Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Incident Response, TDR, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Compromised Halloween websites passing along rogue software

An internet search using the keywords “halloween costumes” may turn up a number of legitimate sites that have been compromised, and users might end up with rogue anti-virus software on their machine.

The Halloween attack uses search engine optimization manipulation to distribute the campaigns, according to a Wednesday TrendLabs blog post.

Attackers prey on the vulnerabilities in legitimate websites to embed malicious code, according to Trend. Once determining a website is vulnerable, a pointer to a specially crafted rogue page -- containing many mentions of the words "halloween costumes" -- is injected into the legitimate website.

That way, when an unsuspecting web user searches those terms, the legitimate but compromised website will return a high ranking and he or she will be more likely to visit there.

The infected site contains malicious JavaScript that will redirect users to another site without their knowing. When, for example, a user clicks an online store to browse Halloween costumes, they will be redirected to a page with a pop-up claiming their computer is running slower than normal. The pop-up says the user's PC might be infected with some type of malware.

“When users click on the resulting pages, there will be software directions and the final payload will be the fake or rogue anti-virus software,” Ivan Macalintal, research manager at Trend Micro, told Wednesday.

The pop-up asks users if they want to download Antivirus 2009, claiming the software will scan their machine for malware -- but Antivirus 2009 is really a fake program.

Macalintal would not say which websites have been compromised to foist this malware but said most are mom-and-pop, rather than larger retailers.

To avoid coming into contact with this type of rogue page, Macalintal recommended that when performing an internet search users should watch out for pages that lack descriptions or contain descriptions that look like gibberish.

It just happens to be near Halloween, but this type of attack is not uncommon. Attackers prey on whatever the popular search is at the time.

Last year, Trend researchers identified similar problems in websites that resulted from searches for Christmas gift shopping, Macalintal said.

“This fake/rogue anti-virus software is really nasty,” Macalintal said. “It's spreading widely right now.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.