NEWS FROM THE LAB - Tuesday, September 15, 2009

Swayze Spam Posted by WebSecurity @ 08:39 GMT

Within hours of the reported death of movie star Patrick Swayze, our Web Analysts saw the first wave of spam related to the event.

When people search Google for news of the star's passing, clicking through the search results can land them on a "news report" such as this:

Swayze Death

Which suddenly displays this:

Swayze Death

Oh oh. Looks like SEO poisoning is being used to hit the user with a rogue AV's "invitation". The user is then shown an image that mimics a local folder being scanned (it is not the user's actual folder, just a picture) like this:

Swayze Death

Any mouse action on the image ends with the installer being downloaded.

One interesting detail is the rogue AV website includes a "geoip.php" that seems to be recording the city and country origin of each incoming connection. Could be for statistics tracking; it also seems to redirect anyone going back to the website for a second look, so you can't return to the exact same page.
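The two behaviours described above (a tracker hit on geoip.php followed by an installer download, and a page that redirects the same visitor on a return visit) leave a recognisable trace in a web proxy log. The following is an added example, not code from F-Secure or from the post; it runs over a constructed proxy log (hostnames, paths and timestamps are all invented for illustration) and flags sessions matching that pattern:

```python
"""Hypothetical detection logic (added example, not F-Secure's code): flag proxy-log
sessions that match the rogue-AV pattern described in the post, i.e. a hit on a
geoip.php tracker followed shortly by an executable download from the same host,
and pages that serve once but redirect the same client on a return visit."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple
from urllib.parse import urlparse

class Event(NamedTuple):
    ts: datetime
    client: str
    status: int
    url: str

    @property
    def host(self) -> str:
        return urlparse(self.url).netloc.lower()

    @property
    def path(self) -> str:
        return urlparse(self.url).path.lower()

# Constructed proxy log (timestamp, client IP, HTTP status, method, URL); every
# hostname and path here is invented for the example.
SAMPLE_LOG = """\
2009-09-15T08:01:02 10.0.0.5 200 GET http://www.google.example/search?q=patrick+swayze+death
2009-09-15T08:01:09 10.0.0.5 302 GET http://news-blog.example/swayze-death.html
2009-09-15T08:01:10 10.0.0.5 200 GET http://rogue-av.example/scan/index.php
2009-09-15T08:01:10 10.0.0.5 200 GET http://rogue-av.example/geoip.php
2009-09-15T08:01:11 10.0.0.5 200 GET http://rogue-av.example/images/folder_scan.jpg
2009-09-15T08:01:25 10.0.0.5 200 GET http://rogue-av.example/download/setup.exe
2009-09-15T08:05:00 10.0.0.5 302 GET http://rogue-av.example/scan/index.php
2009-09-15T08:05:01 10.0.0.5 200 GET http://rogue-av.example/other.html
2009-09-15T09:10:00 10.0.0.7 200 GET http://legit-site.example/geoip.php
2009-09-15T09:40:00 10.0.0.7 200 GET http://download.example/tool.exe
"""

EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr")

def parse_log(text: str) -> list[Event]:
    """Parse the simple space-separated log format above into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, _method, url = line.split()
        events.append(Event(datetime.fromisoformat(ts), client, int(status), url))
    return sorted(events, key=lambda e: e.ts)

def find_geoip_then_download(events: list[Event], window=timedelta(seconds=120)):
    """Return (client, host, download_url) where a client hit geoip.php and then,
    within `window`, fetched an executable from the same host."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e.client].append(e)
    hits = []
    for client, evs in by_client.items():
        for i, e in enumerate(evs):
            if not e.path.endswith("/geoip.php"):
                continue
            for later in evs[i + 1:]:
                if later.ts - e.ts > window:
                    break  # events are sorted, nothing later can be in the window
                if later.host == e.host and later.path.endswith(EXECUTABLE_SUFFIXES):
                    hits.append((client, e.host, later.url))
                    break
    return hits

def find_revisit_redirects(events: list[Event]):
    """Return (client, url) where the first request got a 2xx but a later request
    for the exact same URL by the same client got a 3xx: the 'no second look'
    behaviour described in the post."""
    first_status = {}
    flagged = []
    for e in events:
        key = (e.client, e.url)
        if key not in first_status:
            first_status[key] = e.status
        elif 200 <= first_status[key] < 300 and 300 <= e.status < 400 and key not in flagged:
            flagged.append(key)
    return flagged

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for client, host, url in find_geoip_then_download(evs):
        print(f"tracker-then-installer: {client} -> {host} ({url})")
    for client, url in find_revisit_redirects(evs):
        print(f"redirect-on-revisit: {client} -> {url}")
```

Neither rule is a signature on its own: plenty of legitimate sites have a geoip endpoint, and the 120-second window is a guess. The value is in the combination with the same client and host, which is why the legitimate-looking client 10.0.0.7 in the sample log is not flagged.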

This probably won't be the only rogue AV website to take advantage of Swayze's death to trap users. F-Secure users are protected from this threat, as the download links are already identified and blocked by the Browsing Protection service.

Swayze Death, Blocked

WebSecurity post by Chu Kian