Christmas Day Bomber Gives Boost to BHSEO Campaigns
Since Christmas, several black hat search engine optimization (BHSEO) campaigns targeting topics of interest to netizens have been evolving. Security researchers are now warning that cybercriminals have poisoned the search results for the query "Christmas Day Bomber" to distribute scareware (rogue security software).
On December 25, 2009, Umar Farouk Abdul Mutallab, a 23-year-old Nigerian national, boarded Northwest Airlines Flight 253 bound from Amsterdam to Detroit. Media later reported that the Nigerian supposedly tried to detonate a bomb on board. As soon as the news started spreading, cybercriminals appear to have begun abusing it for malicious purposes. These criminals closely watch the latest news events around the world.
Akhil Menon, security researcher at CA, wrote that a search for this news returns several links related to the event, Softpedia reported on December 30, 2009. But the first few results contain maliciously created links that take users to bogus scan pages that, in turn, try to deceive them into downloading and installing scareware on their PCs, he added.
Rogue security software, or scareware, refers to computer applications that pose as anti-virus programs and repeatedly pop up fake security alerts about non-existent infections on the computer. The ultimate aim is to trick users into paying a license fee for an entirely useless piece of software.
The malicious link optimized by the cybercriminals here carries a malicious binary, "WinProtectionUpdate_15.exe", which, if allowed to execute, downloads scareware called Total PC Defender. CA products have identified the scareware as one of the variants of Win32/TotalPCDefender.
CA security researchers have also noticed that this BHSEO assault tries to push multiple scareware programs onto the PC of the unsuspecting user. The other scareware installers discovered belong to Security Tool and PC Live Guard, and are identified as Trojan Win32/SecurityTool and Win32/PCLiveGuard variants respectively.
Internet users are strongly advised to access content only from reliable sources and to install a trusted, up-to-date anti-virus solution.
» SPAMfighter News - 12-01-2010