Compromised Halloween websites passing along rogue software

An internet search using the keywords “halloween costumes” may turn up a number of legitimate sites that have been compromised, and users might end up with rogue anti-virus software on their machine.

The Halloween attack uses search engine optimization manipulation to distribute the campaigns, according to a Wednesday TrendLabs blog post.

Attackers prey on vulnerabilities in legitimate websites to embed malicious code, according to Trend. Once the attackers determine that a website is vulnerable, they inject into it a pointer to a specially crafted rogue page containing many mentions of the words "halloween costumes."

That way, when an unsuspecting web user searches for those terms, the legitimate but compromised website will rank highly in the results, and he or she will be more likely to visit it.

The infected site contains malicious JavaScript that will redirect users to another site without their knowing. When, for example, a user clicks an online store to browse Halloween costumes, they will be redirected to a page with a pop-up claiming their computer is running slower than normal. The pop-up says the user's PC might be infected with some type of malware.

“When users click on the resulting pages, there will be software directions and the final payload will be the fake or rogue anti-virus software,” Ivan Macalintal, research manager at Trend Micro, told SCMagazineUS.com Wednesday.

The pop-up asks users if they want to download Antivirus 2009, claiming the software will scan their machine for malware -- but Antivirus 2009 is really a fake program.

Macalintal would not say which websites have been compromised to foist this malware but said most are mom-and-pop, rather than larger retailers.

To avoid coming into contact with this type of rogue page, Macalintal recommended that users performing an internet search watch out for pages that lack descriptions or whose descriptions look like gibberish.

It just happens to be near Halloween, but this type of attack is not uncommon. Attackers prey on whatever the popular search is at the time.

Last year, Trend researchers identified similar problems in websites that resulted from searches for Christmas gift shopping, Macalintal said.

“This fake/rogue anti-virus software is really nasty,” Macalintal said. “It's spreading widely right now.”
