Written by: Oscar Celestino Angelo Abendan II

Background of the Attack

Last March, the twin bombing attack in Russia shocked the world when two female suicide bombers blew themselves up in Moscow subway stations. Cybercriminals used this unfortunate incident to spread a FAKEAV variant using blackhat search engine optimization (SEO) techniques.

Search engines like Google are the usual vectors for this type of threat. Worth noting is that even social networking sites with search options, such as Twitter, were found to return poisoned results due to blackhat SEO.

How does this threat get into users' systems?

Users who use Twitter's search function can come across a poisoned search result, which can eventually lead them to malicious sites that host TROJ_FAKEAV.SMDY.

How does this threat affect users?

Clicking any of the poisoned search results redirects users several times until they see a fake scanning page. This tells users that their systems are vulnerable to malware attacks and recommends that they scan their systems for infections. Agreeing to install the rogue antivirus downloads TROJ_FAKEAV.SMDY onto affected systems.
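The chain described above (search result, several redirects, fake scanning page, executable download) leaves a recognisable pattern in web proxy logs. The following detector is an added example, not code from the original article or from Trend Micro; the log format, host names and sample lines are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not from the original page); one request per line:
# time client referer requested_url status content_type
SAMPLE_LOG = """\
10:00:01 10.0.0.5 https://twitter.com/search?q=moscow+bombing http://news-blog.example/story.html 302 text/html
10:00:02 10.0.0.5 http://news-blog.example/story.html http://redir1.example/go 302 text/html
10:00:02 10.0.0.5 http://redir1.example/go http://redir2.example/land 302 text/html
10:00:03 10.0.0.5 http://redir2.example/land http://scan-now.example/scan.php 200 text/html
10:00:09 10.0.0.5 http://scan-now.example/scan.php http://scan-now.example/setup.exe 200 application/octet-stream
10:01:00 10.0.0.7 https://www.google.com/search?q=weather http://weather.example/today 200 text/html
"""

# Hypothetical lists; a real deployment would load these from configuration.
SEARCH_HOSTS = {"twitter.com", "www.google.com", "www.bing.com"}
EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}

def parse_line(line):
    ts, client, referer, url, status, ctype = line.split()
    return {"ts": ts, "client": client, "referer": referer,
            "url": url, "status": int(status), "ctype": ctype}

def is_search_referer(url):
    p = urlparse(url)
    return p.hostname in SEARCH_HOSTS and "search" in p.path

def is_redirect(rec):
    return 300 <= rec["status"] < 400

def is_exe_download(rec):
    return rec["ctype"] in EXE_TYPES or rec["url"].lower().endswith(".exe")

def find_redirect_chains(log_text, min_redirects=2):
    """Return (client, [urls]) for every session that begins at a search-engine
    result, passes through at least min_redirects 3xx hops and ends in an
    executable download: the blackhat SEO to FAKEAV pattern."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)
    hits = []
    for client, recs in by_client.items():
        chain, redirects = [], 0          # empty chain means no session in progress
        for rec in recs:
            if is_search_referer(rec["referer"]):
                chain, redirects = [rec["url"]], 0   # a click on a search result starts a session
            elif chain:
                chain.append(rec["url"])
            else:
                continue
            if is_redirect(rec):
                redirects += 1
            elif is_exe_download(rec):
                if redirects >= min_redirects:
                    hits.append((client, chain))
                chain, redirects = [], 0
    return hits
```

Running `find_redirect_chains(SAMPLE_LOG)` flags only client 10.0.0.5, whose search click went through three 302 hops and a landing page before fetching `setup.exe`; the plain Google-to-weather session on 10.0.0.7 is not reported.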

Upon execution, the Trojan displays a prompt informing users that their systems have been scanned. It then displays fake scanning results to persuade users to purchase the rogue antivirus application.

How does this threat make money for its perpetrators?

The fake scanning results may trick users into thinking that their systems have indeed been infected. Buying the rogue antivirus application translates to money for the cybercriminals behind the attack.

What is the driving force behind this threat?

The blackhat SEO-FAKEAV tandem takes advantage of significant news and events such as natural calamities and disasters, celebrity news, and the like to lure users into various scams. It usually targets users who turn to popular search engines like Google and the search feature of social networking sites like Twitter to read up on the latest happenings.