Cristian Borghello, Technical and Education Manager at ESET Latin America, tells us that they've noted quite a few sites that pretend to provide information on the fire crisis in Athens, Greece, but actually download malware onto the user's PC. (Mistakes in translation are down to DH!)
The criminals are using Black Hat SEO (Search Engine Optimization) techniques such as keyword stuffing and hidden text so that search engines will present their sites at or close to the top of the listings in response to keyword searches relating to the fires.
If the user enters one of these sites, he will be redirected through several domains and, in the last of them (http://removeallthreat [ELIMINATED] .com) he will end up downloading malware of the rogue antimalware type that ESET products detect as Win32/Adware.Antivirus2009.
As can be seen in a screen dump shown in the ESET Latin America blog page at http://blogs.eset-la.com/laboratorio/2009/08/23/fuego-atenas-pretexto-para-infectar-usuarios/, several intermediate sites exist that are only used to trick the search-engine and the user into accessing the final page, which always contains malware.
The bad guys make very frequent use of these techniques, using topical events that attract the attention of the media and people in general as social engineering bait to reel in their victims.
Overnight, ESET Latin America have found other domains that use the same techniques and download similar malware:
- removeallthreat [ELIMINATED] .com
- removepc [ELIMINATED] .com
- scan-my-PC [ELIMINATED] .com
- remove-PC [ELIMINATED] .com
- homevirus [ELIMINATED] .com
- scan-your-PC [ELIMINATED] .com
ESET Latin America advise caution in accessing sites purporting to offer topical information and look out for these particular domains: if possible, block traffic from these sites using firewalls and proxies.
David Harley
Director of Malware Intelligence
