Federal forms themed blackhat SEO campaign serving scareware


An ongoing blackhat SEO (search engine optimization) campaign is actively hijacking a variety of U.S. federal forms keywords in an attempt to serve the Personal Antivirus (Trojan.Win32.FakeXPA) scareware.

Because of the automated, sophisticated PageRank-boosting tools cybercriminals use in these campaigns, the hijacked keywords always pop up within the first ten to twenty search results for a given keyword.

Let's analyze the campaign and discuss how they are able to bypass Google's SafeBrowsing blacklist.

Compared to the real-time (news headlines and swine flu themes) blackhat SEO campaigns launched during the last couple of months, this one relies on a pre-defined set of legitimate applications and U.S. federal forms. The following list is a sample of the keywords used:

Irs 8905, Printable Ohio Individual Tax Form, Wisconsin State Ammended Tax Form, It 1040 Ohio Form, Federal 1040ez Form, 1040 Ez Online Form, Wi 1040 Ez, 1040 Tax Form Download, Virginia Health Life Insurance License Form, Commercial Lease Offers Application Form, Free Medical Durable Power Of Attorney Form, Georgia Driving History Request Form, Parcar Warranty Claim Form, Uc 101 Form, Estate Waiver Form, Postnuptial Agreement Form, 403 B Salary Reduction Form, Copy Of Living Will Form Fl, Petition Divorce Form Oklahoma Free, Rental Agreement Form Oregon, Alaska Form Expected Death At Home, Application Form For Callas Reward Card, Celebrities Form Bretagne France, Annual Emeritus Parking Authorization Form, 540ez Ca, Illinois State Form 1040, Ira Form 8863, Income Tax Return 1040ez Form, 1096 Form Tax, Kerala Medical Examination Form, Cayman Islands Visa Form, Ohio Tax Exemption Form, Free Printable Tax Forms 1099, 1040 Tax Form Printable, Gsa Form 3503 Form Fillable, Change Of Schedul Form 3189 Uspostal, Medical Treatment Form Ohio, Default Form Louisiana Parish Preliminary Vernon, Client Interview Form Unlawful Detainer California, Nonresident Form Hawaii Vehicle

Based on the variety of keywords used, it's pretty obvious the cybercriminals behind it are attempting to exclusively hijack U.S. traffic.

It's worth pointing out that they've apparently managed to trick Google's SafeBrowsing blacklist about the true nature of the sites' content. How did they do that?

They did it by combining two well-known evasion practices: web content cloaking and HTTP referrer checking. They detect a Google crawler and serve it legitimate-looking, blackhat SEO optimized content. Since the crawler doesn't send an HTTP referrer, the cybercriminals serve the scareware only to someone coming directly from Google's search engine, and a 404 error to anyone clicking on the links without a valid HTTP referrer.
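One way a defender can check a suspicious search result for this combination is to request it as each of the three kinds of visitor and compare the responses. The sketch below is an added example, not code from the article or from any tool it mentions; the `fetch` callable, the sample headers, the `example.test` URL and both simulated sites are constructed, and it assumes the site recognises the crawler by its User-Agent header.

```python
import hashlib

# Constructed sample headers for the three kinds of visitor the article
# distinguishes; all names and the URL below are illustrative.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/3.5"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SEARCH_REFERER = "http://www.google.com/search?q=1040+tax+form+printable"

PROFILES = {
    "crawler": {"User-Agent": CRAWLER_UA},
    "search_visitor": {"User-Agent": BROWSER_UA, "Referer": SEARCH_REFERER},
    "direct_visitor": {"User-Agent": BROWSER_UA},
}

def fingerprint(status, body):
    """Reduce a response to (status, body digest) so responses can be compared."""
    return status, hashlib.sha256(body.encode("utf-8")).hexdigest()

def probe(url, fetch):
    """Request url once per profile; fetch(url, headers) returns (status, body)."""
    return {name: fingerprint(*fetch(url, hdrs)) for name, hdrs in PROFILES.items()}

def classify(results):
    """List the ways the responses differ between visitor profiles."""
    crawler, search, direct = (results[k] for k in PROFILES)
    findings = []
    if crawler != search:
        findings.append("cloaking: crawler and search visitor see different content")
    if search != direct:
        findings.append("referrer check: response depends on the Referer header")
    if search[0] == 200 and direct[0] == 404:
        findings.append("404 for direct visits, page for search visitors")
    return findings

def simulated_cloaked_site(url, headers):
    """Constructed stand-in for the behaviour the article describes.
    Assumption: the site recognises the crawler by its User-Agent."""
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, "<html>keyword-stuffed page about tax forms</html>"
    if "google." in headers.get("Referer", ""):
        return 200, "<html>fake antivirus scan page</html>"
    return 404, "Not Found"

def ordinary_site(url, headers):
    """Constructed control: the same page for every visitor."""
    return 200, "<html>tax form download page</html>"

if __name__ == "__main__":
    for site in (simulated_cloaked_site, ordinary_site):
        print(site.__name__, classify(probe("http://example.test/1040-form", site)))
```

Against live pages, a full-body hash will also flag harmless per-request differences such as rotating ads or session tokens, so compare status codes, redirect targets and page titles before treating a mismatch as cloaking.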

Disruption of the campaign is in progress.

Topics: Security, Browser, Malware

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

4 comments
  • Linux for safety

    They seem to be only trying to serve Windows scareware, so running
    Linux on line avoids the problem.
    gertruded
    • ABW

      Anything But Windows will do.
      This means that Linux, Solaris, Mac OS X, and all
      the other UNIX or UNIX-like systems available.
      Mikael_z
  • RE: Federal forms themed blackhat SEO campaign serving scareware

    It's not just purveyors of malware doing this. It's also
    sites pushing more or less legit adware. The more popular
    a topic becomes, the more one sees more and more adware
    sites on top of a search result.
    aseries
  • RE: Federal forms themed blackhat SEO campaign serving scareware

    Well done! Thank you very much for professional templates and community edition
    birumut