Tuesday, September 15, 2009

Kanye: Stealing the Microphone and Your PC

The last couple of days have brought a strong surge in headlines being used to serve Scareware. We first noticed this resurgence with headlines regarding the anniversary of the 9/11 attacks; next was the Serena Williams meltdown. Today there was a whole new slew of pages serving malware while purporting to be legitimate news stories. This morning it was Patrick Swayze’s death, and this afternoon I came across Kanye West VMA 2009 as the most recent target of poisoned search engine results serving up Malware/Scareware.

In many of these instances the attackers are simply hacking sites that already rank highly in Google’s index for a particular search term. The attackers then insert malicious scripts that redirect users to the Scareware payload sites. When an unsuspecting person uses a search engine to find related stories, some of the search results contain these "poisoned" links. This technique is at times used in tandem with a more intricate approach: in many instances, instead of hacking a legit domain, the attacker will create their own domain. They will then employ some shady SEO practices to boost their domain high in the search rankings, leading the unsuspecting user to click on the link to the malicious site.

By the time I had returned to the latest page serving the “Kanye West” scareware, it had already been labeled by Google as malicious and was being blocked. Google was identifying the following domains as being used to distribute the malware on this site: getfreediscounts.com, usdisturbed.cn, try-your-destiny.com. Google issued a statement on Monday stating: "Using any Google product to serve or host malware is a violation of our product policies. In all cases, we actively work to detect and remove sites that serve malware from our search index and our ad network, and we immediately suspend accounts found to contain ads pointing to sites that install malware. To do this, we have manual and automated processes in place to enforce our policies."

Search result poisoning and SEO manipulation for serving malware are nothing new, but they are seldom seen with such frequency. This just goes to show that when browsing the web nowadays, one must exercise more caution than ever. It would also be a good idea to utilize some sort of URL filtering to keep you protected from these zero day attacks.
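As an added illustration (not code from the original post), here is one way a proxy-log check could tie a search click to the compromised landing page and then to one of the payload domains named above. The log layout, the search-engine host list, the use of the `q` parameter and the `example.*` hosts are assumptions, and the sample entries are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Payload domains named in the post (as flagged by Google at the time).
PAYLOAD_DOMAINS = {"getfreediscounts.com", "usdisturbed.cn", "try-your-destiny.com"}
# Assumption: search engines whose referrers we treat as "search clicks".
SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_payload_host(host):
    # Match the domain itself or any subdomain, on a label boundary only,
    # so look-alike names that merely end in the same string do not match.
    return any(host == d or host.endswith("." + d) for d in PAYLOAD_DOMAINS)

def find_poisoned_clicks(entries):
    """entries: (client, url, referer) tuples in time order.
    Returns (client, search query, landing host, payload host) per chain."""
    landed = {}  # (client, landing host) -> search query that led there
    hits = []
    for client, url, referer in entries:
        host, ref_host = host_of(url), host_of(referer)
        if ref_host in SEARCH_HOSTS:
            query = parse_qs(urlsplit(referer).query).get("q", ["?"])[0]
            landed[(client, host)] = query
        if is_payload_host(host):
            query = landed.get((client, ref_host))
            if query is not None:
                hits.append((client, query, ref_host, host))
    return hits

# Constructed sample log; example.* hosts are placeholders.
SAMPLE_LOG = [
    ("10.0.0.5", "http://news.example.org/kanye-vma",
     "http://www.google.com/search?q=kanye+west+vma+2009"),
    ("10.0.0.5", "http://cdn.getfreediscounts.com/scan.php",
     "http://news.example.org/kanye-vma"),
    ("10.0.0.7", "http://blog.example.net/post",
     "http://www.google.com/search?q=patrick+swayze"),
    ("10.0.0.7", "http://notgetfreediscounts.com/",
     "http://blog.example.net/post"),
]

if __name__ == "__main__":
    for hit in find_poisoned_clicks(SAMPLE_LOG):
        print(hit)
```

Each hit names the landing host that did the redirecting, which is the site to report or block even after the payload domain itself has been rotated.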
