Careful where you click!

The Heimdal Security team has observed a blackhat SEO campaign that is currently being delivered through compromised web pages and dozens of script injections. Attackers have poisoned Google search results so that users unknowingly land on malicious web pages simply by searching for information.

Some of the targeted keywords include Java JRE, MSN 7 and Windows 8, accounting for hundreds of thousands of searches each month. Here is an example of such a result; more are shown in the screenshot below:

http://mortalitymc[.]com/index.php?threads/sun-java-1-5-jre-download.119419/

Here is a sample of the compromised web pages, which have been injected with malicious code to spread malware to unsuspecting users’ machines (sanitized by Heimdal Security):

On these pages, the victim is lured through social engineering into installing a Java JRE package, which is, of course, laced with malware.

The same cyber criminals behind this attack are also currently running a second one: they are leading users to web pages with pornographic content that are contaminated with the Angler exploit kit, which force-feeds the machine with malicious code.

What you can do to stay safe from such cyber threats:

Google has already been notified and the results will probably be eliminated from the results pages soon, but until then we recommend you:

