Security researchers warn that attackers are creating malicious sites with high SEO to target users searching online for Black Friday and other holiday shopping deals.
Attackers have set their sights on holiday shoppers searching for leaked
Black Friday ads, creating malicious sites that appear on search engine result
pages, according to a Nov. 18 alert by SonicWall. The security warning comes as
shoppers prepare for the 2010 holiday shopping season.
Security experts at SonicWall UTM Research discovered "polluted"
results appearing in search engine results for holiday shopping-related terms
in advance of Black Friday sales next week, the company said. These links take
users to a malicious site that tricks users into downloading malware.
The terms include "Walmart Black Friday Sales 2010," "Black
Friday" and "Cyber Monday," according to researchers.
Cyber-criminals view popular search terms as a lucrative target because the terms
reflect what people are interested in. With the advent of the holiday shopping
season, consumers are searching online for the best deals and discounts, so it
goes without question that hackers are "going to try" to take
advantage of that traffic, according to Fred Touchette, a senior security
analyst at AppRiver.
Criminals create pages that are highly search engine optimized with keywords
reflecting currently popular search terms. They also seed keywords and links as
comments to boost the malicious pages' search engine rankings, "even if it's
for an hour or two, as they will be driving traffic to those pages," said
Touchette.
In this technique, called SEO poisoning, hackers create pages that Google and
other search engines pick up, treating them as legitimate, and return when users
type in the search terms.
SonicWall identified a two-pronged attack, varying by the user's browser type.
Clicking on one of the
malicious links redirects the user to another page with embedded JavaScript
code that checks the user's Web browser. The next step varies by browser, SonicWall
said. Users with Internet Explorer are redirected to a fake antivirus landing
page claiming the computer is infected by several Trojans. Firefox users are
redirected to a fake update page suggesting the user's Flash player is out of
date: "Firefox is outdated, also your current version of Flash Player can
cause security and stability issues. Please install the free update as soon as
possible."
The fake Flash update file downloads the fake antivirus onto the computer
and modifies the user registry so that the Trojan runs during system startup,
said Deepen Desai, senior researcher for the threats team at SonicWall. It also
posts "confidential data back to remote servers" and redirects the
browser to open more pop-up windows, said SonicWall.
The infected machines are sending encrypted data back to a specific site, said
Desai, adding that the team is still decrypting the data, but it "looks
similar" to the InfoStealer Trojan activity.
Mac OS X users using Firefox and Internet Explorer will encounter the same
malware, and it can be downloaded onto the Mac if they click on those links,
according to Touchette. However, it is not likely to execute on the Mac,
said Desai.
According to both Desai and Touchette, varying the malware attack based on
the browser the user is using is a common tactic. The attacker is
"maximizing the number of potential victims" by
"customizing" the behavior to browser-specific vulnerabilities, said
Touchette.
The returned search results have titles like "Walmart Black Friday
2010" and the same phrase embedded in the URL string, according to the
screenshot of malicious search results posted on the SonicWall site. Since many
of the sites are already known to be malicious, Firefox and Google are able to
flag the links accordingly.
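As an added illustration that is not part of the original article or SonicWall's alert, the chain described above (a search-referred click on a URL that names a retailer but is hosted elsewhere, followed shortly by an executable download) can be hunted for in web proxy logs. The record layout, the brand-to-domain allowlist, the 120-second window and every sample value below are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

BRANDS = {"walmart": "walmart.com", "bestbuy": "bestbuy.com"}  # assumed keyword -> retailer domain
SEARCH = re.compile(r"(^|\.)(google|bing|yahoo)\.")  # referrer hosts treated as search engines
EXEC_EXT = (".exe", ".scr", ".msi")
WINDOW = 120  # max seconds between lure click and download (assumed threshold)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_lure(url, referer):
    """Search-referred URL that names a retailer whose domain does not host it."""
    if not SEARCH.search(host_of(referer)):
        return False
    host = host_of(url)
    flat = re.sub(r"[^a-z0-9]", "", url.lower())  # "best-buy" -> "bestbuy"
    return any(kw in flat and host != dom and not host.endswith("." + dom)
               for kw, dom in BRANDS.items())

def find_chains(records):
    """Return (client, lure_url, download_url) for lure clicks followed by an executable fetch."""
    last_lure, hits = {}, []
    for ts, client, url, referer in sorted(records):
        if is_lure(url, referer):
            last_lure[client] = (ts, url)
        elif urlparse(url).path.lower().endswith(EXEC_EXT) and client in last_lure:
            lure_ts, lure_url = last_lure[client]
            if ts - lure_ts <= WINDOW:
                hits.append((client, lure_url, url))
    return hits

# Constructed sample records: (epoch seconds, client, URL, Referer); hosts are reserved example domains.
SAMPLE = [
    (100, "10.0.0.5", "http://deals.example.net/walmart-black-friday-2010.html", "http://www.google.com/search?q=walmart+black+friday"),
    (104, "10.0.0.5", "http://scan.example.org/check.php", "http://deals.example.net/walmart-black-friday-2010.html"),
    (131, "10.0.0.5", "http://scan.example.org/flash_update.exe", "http://scan.example.org/check.php"),
    (200, "10.0.0.9", "http://www.walmart.com/black-friday", "http://www.google.com/search?q=walmart+black+friday"),
    (230, "10.0.0.9", "http://tools.example.com/setup.exe", ""),
]

if __name__ == "__main__":
    for hit in find_chains(SAMPLE):
        print(hit)
```

Only the first client is reported: the second reached the retailer's own domain from the search page, and its later download has no preceding lure click.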
Hackers are also using Best Buy-related search terms, such as "Best Buy
Black Friday 2010 deals," to push a fake antivirus software called
"Internet Security Suite," according to security company
Thirtyseven4.
Researchers at Sunbelt Labs also noticed that search terms for free holiday
e-cards ("free cards to print") directed users to a fake antivirus called
FakeVimes.
"As the days draw closer to Black Friday, we will certainly see an
increase in activity involving these tactics," said Steven Sundermeier,
owner of Thirtyseven4.
Spammers and hackers often take advantage of current events, popular trends
and holidays such as Halloween to target users. For example, there was a surge
in malware activity right after the earthquake in Haiti, said Touchette.
Security experts recommend making sure that the operating system, browsers
and security software are up-to-date and enabling secure browsing on the Web
browser before going to unknown sites. Their recommendation for looking at and
verifying links gets a little dicey with the proliferation of URL shorteners
like bit.ly that create nonsensical strings with numbers and letters. When
possible, users should manually type the link into the browser, and search for
deals within the retailer's own site. CyberDefender suggests using encrypted
search, such as Google SSL (https://www.google.com), instead of classic
Google (http://www.google.com).