Our research colleagues in South America have found that the bad guys are making a considerable effort to infect your computer when you search for information about the 2010 World Cup games, specifically if you are searching for free tickets. The bad guys know that people searching for free tickets to the World Cup will click on anything in the quest for the non-existent, including the links to their malicious sites.

The original blog is in Spanish and is at http://blogs.eset-la.com/laboratorio/2010/05/20/mundial-futbol-2010-te-puede-infectar/. I’ll try to give you a feel for the blog, but my Spanish is not up to the task of translation, and neither is Yahoo’s Babel Fish. The phrase Blackhat SEO was translated to Blackhat Cathedral. I guess that for the bad guys, SEO is a holy place!

So, roughly translated and with some of my own commentary…

In only a few minutes our Latin American team was able to find cases where searches about the World Cup, to be held in South Africa next month, returned links to malicious web sites that try to infect users.

This means the criminals are successfully using Blackhat SEO techniques to get their sites high up in the results of searches related to the World Cup. Their goal is to infect millions of users who are interested in this major sporting event.

A person performing such searches is likely to encounter results such as those pictured below, where the top four results lead to websites trying to install malware.

If you click on one of those results you will be redirected to a web page that shows a fake “Windows Security Center” notification, a technique that is widely used to install rogue antivirus software on the computers of the unsuspecting. If you close the browser at this point you are OK, but if you follow the instructions in the dialog box and click on “Protect”, then you have actually selected “Infect me!”

Of note, if you manually enter the address of one of the search results into your browser, you will be taken to the CNN website. The technique leads to the infected web pages only if the visitor arrives from the Google search results. The goal in using this technique is to make it difficult for the good guys to track down the malware and bad web sites.
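The referrer check described above can be tested from the defender's side by requesting the same address twice, once as if typed and once as if clicked from a search page, and comparing where each request ends up. This is an added example, not code from the original post or from ESET; the `.example` hostnames, the search query and the `simulated_fetch` stand-in are constructed for illustration.

```python
# Added example: flag URLs whose final destination depends on the Referer header.
# Hostnames ending in .example and the search query are constructed placeholders.
import urllib.request
from urllib.parse import urlsplit

SEARCH_REFERER = "https://www.google.com/search?q=world+cup+free+tickets"

def fetch_final_url(url, referer=None, timeout=10):
    """Follow HTTP redirects and return the final URL (page scripts are not run).

    Run against suspect URLs only from an isolated analysis machine.
    """
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    request = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.geturl()

def check_referrer_cloaking(url, fetch=fetch_final_url):
    """Request the URL as typed and as clicked from a search page, then compare hosts."""
    direct = fetch(url, None)
    via_search = fetch(url, SEARCH_REFERER)
    direct_host = urlsplit(direct).hostname
    search_host = urlsplit(via_search).hostname
    return {
        "url": url,
        "direct_host": direct_host,
        "search_host": search_host,
        "referrer_dependent": direct_host != search_host,
    }

def simulated_fetch(url, referer=None):
    """Constructed stand-in for the network, modelled on the behaviour described above."""
    if urlsplit(url).hostname == "poisoned-result.example":
        came_from_google = bool(referer) and urlsplit(referer).hostname == "www.google.com"
        return ("http://fake-scanner.example/scan" if came_from_google
                else "http://www.cnn.com/")
    return url  # ordinary site: same destination regardless of Referer

if __name__ == "__main__":
    for candidate in ("http://poisoned-result.example/world-cup-tickets",
                      "http://ordinary-site.example/news"):
        print(check_referrer_cloaking(candidate, fetch=simulated_fetch))
```

A check made at the HTTP level like this one sees only server-side redirects; a page that inspects the referrer in script needs a sandboxed browser to observe.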

If you are using NOD32 or ESET Smart Security you would immediately be alerted that ESET has detected a Trojan, such as HTML/TrojanDownloader.FraudLoad.NAC.

With less than a month before the World Cup, the attackers have really stepped up their efforts to come in at the top of searches related to this popular event.

Always keep in mind that if you are searching for something that is big in the news, there is a criminal trying to make you find his malicious web site so as to spread malicious programs. Search with caution, be alert, and remember, when you land on a web page that says your computer is infected, it is time to close your browser.

Many thanks to Cristian Borghello and Sebastián Bortnik from the Laboratory of ESET Latin America.

Randy Abrams
Director of Technical Education