Two weeks ago we wrote about search engine optimization (SEO) being used to return malicious links in search engine queries. These links lead to a website that pretends to scan your computer and claim that you are infected with malware. The user would then be asked to download a rogue antivirus program to remove the malware.
This same SEO campaign is still ongoing and is causing links to be inserted into millions of innocent searches. These links can be recognized by the text "CLICK HERE! INFO ABOUT:". The links can turn up in just about any search but are usually not on the first page. It takes a more precise search such as one using Google's 'past 24 hours' option to get one of these links in the top 10 results. Yahoo and MSN search and presumably others are also returning these links in search results.
As an example, say you wanted to get the weather forecast for the UK, and did a Google search for “weather forecast UK” over the past 24 hours. The very first result that comes up is one of these malicious links.
Or if someone wanted to find information about skiing in Alaska, the third result here would take you to one of the rogue antivirus sites.
The links take you to the website below which attempts to convince users to install Antivirus XP 2008. The 'scan' is fake and is just animated using JavaScript to make the user think their system is being scanned.
Searches for more obscure subjects or misspelling keywords often results in more of these malicious links as they have less legitimate websites to compete against.
Using Google’s Insights for Search tool we can see how often people have searched for "remove xp antivirus 2008" over the last several months. This gives an indication of how fast this rogue antivirus product is spreading.
(The number of searches have been normalized and scaled to between 0 and 100)
