An internet search using the keywords “halloween costumes” may turn up a number of legitimate sites that have been compromised, and users might end up with rogue anti-virus software on their machine.
The Halloween attack uses search engine optimization manipulation to distribute the campaigns, according to a Wednesday TrendLabs blog post.
Attackers prey on the vulnerabilities in legitimate websites to embed malicious code, according to Trend. Once attackers determine that a website is vulnerable, they inject into it a pointer to a specially crafted rogue page that contains many mentions of the words “halloween costumes.”
That way, when an unsuspecting web user searches for those terms, the legitimate but compromised website will rank highly in the results, and he or she will be more likely to visit it.
“When users click on the resulting pages, there will be software directions and the final payload will be the fake or rogue anti-virus software,” Ivan Macalintal, research manager at Trend Micro, told SCMagazineUS.com Wednesday.
The pop-up asks users if they want to download Antivirus 2009, claiming the software will scan their machine for malware — but Antivirus 2009 is really a fake program.
Macalintal would not say which websites have been compromised to foist this malware, but said most are mom-and-pop sites rather than larger retailers.
To avoid coming into contact with this type of rogue page, Macalintal recommended that, when performing an internet search, users watch out for pages that lack descriptions or contain descriptions that look like gibberish.
It just happens to be near Halloween, but this type of attack is not uncommon. Attackers prey on whatever the popular search is at the time.
Last year, Trend researchers identified similar problems in websites that resulted from searches for Christmas gift shopping, Macalintal said.
“This fake/rogue anti-virus software is really nasty,” Macalintal said. “It’s spreading widely right now.”
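The rogue pages described above repeat the search phrase many times and, per Macalintal's advice, tend to lack a sensible description. As an added example (not code from Trend Micro or this article), a site owner could check pages served from their own web root for both signals; the function name, the thresholds and the two sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not taken from any real site).
LEGIT = ('<html><head><meta name="description" content="Family costume shop '
         'with rentals and alterations."></head><body><h1>Our store</h1>'
         '<p>We stock halloween costumes, wigs and makeup.</p></body></html>')
DOORWAY = ('<html><body>' + '<p>halloween costumes cheap halloween costumes '
           'buy halloween costumes</p>' * 5 + '</body></html>')

class _PageText(HTMLParser):
    """Collects visible words and the meta description of one HTML page."""
    def __init__(self):
        super().__init__()
        self.words, self.description, self._skip = [], None, 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1          # text inside these is not visible
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.description = a.get("content") or ""
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.words += re.findall(r"[a-z0-9']+", data.lower())

def audit_page(html, phrase="halloween costumes", max_density=0.15):
    """Return the reasons a page looks like a keyword-stuffed rogue page."""
    p = _PageText()
    p.feed(html)
    p.close()
    target = phrase.lower().split()
    n = len(target)
    hits = sum(p.words[i:i + n] == target for i in range(len(p.words) - n + 1))
    density = hits * n / len(p.words) if p.words else 0.0
    reasons = []
    # Assumed threshold: repeated phrase making up over 15% of visible words.
    if hits >= 3 and density > max_density:
        reasons.append(f"phrase is {density:.0%} of visible words ({hits} hits)")
    desc = (p.description or "").strip()
    if not desc:
        reasons.append("no meta description")
    elif len(set(desc.lower().split())) < 3:   # crude stand-in for "gibberish"
        reasons.append("description looks like filler")
    return reasons
```

Run over every HTML file under the web root, a non-empty result on a page the owner did not publish is a cue to look for an injected link pointing at it.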