Rogue anti-virus applications are becoming more common online as criminals use affiliate programs to make money from their installations, and one of the top methods of driving those installations is to hijack keywords and poison search results. The best earners can make hundreds of thousands of dollars spreading the software.
The reason they make such good money is the scare tactics used to trick people into installing the fake security software; once it is installed, the criminals get paid. The fake security software uses popup warnings, alerting you to an infection and other "critical" problems that in reality do not exist on your system. These warnings are often tailored to look like normal system menus and screens, adding to the appearance of legitimacy.
Shortly after Butler became the first team since UCLA in 1972 to make an NCAA Final Four appearance in their hometown, The Tech Herald noticed spikes in Google Trends for search terms related to the NCAA and Butler University.
The trends are not surprising, as Butler's story will be one of the many that fuels NCAA legend for years to come. Sadly, the rapid move by criminals to poison Butler and NCAA related search results isn't all that surprising either. What is stunning, and worth noting, is how quickly the poisoned results appeared so high in the search listings.
While searching for Final Four, Butler Final Four, and Final Four 2010, we found several sites using our own keywords, as well as those related to Butler's game on Saturday, to redirect visitors to a domain serving rogue anti-virus applications. The domains used in the Black Hat SEO operation were sprinkled in within the first two pages of Google's search results.
Since the posting of the original article, where we discussed criminals targeting Butler University and NCAA fans with poisoned search results, there have been both positive and negative developments, including the silent installation of rootkits from some pages.
[Note: The previous story, which led to this one, is here.]
When it comes to the positive developments, Firefox is blocking most of the malicious links and reporting them as attack sites. In addition, the malicious sites that once appeared high in the rankings when searching for NCAA Final Four related keywords are dropping further down the list, meaning that the odds of someone clicking them just got a little lower.
As mentioned in the previous story, the common thread in the Black Hat SEO attacks spreading the rogue anti-virus applications was a PHP script that redirects users searching for NCAA related terms to rowinscanpcNN-xorg-pl, where NN is a placeholder for a random number.
Of the 20 sites we observed redirecting to the rowinscanpc domain to spread the malicious software, all of them had been blocked in Firefox or were offline as of 1:00 a.m. EST. However, users of Google's Chrome were still able to access some of them, creating an entirely separate issue, which is expected to be resolved soon, as Chrome and Firefox both use the same website-blocking engine.
Since the blocks against the rowinscanpc domain started, new URLs have been tossed into the mix. Using a search for "Butler Final Four 2010 Tickets", The Tech Herald was able to track nine domains in the first 20 results on Google that were serving rogue anti-virus applications. Three of them are on page one.
One of them does not use the PHP script, which is what we referenced in the original story as a means of detection. This site is using something else to move people to another site, and we were unable to locate a script or code in the page's source to determine how it happened.
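Because the redirect described above is decided server-side (a PHP script that only sends visitors arriving from a search engine elsewhere), inspecting the page's source often shows nothing, which matches what we saw on this last site. A more reliable check is behavioural: request the page once as a direct visitor and once with a search-engine Referer, follow any redirects (HTTP Location headers, meta refresh, or a simple JavaScript location assignment), and compare where each visit lands. The Python below is an added example written for this article, not code from The Tech Herald or from the sites discussed; the site names, the `rogue-av-landing.example` host and the in-memory `fake_fetch` stand-in for an HTTP client are all constructed so the check runs offline. It generalises slightly beyond the article by also catching client-side (meta refresh / JavaScript) redirects.

```python
"""
Cloaked-redirect check: fetch a URL as a direct visitor and as a
search-engine visitor, follow redirects, and flag pages that send
search traffic to a different host. Added example, not the article's code.
"""
import re
from urllib.parse import urljoin, urlparse

# Constructed Referer value imitating a search-result click (assumption).
SEARCH_REFERER = "https://www.google.com/search?q=butler+final+four+2010+tickets"

# Placeholder landing host; the real domains are not reproduced here.
ROGUE_HOST = "rogue-av-landing.example"

META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)
JS_LOCATION_RE = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)


def host(url):
    """Hostname part of a URL, or '' if it has none."""
    return urlparse(url).hostname or ""


def next_hop(url, status, headers, body):
    """Return the URL a response forwards the visitor to, or None."""
    if status in (301, 302, 303, 307, 308) and headers.get("location"):
        return urljoin(url, headers["location"])
    match = META_REFRESH_RE.search(body) or JS_LOCATION_RE.search(body)
    return urljoin(url, match.group(1)) if match else None


def follow(fetch, url, referer, max_hops=5):
    """Follow redirects with a fixed Referer; returns the list of URLs visited."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(url, referer)
        headers = {k.lower(): v for k, v in headers.items()}
        nxt = next_hop(url, status, headers, body)
        if nxt is None or nxt in chain:   # stop at the end or on a loop
            break
        chain.append(nxt)
        url = nxt
    return chain


def check_cloaking(fetch, url):
    """Compare the landing host for a direct visit and a search-referred visit."""
    direct = follow(fetch, url, referer=None)
    via_search = follow(fetch, url, referer=SEARCH_REFERER)
    return {
        "direct_landing": host(direct[-1]),
        "search_landing": host(via_search[-1]),
        "search_chain": via_search,
        "cloaked": host(direct[-1]) != host(via_search[-1]),
    }


def fake_fetch(url, referer):
    """Constructed stand-in for an HTTP client (returns status, headers, body).

    Simulates three sites: one with the server-side conditional redirect the
    article describes, one doing the same with a meta refresh, and a clean one.
    """
    from_search = referer is not None and "google." in host(referer)
    h = host(url)
    if h == "compromised-blog.example":
        if from_search:   # only search visitors are sent to the rogue AV page
            return 302, {"Location": "http://%s/scan.php" % ROGUE_HOST}, ""
        return 200, {}, "<html><body>Butler Final Four tickets</body></html>"
    if h == "clientside-redirect.example":
        if from_search:
            return 200, {}, '<meta http-equiv="refresh" content="0;url=http://%s/">' % ROGUE_HOST
        return 200, {}, "<html><body>ordinary content</body></html>"
    if h == "clean-site.example":
        return 200, {}, "<html><body>NCAA Final Four 2010 preview</body></html>"
    # Anything else plays the rogue anti-virus landing page.
    return 200, {}, "<html><body>Your computer is infected!</body></html>"


if __name__ == "__main__":
    for u in ("http://compromised-blog.example/",
              "http://clientside-redirect.example/",
              "http://clean-site.example/"):
        print(u, check_cloaking(fake_fetch, u))
```

To use this against live pages, replace `fake_fetch` with a function that performs the request with the given Referer and returns the status code, headers and body; the comparison logic stays the same. Note that some campaigns also key on the User-Agent or on the visitor's IP, so a page that looks clean from a lab network is not proof that it is clean for everyone.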