Google Video search results poisoned to serve malware
Over the last couple of days, a single group involved in countless blackhat SEO campaigns across the Web has started massively targeting Google Video, with a campaign that has already managed to hijack approximately 400,000 search queries in order to trick users into visiting a bogus, malware-serving (W32/AutoTDSS.BNA!worm) adult web site.
Here's how the campaign works, and how they're attempting to cloak it from the eyes of security researchers.
Moreover, because they maintain a portfolio of 21 publisher domains with bogus, non-existent video content that is currently crawled, a simple tactic lets them entirely hijack a search query at Google Video. How? By simply duplicating the content across their publisher domains, they can have the top 5 search results for a particular video served from any of the 21 publisher domains, making it look like different sites have the same content.
The search engine results poisoning works as follows. A Google Video user who clicks on any content from any of the 21 publisher domains is taken to a single redirection point (porncowboys .net/continue.php), then to the well-known adult site template abused by cybercriminals (xfucked .org/video.php?genre=babes&id=7375), where the user is told that "Your Flash Version is too old. Your browser cannot play this file. Click "OK" to download and install update for Flash Video Player", and the malware is served if the user falls for it (trackgame .net/download/FlashPlayer.v3.181.exe).
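The chain described above (video search referrer, publisher domain, redirection point, landing page, executable download) can be hunted for in web proxy logs. The following is an added detection example, not code from the original article; the log format, the placeholder `.example` hosts, the `video.google.com` referrer host and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed proxy log records: (client, requested URL, referrer).
# Hosts are placeholders; only the path shapes mirror the chain in the text.
SAMPLE_LOG = [
    ("10.0.0.5", "http://publisher-a.example/watch?v=1",
     "http://video.google.com/videosearch?q=clip"),
    ("10.0.0.5", "http://redirector.example/continue.php",
     "http://publisher-a.example/watch?v=1"),
    ("10.0.0.5", "http://landing.example/video.php?genre=x&id=1",
     "http://redirector.example/continue.php"),
    ("10.0.0.5", "http://payload.example/download/FlashPlayer.v3.181.exe",
     "http://landing.example/video.php?genre=x&id=1"),
    # Benign: same-site executable download, no search referrer in the chain.
    ("10.0.0.9", "http://vendor.example/files/tool.exe",
     "http://vendor.example/downloads"),
    # Benign: search click that never leads to an executable.
    ("10.0.0.9", "http://news.example/story",
     "http://video.google.com/videosearch?q=news"),
]

SEARCH_HOSTS = {"video.google.com"}   # assumption: referrer host of the search portal
EXEC_SUFFIXES = (".exe", ".scr", ".msi")

def host(url):
    return (urlsplit(url).hostname or "").lower()

def find_poisoned_chains(records, min_hops=2):
    """Flag executable downloads whose referrer chain starts at a video
    search and crosses at least min_hops distinct intermediate hosts."""
    seen, alerts = {}, []              # seen: (client, url) -> referrer
    for client, url, ref in records:
        seen[(client, url)] = ref
        if not urlsplit(url).path.lower().endswith(EXEC_SUFFIXES):
            continue
        chain, cur, visited = [host(url)], ref, set()
        while cur and cur not in visited:   # walk referrers backwards, loop-safe
            visited.add(cur)
            chain.append(host(cur))
            if host(cur) in SEARCH_HOSTS:
                break
            cur = seen.get((client, cur))
        if chain[-1] in SEARCH_HOSTS and len(set(chain[1:-1])) >= min_hops:
            alerts.append((client, chain[::-1]))
    return alerts

if __name__ == "__main__":
    for client, chain in find_poisoned_chains(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

Because the publisher domains are interchangeable and duplicated, the check keys on the shape of the chain rather than on any one hostname.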
Google's Security Team has been notified and action is expected to be taken anytime now.