ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

9/11 related keywords hijacked to serve scareware

By | September 11, 2009, 12:30pm PDT

Summary: Anticipating the logical peak of 9/11 related keywords on the 8th anniversary of the attacks, cybercriminals have hijacked the trending topic by occupying thousands of related keywords for the purpose of serving fake security software. None of the sites are currently marked as harmful by the SafeBrowsing initiative, due to the evasive tactics applied in the [...]

Anticipating the logical peak of 9/11 related keywords on the 8th anniversary of the attacks, cybercriminals have hijacked the trending topic by occupying thousands of related keywords for the purpose of serving fake security software.

None of the sites are currently marked as harmful by the SafeBrowsing initiative, due to the evasive tactics applied in the campaign, with the majority of them already appearing within the first twenty results.

Is this a deliberate 9/11 themed blackhat SEO campaign, or is it “blackhat SEO for scareware serving purposes as usual” type of campaign?

The very same Ukrainian cybercrime group — detailed assessments of their ongoing campaigns confirm their use of Google Trends — that was recently hijacking Obama Speech related keywords next to U.S Federal Forms keywords, is also the same group behind the current 9/11 themed campaign.

Whereas it would first appear that they are very good at picking up trending, and very recent topics manually, the reality is that the process is completely automated, and has been for the past couple of years. This dynamic traffic hijacking in a near real-time Web is already undermining the usefulness of static lists of “dangerous keywords” or “dangerous celebrities” to search for.

Compared to previous blackhat SEO campaigns, the campaigns launched by this group over the past couple of months indicate a lot of planning activities taking place before launching it. For instance, the malware, the redirection domains and the scareware domains are rotated once or twice every 24 hours in an attempt to increase the campaign’s lifecycle.

The latest campaign is pushing Scanner-137082_2007.exe, and while its generic detection rate will inevitably improve, not falling victim to a scam that’s selling non-existent security software, remains the best move.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Malware, 9/11 Commission, Keyword, Spyware, Adware & Malware, Cyberthreats, Viruses And Worms, Security, Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?
Ask a Question Start a Discussion
11
Comments
Add Your Opinion

Join the conversation!

Just In

RE: 9/11 related keywords hijacked to serve scareware
FAULKNE 13th Oct
Good day to confirm this comment I would appreciate T h e b e s t o f Z D N e t d e l i v e r e d your website very nice to everyone Yes, Oracle is the only one with shared-disk architecture, but that is there advantage. It means you can add or remove nodes and the database lives on. In a shared nothing architecture, if you lose a node, you lose the system. I'm sure Oracle appreciates EMC highlighting their advantage.I also desire to signal in your RSS feeds. Thank you as soon as once again and maintain up the great operate Awesome post! Thank you very much || thanks for nice content this is really benefit to me.
View in thread
0 Votes
+ -
I don't use Google Trends. I type google.com without thinking about it.
Grayson Peddie 11th Sep 2009
Other than that, it's kind of scary. sad
0 Votes
+ -
RE: 9/11 related keywords hijacked to serve scareware
lovedong 13th Sep
Thank you! Very pleased you appreciate us. happy replica watches
0 Votes
+ -
RE: 9/11 related keywords hijacked to serve scareware
birumut Updated - 2nd May 2011
Great!!! thanks for sharing this information to us!
seslisohbet seslichat
0 Votes
+ -
RE: 9/11 related keywords hijacked to serve scareware
MACKENZI 11th Sep
I also desire to signal in your RSS feeds. Thank you as soon as once again and maintain up the great operate! nccma cooler
0 Votes
+ -
RE: 9/11 related keywords hijacked to serve scareware
PEARLINEI 12th Sep
I used to be more than happy to seek out this internet-site.I wanted to thanks in your time for this glorious read!! I positively enjoying each little bit of it and I have you bookmarked to check out new stuff you weblog post. this thread is amazing i like your work and i appreciate you that you have share a useful stuff thanks for sharing the i shop abatwa
0 Votes
+ -
RE: 9/11 related keywords hijacked to serve scareware
RHIANNONA 13th Sep
I used to be more than happy to seek out this internet-site.I wanted to thanks in your time for this glorious read!! I positively enjoying each little bit of it and I have you bookmarked to check out new stuff you weblog post.Bookmarking now thanks please consider a follow up post. power sa shop
0 Votes
+ -
RE: 9/11 related keywords hijacked to serve scareware
SATURNINA 14th Sep
I think the representation of this article is actually superb one. This is my first visit to your site. Thanks a lot and keep sharing the information. Keep updating the information for all of us. Thanks ZDNet Government was launched as the brand's first industry vertical, with a mission to cater to IT professionals in the public secto I agree with your post. However, do you have any sources I can cite for my paper wheel car com bury
0 Votes
+ -
RE: 9/11 related keywords hijacked to serve scareware
TOCCAR 25th Sep
Well welcome, hopefully you can become a vital member of the community and really help to push far ahead of google. Which Im sure the development team would love. This will of course earn you alot points too and get you on the leaders board. z d n e t t h a n k Im not sure i come to an agreement with you on every level, howevor it absolutely was a good posting, many thanks for taking the time to put up your ideas.
0 Votes
+ -
RE: 9/11 related keywords hijacked to serve scareware
MCKNIGH 26th Sep
Thanks nice info z d n e t I really liked your current article write more..let me add you to its favorite The articles you have on zdnet s i t e are always so enjoyable to read. Good work and I bookmarked it.
0 Votes
+ -
RE: 9/11 related keywords hijacked to serve scareware
MEJIAHA 30th Sep
Fantastic news about the new release.I positively enjoying each little bit of it and I have you b o o k m a r k e d to check out new stuff you weblog post.Im not sure i come to an agreement with you on every level, howevor it absolutely was a good posting, many thanks for taking the time to put up your ideas
0 Votes
+ -
RE: 9/11 related keywords hijacked to serve scareware
FAULKNE 13th Oct
Good day to confirm this comment I would appreciate T h e b e s t o f Z D N e t d e l i v e r e d your website very nice to everyone Yes, Oracle is the only one with shared-disk architecture, but that is there advantage. It means you can add or remove nodes and the database lives on. In a shared nothing architecture, if you lose a node, you lose the system. I'm sure Oracle appreciates EMC highlighting their advantage.I also desire to signal in your RSS feeds. Thank you as soon as once again and maintain up the great operate Awesome post! Thank you very much || thanks for nice content this is really benefit to me.

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix