Attackers are targeting people searching for last-minute ideas on Halloween costumes, said CyberDefender on Oct. 29.
The Internet security vendor joined several other security firms, including Blue Coat and BitDefender, to warn users searching online for Halloween-related topics.
"Popular search terms have always been a target for cyber-criminals," said Achal Khetarpal, director of CyberDefender Research Labs.
CyberDefender identified a fake anti-virus Trojan downloader infecting pages that come up when searching for Halloween costumes. When users land on these infected pages, the fake anti-virus installer hijacks the user's Web browser and initiates a malicious process, CyberDefender said. The infected PC becomes sluggish and slow-performing while exposing personal data, according to the company.
One form, identified by Panda Labs, displays a fake video player page and asks the user to download a codec in order to play the video.
Popular search terms reflect what users are interested in at that time, making it a lucrative target. Criminals often create pages that are highly search engine optimized, with keywords reflecting currently popular search terms, said Khetarpal.
Called SEO poisoning, hackers create these pages that Google and other search engines pick up thinking they are legitimate, and return them when users type in the search terms, said CyberDefender.
According to Panda Labs, searching for Halloween costumes, Halloween decorations, Halloween ideas, Adult Halloween costumes, and Free pumpkin pattern, can return search results with malicious links.
Blue Coat said clicking on the infected link lands users on a page hosted within a hacked blog, which then redirects users to a malware distribution site. Users are presented with a download for an executable file with a name that was constructed based on the original search term, said Blue Coat. For example, users typing "Regis and Kelly Halloween show" in the search engine will see a filename like "regis-and-kelly-halloween-show-2009-to-play-40064," or "office appropriate Halloween costumes" returning "office-appropriate-halloween-costumes-to-play-40064," said Blue Coat.
According to the screenshot of malicious search results posted on the Panda Labs blog, the listed URL looks legitimate, with phrases like "halloween-costumes" embedded in the URL, and the page name also looks relevant, such as "Viking Halloween costume." The description is a giveaway, since it seems to not have anything to do with the page.
According to BitDefender, "If you're planning to find templates for Halloween invitations, or if you're trying to find a print shop for what you already have, then you should keep an eye on what search results you're about to click."
Khetarpal advised users to manually type the Web site URL, instead of just clicking on links displayed on the Google search results page. For example, if the search results page show a Halloween costume at Target, users should type target.com in the address bar and search within the store's Web site instead of clicking on the link directly. This way, users won't be re-directed to an infected site, Khetarpal said.
"Users should only click trusted links or type in the site address they want into the search bar," he said.
Spammers and hackers often take advantage of current events, popular trends, and holidays like Halloween to target users. For example, there tends to be surge in the volume of spam with Super Bowl-related subject lines. According to Khetarpal, holidays and celebrities are "hot topics" and "prime targets" for malware authors.
Khetarpal and other security experts advised users to verify they have a security software suite installed on the computer before going online, let alone searching for something. The suite should be updated to its most recent version, and the operating system should be patched with the latest updates, they said.