Malware Spread Optimization

When I heard of Corey Haim’s death, shortly after fond recollections of License to Drive and The Lost Boys cinema moments, I wondered how soon the unfortunate news would be used in the spread of malware. Well, it didn’t take long. Hours after the announcement of Haim’s death, search results for his name came up with domains used to spread rogue antivirus software.

Using search engine optimization (SEO), online criminals force their malware-hosting sites into higher billing slots within search engine results. Often the user travels through a series of redirection sites before the final malicious domain is contacted. This creates a level of separation from the actual malware and allows a variety of domains to be constantly created, altered, and moved around, evading detection and termination. By using timely and highly popular topics of interest, domains referring to these topics stay in the leading search engine results. Recent topics covered in SEO campaigns include the Haiti disaster, the Olympics, the Oscars, and unnamed Facebook applications.
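The redirection chain described above leaves a trail in web proxy logs. The following is an added example, not part of the original post: it rebuilds Referer-linked navigation chains that begin at a search-results click and flags those crossing several distinct hosts. The log layout, host names, search-engine list and threshold are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for illustration: search-engine hosts and the distinct-host threshold.
SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
MIN_HOSTS = 3

# Constructed sample of top-level page navigations: (client, url, referer).
SAMPLE_LOG = [
    ("10.0.0.5", "http://celeb-news.example/haim-footage",
     "http://www.google.com/search?q=corey+haim"),
    ("10.0.0.5", "http://redir-one.example/go?id=7",
     "http://celeb-news.example/haim-footage"),
    ("10.0.0.5", "http://redir-two.example/in.php",
     "http://redir-one.example/go?id=7"),
    ("10.0.0.5", "http://scan-alert.example/setup.exe",
     "http://redir-two.example/in.php"),
    ("10.0.0.9", "http://news.example/story",
     "http://www.google.com/search?q=oscars"),
    ("10.0.0.9", "http://news.example/story/page2",
     "http://news.example/story"),
]

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def search_chains(records):
    """Rebuild per-client chains, linked by Referer, that start at a search click."""
    chains = []
    open_by_tail = {}  # (client, last URL in chain) -> chain still being extended
    for client, url, referer in records:
        if host(referer) in SEARCH_HOSTS:
            chain = {"client": client, "search": referer, "urls": [url]}
            chains.append(chain)
        else:
            # Simplification: only the first request continuing a chain is followed.
            chain = open_by_tail.pop((client, referer), None)
            if chain is None:
                continue  # navigation not reachable from a search click
            chain["urls"].append(url)
        open_by_tail[(client, url)] = chain
    return chains

def flag(records, min_hosts=MIN_HOSTS):
    """Return (client, final URL) for chains that cross at least min_hosts hosts."""
    return [(c["client"], c["urls"][-1]) for c in search_chains(records)
            if len({host(u) for u in c["urls"]}) >= min_hosts]
```

A flagged chain is a lead for review rather than a verdict, since legitimate link shorteners and ad networks also hop across hosts.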

So why do these attacks work so well? Amazingly, users still place a level of trust in the top resulting sites of search engine queries. It is common for people to see familiar sites time and again on the first page of search results, and popular sites deemed primarily benign usually take dominant billing. Perhaps this is why folks rarely question clicking on the initial links provided by their favorite search engines. They haven’t been burned in the past when trusting the top resulting URLs, so why should they now question the validity and intention of every suggested link? Malware is why.

I don’t always keep up with the latest events, but with a little social interaction and casual reading I hear about most events I find interesting, and usually several others I don’t, all within a reasonable amount of time. When I want to receive my news from a specific source, I usually go to one location online or watch Robin Meade on HLN in the mornings. (There’s no such thing as bad news when Robin reads it.) I use search engines like everyone else to gather information on various inquiries, but I don’t do grab bag research, blindly clicking on any keyword-matching domains. I’ve never used the “I’m Feeling Lucky” button because I never felt that lucky about randomly visiting unknown domains across the internet, and I certainly don’t want to be a punk. (A nod to Dirty Harry, in case that was missed.)

Choosing a default news site to read about all things newsworthy would seem to be an obvious point to suggest here, just as a safety precaution. However, the simple facts behind these breaking stories are not commonly what people are after. There is usually a promise of a sex tape or footage of a celebrity’s death, which can’t be found on CNN. What they can’t find on news sites is what sends users searching, which is ironic because most people only go searching for this bonus material after reading about its availability outside of regular news sites. Maybe news site restriction or loyalty would keep more users safe from attack. But then there’s always Facebook and Twitter and forums/comment/email spam to shield your eyes from as well.

When I want to know what people are searching for I go to Google Trends: http://www.google.com/trends. I assume this is what criminals intent on spreading their malware also do. Topics that are “On Fire” and “Volcanic” are being queried the most and make for prime targets. If you want to try a little safer searching, wait for topics to cool down a little before clicking around. Even better, find a news site you trust and go there for your news. Anything outside of seeking the facts may just land you in some fire of your own.

Matt Sully
Director
Threat Research & Analysis
