The Latest in IT Security

Converting currency on Google can lead to malware attack

20
May
2011

Euro and dollarOne of the guys at the North American branch of SophosLabs recently stumbled across some Euros following an overseas trip, and wondered how much they were worth in dollars.

So he did what any of us would probably do. He Googled it.

215 euro to usd

Google very cleverly and kindly tells you what it believes the conversion rate to be, but you’re also given a number of search results:

Euro to USD currency conversion search results

It’s that final search result which is of interest to us. A quick search finds a number of other webpages which don’t just use keywords related to currency conversion, but also other terms – “dirty sexist jokes”, for instance.

Euro to USD currency conversion search results

What is occurring here is SEO poisoning, where bad guys create poisoned webpages related to certain search terms in the hope that you will come across them and infect your computer.

The good news is that Sophos can offer a layered defence against this attack.

The initial webpage is blocked by Sophos as Mal/SEORed-A. It acts effectively as the doorway to the rest of the attack.

The site delivering the actual malicious payload is also blocked, and Sophos detects the exploit itself as Troj/ExpJS-BP.

Finally, the Java class files pushed by the exploit code are detected as Mal/JavaDldr-B.

Neat!

We see online criminals poisoning search engine results using blackhat SEO techniques a lot.

Fraser and Onur in our labs have written an excellent technical paper (PDF) which discusses the problem, and lifts the lid on how the bad guys are using automated kits to do their dirty work for them.

SEO poisoning technical paper

It’s a great read. Check it out now.

Leave a reply


Categories

SATURDAY, NOVEMBER 18, 2017

Featured

Archives

Latest Comments

Social Networks