Users interested in seeing the latest images on popular topics of the day are being hit by black hat SEO poisoning techniques to launch Neosploit or fake AV Trojans.
Attackers manipulating Google search to return malicious
pages higher on the results page is nothing new. However, researchers have
recently noticed similar tactics on Google's image search results.
Researchers reported encountering malicious search results
on Google image search as early as April 19. As of April 29, the search results
are still poisoned. Attackers are jumping on topics that are currently popular,
including the royal wedding between Britain's Prince William and Catherine
Middleton and the White House releasing President Barack Obama's birth
Adversaries "are quick to pounce on user curiosity for their
own gain," wrote Steve Ward on the Invincea
Attackers are using poisoned
SEO links techniques
to feed malicious links to users, and instead of just
relying on text searches as has been done in the past, there's been a marked
increase in links pointing to rogue sites from image search. Users looking for
the latest images from the royal wedding, such as the bride's dress or wedding
cake, for example, are at risk because they generally are not looking at the
linked URL before clicking.
"Nothing is sacred
out there, folks," Ward wrote.
Websense Security Labs Threatseeker network detected that
Google Image search returned poisoned pictures which would redirect users to
pages running the Neosploit malware kit, Websense's
posted on the Security Labs blog. The attack sites have been
modified, sometimes redirecting to Neosploit, and other times to a fake
antivirus site, according to Yang.
In the case of the Neosploit kit, the attack site downloads
a payload customized for the user's operating system, browser and installed
software, wrote Yang. In one example, the attack site downloaded a PDF file
targeting three Adobe Reader vulnerabilities and was not detectable by several
major antivirus scanners. Neosploit is readily available on the black market
and several variants exist exploiting various vulnerabilities, including MDAC,
Active X and the aforementioned Adobe Reader.
Black hat SEO campaigns often trick users into downloading fake
. While Firefox and Mozilla detect several of the
malicious links, there are several that don't get trapped, easily tricking users.
This happened to several colleagues at eWEEK recently, who had downloaded
innocuous images, such as a clip art of a question mark, and were shown a
prompt indicating the antivirus was not running. Clicking on the button to
"turn on" the antivirus launched a fake antivirus called, "Windows 7 Security
Some of the images returned when searching on President
Obama's birth certificate, using terms like "Obama birth certificate," directed
users to malicious sites that used a Java exploit to install a rogue Security
Shield antivirus or XP Anti-Spyware 2011, according to Christopher Boyd, a
senior threat researcher at GFI
Some fake antivirus software aren't content with just
popping up a screen and demanding a credit card numbers. There are some fake AV
scams that go ahead and sets up connection with a command-and-control server,
Users should be aware that there are malicious links and be
alert. When looking at any kind of search results, instead of clicking
automatically on the first result, they should look at what the URL looks like
to try to determine its authenticity. Downloads should always be from
well-known sites, wrote Manuel Humberto
, a community SANS instructor at SANS Institute on the
Internet Storm Center.
Users should consider defending the perimeter, such as
running and regularly updating a desktop firewall and an antivirus scanner.
Firefox users should consider installing the no-script add-on as it can block
Neosploit, according to Pelaez.
Enterprises should consider protecting the user from the
network by looking at sandboxing technologies that prevent exploits from
leaking into the rest of the network, according to Anup Ghosh, chief scientist
of Invincea. "As was the case with another famous fairytale wedding, this one
involves getting your users to take a bite from the poisoned apple," Ghosh said.