Your SlideShare is downloading. ×
Johnny Depp  Bill Cosby and Super Bowl 44 Searches Result in Fakeav  (2/15/2010)
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Johnny Depp Bill Cosby and Super Bowl 44 Searches Result in Fakeav (2/15/2010)

557
views

Published on

Recently FAKEAV peddlers have fully leveraged blackhat search engine optimization (SEO) tactics to profit from their malicious wares. Targeting millions of fans as potential victims—FAKEAV and …

Recently FAKEAV peddlers have fully leveraged blackhat search engine optimization (SEO) tactics to profit from their malicious wares. Targeting millions of fans as potential victims—FAKEAV and blackhat SEO—work hand-in-hand to create a dangerous and all-too-common threat for Web surfers.

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
557
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Web Threat Spotlight A Web threat is any threat that uses the Internet to facilitate cybercrime. ISSUE NO. 57 FEBRUARY 15, 2010 Johnny Depp, Bill Cosby, and "Super Bowl 44" Searches Bag FAKEAV In the past few months, FAKEAV peddlers fully leveraged blackhat search engine optimization (SEO) tactics to profit from their malicious wares. Targeting millions of fans as potential victims—FAKEAV and blackhat SEO—worked hand-in-hand to create a dangerous but, unfortunately, all- too-common threat for Web surfers. The Threat Defined Blackhat SEO and FAKEAV: New Partners in Cybercrime 2009 saw several FAKEAV variants proliferate online. While we have seen this kind of threat as early as 2004, last year witnessed its rapid rise to the list of the most common Web threats. Blackhat SEO has increasingly become cybercriminals' favorite method of spreading FAKEAV. Poisoning search results has proven to be a very effective technique in luring more visitors to click links to malicious sites that end with the download of FAKEAV, especially since peddling them is indeed very profitable. Though other methods of spreading FAKEAV remain in use, blackhat SEO techniques are particularly dangerous because most if not all people can potentially become victims just by using search engines. It has, in fact, become common for cybercriminals to create malicious sites related to the hottest topics or happenings just to spread various FAKEAV variants. This threat was recently highlighted by at least three separate events: Figure 1. Typical blackhat SEO-triggered FAKEAV infection diagram  Johnny Depp's supposed death due to a car crash  The latest season of one of the United State's most popular television show—"Super Bowl 44"  Bill Cosby's supposed death, which he himself proved to be untrue These three separate attacks had two major things in common—blackhat SEO and FAKEAV. They all used enticing search phrases related to the aforementioned events. They leveraged on people's innate curiosity and the popularity of the two celebrities and the "Super Bowl." Their search results all led to malicious sites where the following FAKEAV variants were hosted:  TROJ_DLOADER.GRM (aka Drive Cleaner 2006)  TROJ_FAKEAL.SMDP (aka Security Antivirus) Apart from the similarities already stated above, the cybercriminals behind the attacks also had only one thing in mind—to gain profit. There was, however, a slight difference between the two variants, too. The first posed as a codec that users needed to download in order to watch a video of Depp's car crash. The second, on the other hand, used the ever-reliable but very effective scareware tactic. How Blackhat SEO Helps Sell FAKEAV Since blackhat SEO and FAKEAV are likely to stay on for a long time, TrendLabs security specialists analyzed what made the “blackhat SEO and FAKEAV partnership” work and came up with these results:  More cybercriminals will utilize "keyword stuffing" or abuse the use of keywords to make their malicious sites rise to the top of search results for hot topics. 1 of 2 – WEB THREAT SPOTLIGHT
  • 2. Web Threat Spotlight A Web threat is any threat that uses the Internet to facilitate cybercrime.  They will also leverage "page stuffing" or hack legitimate sites that appear on top of search results and stuff them with malicious pages.  They will also use "farming links" or linked Web pages to increase one another's popularity and link their malicious sites with these.  Finally, cybercriminals will continue to develop more effective "cloaking" techniques, leading users to bogus sites or even fake search engines. Cloaking is a blackhat SEO technique in which the content presented to the search engine spider is different to that presented to the user's browser. User Risks and Exposure The popularity of the Internet in recent years means users are not just more actively searching for information online. They are also doing so more quickly than ever before. This means that the potential "market" for cybercriminals peddling their malicious wares to unwary users is also increasing, as more users click links to search results that lead to the download of rogue antivirus. The effects of FAKEAV malware have been well documented over the last few months. At the very least, users lose time by responding to false alerts and closing windows. More directly, however, they can also incur financial losses if they reveal financial information (e.g., credit card numbers) in malicious sites, believing they are purchasing legitimate products. While FAKEAV are a lot cheaper compared with commercial antivirus products, ranging from US$50–70 each—the risk they pose in terms of data theft is greater. As such, companies must impose stricter security measures to keep themselves safe from these and other kinds of Web attacks. In today's complex threat landscape, however, installing antivirus applications may no longer be enough, they need to use more aggressive security solutions and to make their clients/employees more aware of cybercriminals' ingenious schemes. Trend Micro Solutions and Recommendations Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect. Smart Protection Network™ protects users from this kind of attack by blocking user access to malicious sites where FAKEAV may be downloaded with Web reputation service and by detecting and blocking the execution of TROJ_DLOADER.GRM and TROJ_FAKEAL.SMDP on user systems via file reputation service. Users can also prevent themselves from becoming victims of similar attacks by avoiding relatively unknown sites that are likely hosts of FAKEAV variants. While they may rank highly in search results, their URLs, which can be seen in search results as well, may not be that "familiar." Avoiding such sites and visiting well-known sites with recognizable domain names instead thus helps them avoid potentially significant losses. The following posts at the TrendLabs Malware Blog discuss this threat: http://blog.trendmicro.com/hackers-exploit-actor-johnny-depp%E2%80%99s-death-hoax/ http://blog.trendmicro.com/search-for-news-on-the-super-bowl-and-bill-cosby%E2%80%99s-supposed-death-lead-to-fakeav/ The virus reports are found here: http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADER.GRM http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FAKEAL.SMDP Other related posts are found here: http://blog.trendmicro.com/fakeav-gets-first-dibs-in-profits-from-apple-ipad/ http://blog.trendmicro.com/a-million-search-strings-to-get-infected/ http://blog.trendmicro.com/blackhat-seo-and-fakeav-a-dangerous-tandem/ http://blog.trendmicro.com/rogue-av-scams-result-in-us150m-in-losses/ http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/50_predictably_unpredictable_fakeavs__january_11__2010_. pdf http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/trend_micro_2010_future_threat_report_final.pdf http://blog.trendmicro.com/searches-for-free-printable-items-lead-to-mal-domains/ http://en.wikipedia.org/wiki/Cloaking http://en.wikipedia.org/wiki/Vundo 2 of 2 – WEB THREAT SPOTLIGHT