SEO Poisoning Piggybacks on McAfee Update Glitch

After a flawed AV update issued by McAfee left thousands of the security company’s customers scrambling to get their systems re-configured and back running normally, scammers have predictably moved to attempt to cash-in on the situation.

As first reported by security researchers with ESET (a McAfee rival), malicious search engine optimization techniques are now being employed heavily by attackers seeking to cash in on the McAfee snafu.

The wave of activity, aimed at infecting the endpoints of people looking for information on the AV update mishap, has become “fiercely concentrated” over the last day or so as the issue has been widely publicized, ESET researchers noted in a blog post.

According to work credited to Juraj Malcho, head of ESET’s lab in Bratislava, Google searches for information about the McAfee hiccup currently return as many as three malicious hits in the top ten search results, and 11 in the top 20.

“Subsequent searches using different search strings are finding even more hits, so right now, Google is well and truly poisoned,” ESET experts said in the piece.

Among the infected results showing up are those with the titles such as “Mcafee Dat 5958” or “Mcafee 5958”, which specifically invoke the naming convention associated with the involved AV update, but this has changed over the last day, and “will no doubt change again,” the researchers contend.

Most of the poisoned results redirect users to sites which predictably encourage people to download fake AV programs, which actually themselves contain Trojan threats.

Some of the specific attacks being tracked to this end by ESET include Win32/Adware.VirusAlarmPro, a variant of the Win32/Kryptik.DWC Trojan and the Win32/TrojanDownloader.FakeAlert.ALW Trojan.

ESET researcher Cristian Borghello was also credited with some of the reported findings.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.