NEWS FROM THE LAB - Wednesday, September 30, 2009

Samoa Earthquake News Leads To Rogue AV Posted by WebSecurity @ 08:03 GMT

It seems SEO poisoning is the current "trend" for directing users to rogue antivirus software. These SEO poisoning attacks usually exploit major news topics, the latest of which is the September 29th earthquake off Samoa, which triggered a tsunami warning for numerous South Pacific islands, as well as Hawaii.

Readers looking for news articles on the earthquake may come across this page in the Google search results:

[Screenshot: Samoa earthquake, Google search results]

On clicking the link, the user is redirected to a series of sites via 302 redirects:

[Screenshot: Samoa earthquake redirect chain]

The final landing page warns the user that their "system is infected":

[Screenshot: Samoa earthquake, Rogue AV landing page]

The Windows Security Center warning looks authentic enough, but it is fake. Users are prompted to download rogue antivirus software.
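The hop-by-hop redirect chain described above is the part an analyst usually wants on record. The following is an added example (not code from the original post) that follows 3xx `Location` headers one hop at a time without loading any page content, stopping on a loop or a hop limit; the `fetch` callable is injected so the logic can run against constructed responses, and the hostnames in the sample chain are made up.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin
import urllib.error
import urllib.request

Response = Tuple[int, Optional[str]]  # (HTTP status, Location header or None)
REDIRECT_CODES = (301, 302, 303, 307, 308)


def trace_redirects(url: str, fetch: Callable[[str], Response],
                    max_hops: int = 10) -> List[Tuple[str, int]]:
    """Return the (url, status) hops from `url` to the final landing page.

    Follows Location headers only; stops at a non-redirect status, a
    repeated URL (redirect loop) or after `max_hops` fetches.
    """
    hops: List[Tuple[str, int]] = []
    seen: Set[str] = set()
    current = url
    while len(hops) < max_hops and current not in seen:
        seen.add(current)
        status, location = fetch(current)
        hops.append((current, status))
        if status not in REDIRECT_CODES or not location:
            break
        current = urljoin(current, location)  # Location may be relative
    return hops


def live_fetch(url: str) -> Response:
    """Real fetcher with automatic redirects disabled (needs network access)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError instead of following
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed sample chain (hypothetical .invalid hosts): poisoned search
# result -> two intermediate hops -> fake "online scanner" landing page.
SAMPLE_CHAIN: Dict[str, Response] = {
    "http://news-example.invalid/samoa-earthquake": (302, "http://hop1.invalid/go"),
    "http://hop1.invalid/go": (302, "/landing"),
    "http://hop1.invalid/landing": (302, "http://scanner.invalid/scan.php"),
    "http://scanner.invalid/scan.php": (200, None),
}


def sample_fetch(url: str) -> Response:
    return SAMPLE_CHAIN.get(url, (404, None))
```

Swap `sample_fetch` for `live_fetch` to record a real chain; the returned list is the evidence trail from search result to landing page.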

As usual, be careful when browsing. These websites are blocked by our Browsing Protection.

Updated to add: Looks like tweets are also being used to direct people looking for tsunami news to rogue AV. Searching Twitter with the term "tsunami" turned up the following tweet:

[Screenshot: Samoa earthquake, Twitter search result]

Which led to the following message:

[Screenshot: Samoa earthquake, Twitter link landing page]

How nice, a free system scan. Then a notification that "Your computer is infected" appears:

[Screenshot: Samoa earthquake, Twitter link fake "infected" notification]

Note that the whole "folder" is really just an image. Users then get messages asking them to download a rogue AV to clear the supposed infections.

Web Security post by — Chu Kian & Choon Hong