The attack takes advantage of Google's page-ranking feature, according to researchers at eSoft's Threat Prevention Team. The scam works like this: An attacker hacks a site, but instead of embedding exploits on the hacked site, they put links to other websites to boost rankings for malicious sites, and Google users in particular seem to be the targets.
“The sites whose search engine ranking is being boosted are now serving up malware through a complex series of redirects,” Lee Graves, senior technical services engineer with eSoft, wrote on the company's Threat Prevention Team blog. “However, the redirects and the malware are only served up if the user gets to the site after clicking the link on Google. Going directly to the malicious site (by pasting into your browser directly) results in a harmless page.”
But clicking on the results in Google may bring the user to a website using a common rogue anti-virus template that alerts the user that their PC is infected and prompts unsuspecting users to download what is really a trojan.
“They're actually using a PageRank bomb, or blackhat SEO attack,” Graves told SCMagazineUS.com Tuesday.
There seems to be a few specific search terms being used, and others terms are regularly being added, he said.
“There are bunch of dangerous search terms,” Graves said. “As news changes, the terms they use change.
The scam is similar to other scareware attacks, he said.
“If you click on a dangerous result, you'll get redirected around to a couple of places, then come to a rogue AV site that says you're infected with all kinds of malware,” he said.
So far, Google is the only search site involved in the attack. A spokesman for the search giant could not be reached for comment Tuesday.