutions are their best defense against malicious intent online. The Trend Micro Internet Safety for Kids and Families programme aims to enable and empower parents, teachers, and young people to make the Internet a safe and secure place for today’s youth. For more information and best-practice tips, please visit http://us.trendmicro.com/us/about/gc/safefamilies/.
