ScanSafe detects malware that can affect search engine results pages to plant malicious links

News by Dan Raywood

Malware that hits browsers and affects search engine results pages has been detected.

Mary Landesman, senior security researcher at ScanSafe, claimed that she had been tracking malware that incorporates Black Hat search engine optimisation techniques to manipulate Google search engine results pages.

Landesman claimed: “Because of the nature of how the attacks work, the rate of the attacks has been increasing exponentially and has now grown considerably large.

“The attacks are perpetuated through the compromise of legitimate sites. Once a visitor to a compromised site has been infected with the Trojan, any sites that they manage will then also be susceptible to compromise.”

“Though stolen FTP credentials appear to be the most common method employed in these particular attacks, compromise can also occur via standard methods, such as poor configuration settings, vulnerable web apps, and so on.”

Landesman explained that the malicious script embedded during the compromise is usually placed on either a .js or .php file rather than directly on the default home page for the site, which could enable the signs of the compromise to bypass casual observation.
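Because the injected script lands in an existing .js or .php file rather than on the home page, the practical defender's check is a file-integrity baseline of the web root rather than a look at the front page. The following is an added example, not code from the article or from ScanSafe: it hashes watched file types, reports files that were added or changed since the baseline, and applies a few heuristic markers (my own assumption about what injected script tends to contain, not taken from the article) to the flagged files. The demo builds a constructed site in a temporary directory and simulates the change described above.

```python
import hashlib
import os
import tempfile

# File types the article says were used to carry the injected script,
# plus the home page types that should be checked anyway.
WATCHED_EXT = (".js", ".php", ".html", ".htm")

# Heuristic markers (an assumption for this example, not from the article)
# that commonly appear in injected script and rarely in hand-written site code.
SUSPICIOUS_MARKERS = (
    "eval(unescape(",
    "document.write(unescape(",
    "eval(base64_decode(",
    "visibility:hidden",
)


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every watched file under root (path relative to root, '/' separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(WATCHED_EXT):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
    return manifest


def diff_manifest(baseline, current):
    """Return (added, modified, removed) relative paths between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def find_markers(path):
    """Return the suspicious markers present in a file (case-insensitive)."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        text = f.read().lower()
    return [m for m in SUSPICIOUS_MARKERS if m.lower() in text]


def demo():
    """Constructed scenario: baseline a small site, then simulate one changed
    .js file and one added .php file, and report what the check flags."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>Welcome</body></html>\n")
        with open(os.path.join(root, "js", "menu.js"), "w") as f:
            f.write("function showMenu() { /* site code */ }\n")
        baseline = build_manifest(root)

        # Simulate the compromise the article describes: an existing .js file
        # gains an appended obfuscated line and a new .php file appears.
        # Both payload strings are constructed stubs, not real samples.
        with open(os.path.join(root, "js", "menu.js"), "a") as f:
            f.write("eval(unescape('%64%6f%63'));\n")
        with open(os.path.join(root, "tmp.php"), "w") as f:
            f.write("<?php eval(base64_decode('Q0xFQU4='));\n")

        added, modified, removed = diff_manifest(baseline, build_manifest(root))
        flagged = {p: find_markers(os.path.join(root, p)) for p in added + modified}
        return {"added": added, "modified": modified, "removed": removed, "markers": flagged}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice the baseline manifest would be written once from a known-good copy of the site, stored off the web host (a manifest kept on the same FTP-accessible server can be altered along with the files), and compared on a schedule; the marker list is only a triage aid, and an unexplained hash change on a .js or .php file deserves a look even when no marker matches.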

So when web surfers visit one of the compromised sites, the embedded script leads to a cocktail of PDF, Flash and MDAC exploits which result in the creation of an executable and two batch files that ensure the executable gets moved and renamed.

When any sound-enabled application, for example a browser, is launched, the malware is enabled. The malware monitors traffic to and from the browser and is then able to steal usernames, passwords and other sensitive information.

When infected users perform certain Google searches, the search engine results page is manipulated so that affiliate links replace the legitimate links. Cookie stuffing is used so that the links presented appear normal, where the affiliate ID is not exposed, but the rogue affiliate gets full credit for the unintended click through.

Landesman said: “Given the escalation of these attacks, it appears that someone is making a great deal of money.”
