Attackers have set their sights on holiday shoppers searching for leaked Black Friday ads, creating malicious sites that appear on search engine result pages, according to a Nov. 18 alert by SonicWall. The security warning comes as shoppers prepare for the 2010 holiday shopping season.
Security experts at SonicWall UTM Research discovered “polluted” results appearing in search engine results for holiday shopping-related terms in advance of Black Friday sales next week, the company said. These links take users to a malicious site that tricks them into downloading malware.
The terms include “Walmart Black Friday Sales 2010,” “Black Friday” and “Cyber Monday,” according to researchers.
Cyber-criminals view popular search terms as a lucrative target because the terms reflect what people are interested in. With the advent of the holiday shopping season, consumers are searching online for the best deals and discounts, so it goes without question that hackers are “going to try” to take advantage of that traffic, according to Fred Touchette, a senior security analyst at AppRiver.
Criminals create pages that are highly search engine optimized with keywords reflecting currently popular search terms. They also seed keywords and links as comments to boost the malicious pages’ search engine rankings, “even if it’s for an hour or two, as they will be driving traffic to those pages,” said Touchette.
In this technique, called SEO poisoning, hackers create pages that Google and other search engines pick up thinking they are legitimate, and return when users type in the search terms.
SonicWall identified a two-pronged attack, varying by the user’s browser type. Clicking on one of the malicious links redirects the user to another page with embedded JavaScript code that checks the user’s Web browser. The next step varies by browser, SonicWall said. Users with Internet Explorer are redirected to a fake antivirus landing page claiming the computer is infected by several Trojans. Firefox users are redirected to a fake update page suggesting the user’s Flash player is out of date: “Firefox is outdated, also your current version of Flash Player can cause security and stability issues. Please install the free update as soon as possible.”
The fake Flash update file downloads the fake antivirus onto the computer and modifies the user registry so that the Trojan runs during system startup, said Deepen Desai, senior researcher for the threats team at SonicWall. It also posts “confidential data back to remote servers” and redirects the browser to open more pop-up windows, said SonicWall.
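
The chain described above (a click from a search results page, a redirect, then an executable download) can be looked for in web proxy logs. The following Python code is an added example, not SonicWall's; the log format, the search-engine and retailer lists, the two-minute window and the sample log lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

WATCH_TERMS = ("black friday", "cyber monday")   # search terms named in the article
SEARCH_DOMAINS = ("google.com", "bing.com")      # assumption: engines using ?q=
RETAILERS = ("walmart.com", "bestbuy.com")       # assumption: allowlisted retailer sites
WINDOW = timedelta(minutes=2)                    # assumption: click-to-download window

# Constructed sample proxy log (time, client, URL, referer); not real traffic
SAMPLE_LOG = """\
2010-11-18T10:00:01 10.0.0.5 http://deals-example.test/walmart-black-friday-2010 http://www.google.com/search?q=walmart+black+friday+sales+2010
2010-11-18T10:00:03 10.0.0.5 http://scan-example.test/av/index.html http://deals-example.test/walmart-black-friday-2010
2010-11-18T10:00:20 10.0.0.5 http://scan-example.test/av/setup.exe http://scan-example.test/av/index.html
2010-11-18T10:05:00 10.0.0.7 http://www.walmart.com/blackfriday http://www.google.com/search?q=walmart+black+friday+sales+2010
2010-11-18T10:06:00 10.0.0.9 http://vendor-example.test/tool.exe -
"""

def host(url):
    return (urlparse(url).hostname or "").lower()

def on_domain(h, domains):
    return any(h == d or h.endswith("." + d) for d in domains)

def is_watched_search(referer):
    """True if the referer is a search results page for a watched term."""
    if not on_domain(host(referer), SEARCH_DOMAINS):
        return False
    query = " ".join(parse_qs(urlparse(referer).query).get("q", [])).lower()
    return any(term in query for term in WATCH_TERMS)

def find_suspect_downloads(log_text):
    """Return (client, landing_host, download_url) per search-led executable download."""
    pending, alerts = {}, []
    for line in log_text.splitlines():
        ts, client, url, referer = line.split()
        when = datetime.fromisoformat(ts)
        if is_watched_search(referer) and not on_domain(host(url), RETAILERS):
            pending[client] = (host(url), when)      # landed on a non-retailer page
        elif client in pending and when - pending[client][1] <= WINDOW \
                and urlparse(url).path.lower().endswith((".exe", ".msi")):
            alerts.append((client, pending.pop(client)[0], url))
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_downloads(SAMPLE_LOG):
        print(alert)
```

Only the first client is flagged: the search click that lands on the retailer's own site and the executable download with no preceding search click are both ignored.
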
The infected machines are sending encrypted data back to a specific site, said Desai, adding that the team is still decrypting the data, but it “looks similar” to the InfoStealer Trojan activity.
Mac OS X users using Firefox and Internet Explorer will encounter the same malware, and it can be downloaded onto the Mac if they click on those links, according to Touchette. However, it is not likely to execute on the Mac, said Desai.
According to both Desai and Touchette, varying the malware attack based on the browser the user is using is a common tactic. The attacker is “maximizing the number of potential victims” by “customizing” the behavior to browser-specific vulnerabilities, said Touchette.
The returned search results have titles like “Walmart Black Friday 2010” and the same phrase embedded in the URL string, according to the screenshot of malicious search results posted on the SonicWall site. Since many of the sites are already known to be malicious, Firefox and Google are able to flag the links accordingly.
Hackers are also using Best Buy-related search terms, such as “Best Buy Black Friday 2010 deals,” to push a fake antivirus software called “Internet Security Suite,” according to security company Thirtyseven4.
Researchers at Sunbelt Labs also noticed that search terms for free holiday e-cards (“free cards to print”) directed users to a fake antivirus called FakeVimes.
“As the days draw closer to Black Friday, we will certainly see an increase in activity involving these tactics,” said Steven Sundermeier, owner of Thirtyseven4.
Spammers and hackers often take advantage of current events, popular trends and holidays such as Halloween to target users. For example, there was a surge in malware activity right after the earthquake in Haiti, said Touchette.
Security experts recommend making sure that the operating system, browsers and security software are up-to-date and enabling secure browsing on the Web browser before going to unknown sites. Their recommendation for looking at and verifying links gets a little dicey with the proliferation of URL shorteners like bit.ly that create nonsensical strings with numbers and letters. When possible, users should manually type the link into the browser, and search for deals within the retailer’s own site. CyberDefender suggests using encrypted search, such as Google SSL (https://www.google.com), instead of classic Google (http://www.google.com).