Another earthquake, another fake antivirus, as criminals jumped quickly on Japan's earthquake news to get malicious links up in search results using black-hat SEO poisoning techniques.
Within hours of the devastating earthquake and tsunami in Japan,
cyber-criminals had poisoned search results based on the disaster with
Users searching on "most recent earthquake in Japan"
may encounter some malicious links to fake anti-virus software, Trend Micro
researchers said March 11. Malware writers used black-hat search engine
manipulation techniques to push these links to the top of the search results,
according to a post on the company's Malware
"We immediately monitored for any active attacks as soon as news broke
out, and true enough we saw Web pages inserted with key words related to the
earthquake," Norman Ingal, a threat response engineer at Trend Micro,
The Japan Meteorological Agency said the 8.9-magnitude earthquake, the
strongest in the country's history, hit the Pacific Ocean
at around 2:46 p.m. local time March 11. The earthquake caused extensive damage
in Sendai, the city on the country's
northeast coast that is nearest the epicenter, and triggered 20-foot-tall
tsunamis and caused widespread fires all along the Japanese east coast. Other
tsunamis triggered by the quake hit Hawaii
and another is heading for the West Coast of the United
People are turning to the Web for the latest information and images from the
earthquake and tsunamis. Cyber-criminals are taking advantage of the intense
interest to further their own agenda.
"One of the active sites that we saw used the keyword 'most recent
earthquake in Japan'
and led to FAKEAV variants we currently detect as Mal_FakeAV-25," Ingal
According to a screenshot on the Malware Blog, the malicious links have the
search term in the title and in the URL, but the description is keyword heavy
with no actual content. A malicious link that was returned on the search had
the following description, "most recent earthquake in japan topic-most
recent earthquake in japan articles," compared with legitimate news outlets
that had more informative text.
One link's description even read "a swarm of earthquakes hit Mt St
Helens volcano on 14th
Trend Micro recommended that readers get the latest news from trusted media
outlets instead of relying on straight searches "to prevent being
victimized by this blackhat SEO." If search results are necessary,
carefully looking at the description may be helpful in weeding out some of the
most egregious links.
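
The description check above can be expressed as a small heuristic. The Python below is an added example, not code from Trend Micro or eWEEK. The thresholds, function names, titles, URLs and the legitimate description are constructed assumptions; only the suspicious description is the one quoted in the article.

```python
import re

def tokens(text):
    """Lowercase alphanumeric word tokens; punctuation and hyphens split words."""
    return re.findall(r"[a-z0-9]+", text.lower())

def has_phrase(phrase_tokens, text):
    """True if the full token sequence appears in text on word boundaries."""
    return f" {' '.join(phrase_tokens)} " in f" {' '.join(tokens(text))} "

def stuffing_signals(query, title, url, description):
    """Measure how much of a result's description is just the query repeated."""
    q, d = tokens(query), tokens(description)
    if not q or not d:  # nothing to compare; also avoids a zero-length match loop
        return {"query_coverage": 0.0, "repeats": 0, "in_title": False, "in_url": False}
    qset = set(q)
    coverage = sum(t in qset for t in d) / len(d)  # share of words taken from the query
    repeats, i = 0, 0
    while i + len(q) <= len(d):  # count non-overlapping full-phrase matches
        if d[i:i + len(q)] == q:
            repeats, i = repeats + 1, i + len(q)
        else:
            i += 1
    return {"query_coverage": coverage, "repeats": repeats,
            "in_title": has_phrase(q, title), "in_url": has_phrase(q, url)}

def looks_stuffed(sig, min_coverage=0.7, min_repeats=2):
    """Assumed thresholds: query in title and URL, and a description that is mostly the query."""
    return (sig["in_title"] and sig["in_url"]
            and sig["repeats"] >= min_repeats
            and sig["query_coverage"] >= min_coverage)

QUERY = "most recent earthquake in japan"
SUSPICIOUS = {  # title and URL constructed; description as quoted in the article
    "title": "Most Recent Earthquake In Japan",
    "url": "http://example.invalid/most-recent-earthquake-in-japan.html",
    "description": "most recent earthquake in japan topic-most recent earthquake in japan articles",
}
LEGIT = {  # entirely constructed, modeled on an informative news snippet
    "title": "Powerful earthquake strikes off Japan's northeast coast",
    "url": "https://news.example/world/japan-earthquake",
    "description": "An 8.9-magnitude earthquake hit off the coast of Japan on March 11, "
                   "triggering tsunamis and fires along the east coast.",
}

if __name__ == "__main__":
    for name, result in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        sig = stuffing_signals(QUERY, **result)
        print(name, sig, "stuffed" if looks_stuffed(sig) else "ok")
```

A heuristic like this only catches the most egregious keyword-stuffed results; it is a triage signal, not a verdict on whether a link is malicious.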
A quick search by eWEEK on Google returned two suspicious links on the first
page and several more on subsequent pages. Bing had more links that looked
suspicious appearing on the first page. Trend Micro expects more SEO poisoning
attempts down the line in order to stay on that all-important first page.
Black-hat SEO poisoning attempts to take advantage of current events and
topics of interest are not unusual. Cyber-criminals did the same thing a day
after a 6.0-magnitude earthquake hit Manila
last March, pushing up links to fake antivirus software on
search result pages for "earthquake manila philippines."
There were similar attempts shortly after the Haiti
earthquakes, as well.
"One thing for sure though is that cybercriminals will most definitely
ride on every earthquake or natural calamity news that will hit," Carolyn
Guevarra wrote on the Malware Blog.