Cybercriminals have begun using Google Video
to deliver victims to their doorstep.
About 400,000 search queries on the popular video search site recently redirected to a malicious website that leads to malware download and execution, Jamz Yaneza, threat resesearch manager at Trend Micro, told SCMagazineUS.com on Monday.
The threat first was detected last week, according to Google, and appears to have been halted, researchers said.
During the attack, cybercriminals utilized search engine optimization
(SEO) tactics to make their poisoned search results
appear at the top of the list for certain queries, Yaneza said. Users were tricked into visiting the malicious websites, believing that the top search results were reliable.
When users followed one of the fake video searches, they were redirected to a spoofed video streaming website and were prompted to download and install an Adobe Flash Player
update to view the videos, Yaneza said. That download was really a new worm
-- detected as WORM_AQPLAY.A -- which spreads through shared network drives and removable media devices when autorun is enabled.
Users were only prompted to download the worm if they were referred to the site from Google Video. So, if a user went straight to the bad site by typing the URL in his or her browser, they were not delivered the exploit because they were not referred there from Google.
This makes the exploit more difficult to detect because the malware writers are weeding out those who are not genuine victims, such as researchers, Roger Thompson, chief research officer at AVG, told SCMagazineUS.com Monday.
He said the crooks appear to be operating out of Russia or Ukraine and are well versed in similar internet attacks.
“We have not seen this particular trick before but we have seen this gang plenty of times,” Thompson said.
A Google spokesman told SCMagazineUS.com on Monday that it has taken steps to prevent future attacks of this nature.
"Google works hard to protect our users from malware, and using Google Video, or any Google product, to serve or host malware is a violation of our product policies," he said.