The Latest in IT Security

Blackhat spam SEO leading directly to a virus download


Attackers usually use some form of social engineering technique to fool users into downloading and executing a malicious executable – they scare users with a fake antivirus page, they present users with a video that requires a new software or codec update, they claim the user’s browser or Flash version is out of date, etc.
Last week, I found several Google search results for popular terms leading directly to a virus download. The following 6 domains were hijacked by attackers:


When users click on one of these domains in a Google search result page, they are redirected to another domain. This new page ensures that the request has been received from a live user with a web browser. This is accomplished by looking at the user agent and at the Referer value (does the user come from Google?). If the test is successful, the user is then redirected to or

These 2 domains serve an executable with the name It is detected as malicious by only 5 AV vendors out of 42.

Virustotal result page

All the redirections are done through HTTP 302 redirections, so no new page is shown to the user. As a result, users may think the file download was done from Google, because it does not appear that they left the Google search result page. This is the “trick” the attackers rely on to ensure that users trust the executable file, in addition to the name which looks like a domain name rather than a file name.

Malicious file download attempt

Once again, the best protection, and often the only one, is to educate users to not download and install any file unless they fully trust its origin, and explicitly requested the download.
— Julien

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments