Scareware, Black Hat SEO and You

The scareware and rogue AV problem that initially appeared a few years ago and has since found its way onto thousands and thousands of legitimate Web sites, including The New York Times home page, has now reached epidemic levels. The scams are mostly boilerplate and well-understood, but it’s not often that we get to take a peek behind the curtain and see the inner workings of the schemes. Here’s just such a chance.


In a fascinating post, Bojan Zdrnja of the SANS Internet Storm Center has detailed exactly how one specific rogue AV attack works and exposed the methods the attackers use to gain victims and plant their malware on legitimate sites. The analysis started with the acquisition of a heavily obfuscated PHP script which, once deobfuscated, turned out to be the main script used by one particular rogue AV gang.

The attackers are placing that obfuscated script on legitimate sites running Apache with PHP, taking advantage of misconfigurations or vulnerabilities in the Web server to install it. Meanwhile, the attackers are also using one or perhaps a handful of master servers to query Google and see which keywords are trending as the most popular at the moment. Those are the keywords that the gang wants to target with the spam and rogue AV campaign.

Once the best keywords are identified, the attackers then place links containing those words on the sites that they have previously compromised. Then, as the search engines crawl the owned sites, the master PHP script phones home to the attackers’ C&C server and retrieves a dynamically generated page that contains a slew of phrases containing the specific keyword in use, as well as links to other compromised sites, Zdrnja wrote in his analysis.

“In step 2, besides spammed links, search engine crawlers will also visit compromised web sites. Now an interesting thing happens that helps poison the results: when the script detects a visit from a search engine crawler, but without the required poisoned parameters, the PHP script by the attackers will return the original requested web page, but with concatenated links to other compromised web sites that it has in the local database,” Zdrnja wrote.

The idea is to link all of their compromised sites together as a way to increase their rankings with Google, because that’s the key to the entire game. The higher they can move their owned sites up in the rankings, the more potential victims they’ll get visiting those sites. And more visitors of course means more money extracted through the rogue AV and scareware scams.
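The cloaking step above (crawlers get the page plus links to other compromised sites, normal visitors get the untouched page) is something a site owner can check for by fetching the same URL with a browser User-Agent and with a crawler User-Agent and diffing the outbound links. The script below is an added example, not code from Zdrnja's analysis or from the attackers' script; the two HTML responses and the hostnames in them are constructed sample data.

```python
"""Find off-site links that a page shows only to search-engine crawlers.

The two page bodies below are constructed samples standing in for the
responses one would get from the same URL with a browser User-Agent and
with a crawler User-Agent (hypothetical hostnames, not real sites).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect absolute href targets from every <a> tag in a document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.add(urljoin(self.base_url, value))


def extract_links(html, base_url):
    parser = LinkCollector(base_url)
    parser.feed(html)
    return parser.links


def cloaked_links(browser_html, crawler_html, base_url):
    """Return links to other hosts that appear only in the crawler-facing copy."""
    own_host = urlsplit(base_url).hostname
    extra = extract_links(crawler_html, base_url) - extract_links(browser_html, base_url)
    return sorted(u for u in extra if urlsplit(u).hostname != own_host)


# Constructed sample: a clean page, and the same page as served to a crawler.
BASE = "http://example.com/news/"
BROWSER_PAGE = '<html><body><h1>News</h1><a href="/about">About</a></body></html>'
CRAWLER_PAGE = (
    '<html><body><h1>News</h1><a href="/about">About</a>'
    '<a href="http://compromised-a.example/?q=trending+term">trending term</a>'
    '<a href="http://compromised-b.example/?q=trending+term">trending term</a>'
    "</body></html>"
)

if __name__ == "__main__":
    for link in cloaked_links(BROWSER_PAGE, CRAWLER_PAGE, BASE):
        print("crawler-only link:", link)
```

A clean site yields an empty list; a page injected as described above yields the concatenated links to the other compromised hosts, which is the signal to pull the server's PHP files and Apache configuration for review.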

The end result of all of these machinations is that the potential victim is presented with a dialog box with one of the all-too-familiar warnings that his PC is infected with malware and he needs to pay a $50 or $75 license fee to clean it. It’s a well-worn tactic, but it’s been working very, very well for the attackers and they’re not much for leaving money on the table.

But these scams obviously don’t succeed without two key elements: vulnerable Web sites and gullible end users. Unfortunately, both are in ready supply.

Discussion

  • Anonymous on

    What about Grey Hat?  Is that legit?

