M86 Security Labs
RSS feed of TRACElabs Blog from M86 Security

Be Careful What You Search For

March 11, 2009

We have discovered several Search Engine Optimization (SEO) schemes that are being used to improve the ranking of web pages in search results. This gives the web pages a higher number of visitors than they would otherwise get. The goal of these dubious search results is to draw high volumes of unsuspecting web users to web sites where they are then bombarded by scare tactics into purchasing malicious fake anti-virus software under the guise of useful security software.

In this blog, we highlight how one of these SEO schemes operates. This particular scheme uses the following domains:


A Google search for one of these domains returns the following results:

Each search result points to a different page focusing on one particular keyword or search term. Anyone searching for one of these terms may find one of these pages within the search results. By using hundreds or thousands of search terms, the people behind this scheme can generate a large amount of traffic to their web pages.

The page shown below is what you would see after clicking on one of these search results with JavaScript turned off. With JavaScript enabled you would either see a fake 404 Not Found page or be redirected to a second web page, as we show below.

This page has many links to itself and to other similar pages on the same domain. Each page focuses on a single search term, such as "Franchise Tax Board" in the example above. This is part of the SEO process to increase the page’s ranking and the ranking of the pages it links to.

These pages use a robots meta tag with the NOARCHIVE attribute, which tells search engines not to cache the content. Each page also includes a script hosted on another domain that consists of an eval expression:

When this runs it evaluates to the following JavaScript code:

This code checks the current page’s referrer to see whether the user arrived at the page via a search engine. If the user did not reach the site by clicking a link in a search engine's results, a fake 404 Not Found error page is displayed. If the referrer looks as if it came from a search engine, the user’s browser is sent to a second website, which then uses a 302 redirect to send the browser to the final destination:

This is a well-known page designed to scare people into downloading a fake anti-virus program. In this case, after downloading the install.exe file, our test system was infected with the rogue anti-virus program shown below.

The other similar schemes we have seen also attempt to scare users into installing various fake anti-virus products.
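The indicators described above (the NOARCHIVE robots meta tag, the cross-domain script wrapped in eval, and the decoded referrer check that shows a fake 404 or redirects) can be checked for in a captured copy of one of these SEO pages. The following scanner is an added example written for this post, not M86's own tooling; the page URL, script host and script contents are constructed placeholders, and the eval layer is assumed to have already been unpacked by the analyst.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _PageIndicators(HTMLParser):
    """Collect robots meta directives and external script URLs from a page."""
    def __init__(self):
        super().__init__()
        self.robots, self.script_srcs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.robots.append((a.get("content") or "").lower())
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

def scan_seo_page(page_url, html, scripts):
    """Return sorted indicator names found on one captured page. `scripts` maps a
    script URL -> list of source layers (as served, then each unpacked eval layer)."""
    p = _PageIndicators()
    p.feed(html)
    hits = set()
    if any("noarchive" in r for r in p.robots):
        hits.add("robots-noarchive")
    page_host = urlparse(page_url).hostname
    for src in p.script_srcs:
        if urlparse(src).hostname not in (None, page_host):
            hits.add("cross-domain-script")
        js = "\n".join(scripts.get(src, []))
        if re.search(r"\beval\s*\(", js):
            hits.add("eval-wrapper")
        if "document.referrer" in js and re.search(r"google|yahoo|msn|live", js, re.I):
            hits.add("referrer-search-engine-check")
        if re.search(r"location(\.href)?\s*=(?!=)|location\.replace\(", js):
            hits.add("script-redirect")
        if re.search(r"\b404\b|not found", js, re.I):
            hits.add("fake-404")
    return sorted(hits)

# Constructed sample mirroring the behaviour described in the post; all hosts are placeholders.
SAMPLE_URL = "http://seo-page.example.invalid/franchise-tax-board.html"
SAMPLE_HTML = """<html><head><meta name="robots" content="noarchive">
<script src="http://remote-host.example.invalid/s.js"></script></head><body></body></html>"""
SAMPLE_SCRIPTS = {"http://remote-host.example.invalid/s.js": [
    'eval(unescape("%76%61%72%20"))',  # layer 0: as served (constructed, shortened)
    'var r = document.referrer;\n'     # layer 1: what the eval expression produces
    'if (r.indexOf("google") < 0 && r.indexOf("yahoo") < 0) document.write("<h1>404 Not Found</h1>");\n'
    'else window.location.href = "http://redirector.example.invalid/";']}
```

Running `scan_seo_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_SCRIPTS)` reports all six indicators for the constructed sample, while a page whose only script is same-origin and unobfuscated reports none.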


Last Reviewed: March 12, 2009 by Gavin Neale