Reports from several anti-malware vendors indicated that the FakeAV scareware team had used various websites, stuffed with keywords relating to the World Trade Center attacks, to lure users who had found them in Google search results to download fake anti-virus programmes that in fact are malware.
According to Sophos's Graham Cluley, when such a page was visited, the scripts on the fake anti-malware site checked the identity of the referrer. If the visitor came from a Google search page, the malicious webpage would present a fake anti-virus scan window to try to persuade the visitor that their PC had been infected by malware. It would then ask them to purchase the fake anti-virus product developed by the FakeAV team.
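The referrer check described above is exactly what a scanner that fetches a URL "directly" will miss. The following added example (not code from the article, Sophos or Trend Micro) fetches a page once with no Referer and once with a Google search page as the referrer and flags a page whose content changes; `mock_poisoned_site`, the marker strings and the URLs are constructed for the demonstration.

```python
from typing import Callable, Dict, List, Optional

# Referrers a victim would plausibly arrive from (constructed list).
SEARCH_REFERRERS: List[str] = [
    "https://www.google.com/search?q=world+trade+center+attacks",
]

# Phrases a scareware "scan window" tends to show (constructed for the demo).
SCAREWARE_MARKERS = ("your computer is infected", "threats found", "purchase")

# An HTTP fetch function: (url, headers) -> response body. Swapped for a mock below.
Fetcher = Callable[[str, Dict[str, str]], str]


def fetch_with_referrer(fetch: Fetcher, url: str, referrer: Optional[str]) -> str:
    """Fetch `url` through `fetch`, sending a Referer header only when one is given."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referrer:
        headers["Referer"] = referrer
    return fetch(url, headers)


def looks_like_fake_scan(body: str) -> bool:
    """Crude content check for the fake-scan page; tune the markers for real use."""
    text = body.lower()
    return any(marker in text for marker in SCAREWARE_MARKERS)


def detect_referrer_cloaking(fetch: Fetcher, url: str,
                             referrers: List[str] = SEARCH_REFERRERS) -> dict:
    """Compare a direct fetch with fetches that claim to come from a search engine.

    'cloaked' is True when any referrer yields different content from the direct
    fetch; 'fake_scan_for' lists the referrers that triggered scareware content."""
    baseline = fetch_with_referrer(fetch, url, None)
    verdict = {"cloaked": False, "fake_scan_for": []}
    for ref in referrers:
        body = fetch_with_referrer(fetch, url, ref)
        if body != baseline:
            verdict["cloaked"] = True
        if looks_like_fake_scan(body):
            verdict["fake_scan_for"].append(ref)
    return verdict


def mock_poisoned_site(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for a hacked site: benign page for direct visitors,
    fake-scan page for anyone arriving from a Google search, as the article describes."""
    if "google." in headers.get("Referer", ""):
        return "<h1>Warning! Your computer is infected. 37 threats found. Purchase now.</h1>"
    return "<h1>Memorial articles about the World Trade Center attacks</h1>"


if __name__ == "__main__":
    print(detect_referrer_cloaking(mock_poisoned_site, "http://example.invalid/911-news"))
```

Replace `mock_poisoned_site` with a real HTTP client to scan live URLs; a legitimate site returns the same content regardless of referrer and is reported as not cloaked.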
"Sometimes the hackers create brand new webpages (using newly registered domains), filling them with content that they hope will make them more popular in search engine results," Cluley said in a blog post.
However, many of the websites were legitimate ones that had been hacked and filled with 9/11-related keywords. Many URL-scanning services tend to trust well-established sites more than recently created ones, which is why online criminals find it useful to compromise existing websites.
In its own blog post, Trend Micro advised people to rely on well-known news sites for links to web pages dealing with current events, rather than relying on search results that may have been poisoned.
The problem with that advice is that online news services are known to have been compromised in the past. BusinessWeek was hit by an SQL injection attack a year ago, for example, and CNN has been the victim of cross-site scripting attacks. CNET Asia has also been the victim of SQL injection campaigns.
"TROJ_FAKEAV.BOH may arrive on the system as Scanner-7c545a_2031.exe from several malicious websites that can all be found in the poisoned Google search results," said Trend Micro threat response engineer Jessa De La Torre.