The Threat Prevention Team at Colorado-based eSoft has been tracking compromised sites that host PageRank Bombs since 2008. Initially, the attacker would hack a site, but instead of putting exploits on the hacked site, they put links to other websites (such as ad, porn or pharmafraud sites) in order to boost the search result ranking on various search engines. Now, however, it is being used to boost the results of malicious sites, but with a new twist that targets Google users.
The sites whose search engine rankings are being boosted are now serving up malware through a complex series of redirects. However, the redirects and the malware only occur if the user gets to the site after clicking the link on Google. Going directly to the malicious site (by pasting into your browser directly) results in a harmless page.
For example, going directly to the website, hxxp://adoptabeach.org/zzbtw/colzw/leaders.php, gives you an innocuous page. However, using Google, a search for “nhl all-time scoring leaders” returns several malicious results on the first page (in the 5th, 6th, 7th, 8th and 10th positions).
Clicking the link in the Google search results will bring the user to a website using a common Rogue Anti-Virus template that alerts the user that their PC is infected and asks unsuspecting users to download what is really a Trojan. The Trojan being downloaded at this point has only a 7% detection rate by anti-virus software with Microsoft, NOD32 and Panda detecting.
As far as eSoft’s team can tell, the referrer must have the string ‘google.com/search?q=’ in it and the User-Agent must indicate a Windows machine or the malware will not be delivered. It does not appear that users of other search engines or operating systems are yet being targeted.
Some of the sites being used include:
hxxp://shanthkherath.com
hxxp://adoptabeach.org
hxxp://advertising-made-easy.com
hxxp://shanthkherath.com
hxxp://adoptabeach.org
hxxp://advertising-made-easy.com