Attackers Go Old School with Phony Search

By Matthew Hines  |  Posted 2009-05-08 Print this article Print

What's it going to be next, malware hidden in downloadable browser tool bar applications? As they are wont to do, cyber-attackers have retraced their own steps back to a once dominant form of malware delivery, the fake search engine, according to researchers at PandaLabs.

Several years back, fake browsers designed specifically to steer unsuspecting users to malware downloads were all the rage, but industry focus on the issue pushed it from the main stage -- though tool bar attacks have always stuck around. Now, the browser-based campaigns are coming back into vogue, and a fair number of users appear to be falling for them, the company said. At least one of the sites has already been used by close to 200,000 users, all of whom might have been infected, Panda contended.

Experts with the company said unlike the first waves of search engine-driven threats, the newest crop illustrates the increasingly refined professionalism of malware application developers. Specifically, more of the newer threats utilize more purpose-built engines than their forbearers, many of which were driven by shady SEO tactics, Panda reported.

"Previously, cyber-crooks would use malicious SEO (Search Engine Optimization) or 'black hat SEO' techniques to improve the ranking of their pages among popular search engines. Now, they are beginning to use their own search engines, which lead users directly to pages designed to infect or defraud them," the company said in a report summary.

While researchers have seen similar attacks for years, the sophistication of the new campaigns makes them even more likely to draw people in, the experts said.

The search engines return infection-laden results, many of which are disguised as multimedia software applications or fake anti-virus programs. Many of the attacks are also being tied to popular social engineering techniques and having their themes tied to emerging news stories such as last week's swine flu outbreaks.

But no matter what you might be looking for, the nefarious browsers will point you toward malware sites.

"We started searching for words and issues frequently exploited by cyber-crime, in this case swine flu, or celebrity names such as Britney Spears or Paris Hilton, and this took us to pages created to distribute malware. But, we then found that even searching for our own names would reveal results that were in fact malicious pages," explained Luis Corrons, technical director of PandaLabs. "Strangely, though, there is the occasional normal result among all the malicious ones. Perhaps this is to bolster the illusion that this is a genuine search engine."

To avoid falling victim to these attacks, PandaLabs advises users to use only trusted search engines, and to be wary of Websites offering sensational videos or unusual stories.

"If on this kind of Website you are asked to download a codec or any other kind of program to watch videos, there is a strong chance that it is really malicious code," warned Corrons.

By tying the methods of fake search and social engineering, attackers may be able to draw in users hungry enough for news not to care enough if they don't recognize the sites that they are using.

Stay tuned, coming up next ... malware hidden in e-mail attachments.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel