More than 100 websites compromised for Blackhat SEO strategy

We have noticed a new case of blackhat SEO used by cybercriminals to distribute their backdoors and to gain as many victims as possible. By hijacking keywords in search engines, they drive targeted user traffic to malicious websites that contain hidden iframes, evil JavaScript code and other sorts of malicious code, which in turn redirect users to other dangerous websites that distribute rogue software and trojans.

Screenshot of Google results

Rogue security software distributors have recently started a campaign to hijack traffic coming from keywords related to the anime/cartoon Bleach, in particular episode number 244. In our analysis we found more than 100 websites compromised with scripts that capture the users’ search keywords and then redirect them to rogue software websites, or to other websites that distribute trojans disguised as false video codecs. Users are also redirected to pages that display a false scan of their computer, stating that the computer is infected and that they need a special program to remove the infections.

The program distributed by these malicious websites is in reality a false antivirus: besides installing a completely fake security program, it also installs other backdoors that can steal important and private data from the victim’s computer.

Below are some screenshots of malicious webpages we encountered during the analysis; they display false pages stating that our computer is infected by viruses, or offer the download of false video codecs:

Screenshot of a false video codec

Some websites were infected with evil JavaScript code that redirected users to other malicious websites able to install various trojans and rootkits on the user’s computer. We decrypted some of the JavaScript code, and this is where the scripts were redirecting the unfortunate users:

Screenshot of decoded script

Screenshot of malicious domains

The above malicious websites contain further redirections to websites that distribute rogue software named Antivirus 2010, SystemVeteran and Internet Antivirus Pro, all of which are false security software. There are also hidden iframes that redirect users to other very dangerous websites that exploit various vulnerabilities in web applications and web browsers to install trojans and rootkits on the user’s computer.

On most compromised websites, if the victim visits a second time without a search-engine referer, a script changes the “Location:” HTTP header to CNN.com and the user is redirected to the legitimate CNN website:

Screenshot of Internet traffic

The structure of the links on the malicious websites that hijack the keywords in search engines is as follows:

/?q=keyword
/?page=keyword
/ssl.php?t=keyword
/index.php?a=keyword
/dfd/index.php?a=keyword
/rew/index.php?a=keyword
/gtr/index.php?a=keyword
/gde/index.php?a=keyword
/?clo=keyword
/?t=keyword
/in.php?t=keyword
/logon.php?page=keyword
/log.php?page=keyword
/images/?page=keyword
/?kkk=keyword
/mxbb/?kkk=keyword
/?topic=keyword
/faq.php?t=keyword
/seed.php?keyword
/shop/images/?t=keyword
/shop/images/?page=keyword
/shop/images/?a=keyword
/shipping.php?p=keyword
/?tost=keyword
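As an added example (not code from the original post): a Python triage routine that checks URLs from proxy logs against the 24 link shapes above and records whether the request carried a search-engine Referer, which is the condition the post ties to the malicious redirect. The log line format, the search-engine list and the sample lines are assumptions constructed here; shapes such as /?q= and /?page= also occur on legitimate sites, so a hit is a lead for review rather than a verdict.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# URL shapes listed in the post; the literal "keyword" stands for the hijacked search term.
HIJACK_PATTERNS = [
    "/?q=keyword", "/?page=keyword", "/ssl.php?t=keyword", "/index.php?a=keyword",
    "/dfd/index.php?a=keyword", "/rew/index.php?a=keyword", "/gtr/index.php?a=keyword",
    "/gde/index.php?a=keyword", "/?clo=keyword", "/?t=keyword", "/in.php?t=keyword",
    "/logon.php?page=keyword", "/log.php?page=keyword", "/images/?page=keyword",
    "/?kkk=keyword", "/mxbb/?kkk=keyword", "/?topic=keyword", "/faq.php?t=keyword",
    "/seed.php?keyword", "/shop/images/?t=keyword", "/shop/images/?page=keyword",
    "/shop/images/?a=keyword", "/shipping.php?p=keyword", "/?tost=keyword",
]
# Assumed list of search-engine referers to recognise.
SEARCH_REFERER = re.compile(r"^https?://([^/]+\.)?(google|bing|yahoo)\.", re.I)

def match_hijack_url(url):
    """Return (pattern, keyword) when the URL's path and query have exactly one of the listed shapes."""
    parts = urlsplit(url)
    path = parts.path or "/"
    for pattern in HIJACK_PATTERNS:
        ppath, _, pquery = pattern.partition("?")
        if path != ppath:
            continue
        if "=" not in pquery:                        # /seed.php?keyword: the bare query is the term
            if parts.query and "=" not in parts.query:
                return pattern, parts.query
            continue
        param = pquery.split("=", 1)[0]
        qs = dict(parse_qsl(parts.query, keep_blank_values=True))
        if list(qs) == [param] and qs[param]:        # only that parameter, and non-empty
            return pattern, qs[param]
    return None

def triage_log(lines):
    """Flag requests whose URL has a hijack shape and note whether a search engine referred them."""
    hits = []
    for line in lines:
        url, referer = line.split()[2:4]             # assumed format: time client url referer status
        m = match_hijack_url(url)
        if m:
            hits.append({"url": url, "pattern": m[0], "keyword": m[1],
                         "from_search": bool(SEARCH_REFERER.match(referer))})
    return hits

# Constructed proxy log lines (not from the post); "-" means no Referer header was sent.
SAMPLE_LOG = [
    "12:00:01 10.0.0.5 http://compromised.example/ssl.php?t=bleach+244 http://www.google.com/search?q=bleach+244 302",
    "12:00:09 10.0.0.5 http://compromised.example/ssl.php?t=bleach+244 - 302",
    "12:01:00 10.0.0.7 http://site.example/shop/images/?page=bleach+244 http://www.bing.com/search?q=bleach 200",
    "12:02:00 10.0.0.8 http://site.example/seed.php?bleach+244 - 200",
    "12:03:00 10.0.0.9 http://shop.example/index.php?a=bleach&cat=3 - 200",
]
```

The same client requesting a flagged URL first with a search-engine referer and then without (as in the first two sample lines) is the access pattern on which the post observed the CNN redirect.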
