Hackers poison 4th of July search results to sell scareware

aBe very alert using Google, Bing or Yahoo Search to look up recipes for your Fourth of July celebrations this weekend. Achal Khetarpa, research director at antivirus firm CyberDefender, just typed "4th July dessert recipes" as a Bing query and got to this innocuous, but highly invasive result:

Sample of a poisoned search result

CAPTION

CyberDefender

Clicking on this result instantly launched the fake scan, shown below. This is step one of a ruse spread by one of the most active scareware gangs out there selling worthless software called Security Master AV, says Khetarpa.

Sample of a fake scan turning up in poisoned search results

CAPTION

CyberDefender

If you see a suspicious virus alert or virus scan, the worst thing you can do is click on anything in it, even a "stop scan" or "cancel" button, says Microsoft spokesman Eric Foster. That's because clicking on anything the bad guys present to you usually advances the scam. Instead, if you're using a Windows XP, Windows Vista, or Windows 7 computer hit "ctrl-alt-delete" or type "task manager" into the search box to navigate to your Task Manager.

At this point, the fake scan/alert is running inside whatever web browser you happen to be using, says Randy Abrams, director of technical education at antivirus firm Eset. Once you get to your Task Manager, hit the "applications" tab; and find your browser; then force-quit the browser by clicking "end task."

"If the user is running Internet Explorer they need to end Internet Explorer, " says Abrams. "If they are running Firefox, then end Firefox, Safari, end Safari, if Chrome, then end Chrome."

The selling of scareware has morphed into a outrageously lucrative criminal enterprise. Panda Security estimates that scareware generates some $34 million a month in revenue for a cottage industry of elite gangs and enterprising specialists. Panda's estimate was affirmed by the bust of the Innovative Marketing gang; federal regulators documented that the gang banked $163 million in sales from 2006-2008.

So-called Black Hat SEO (search engine optimization) attacks that disperse poisoned search results have become a very popular way to spread scareware. Such attacks "are automated and take place every single day," says PandaLabs researcher Sean-Paul Correll. "It currently is the main delivery method" for scareware.

Google is the primary target, since it accounts for 65% of U.S. searches, but the techniques hackers are using to poison search results work well on any search engine, says Andrew Brandt, threat research analyst at antivirus firm Webroot. "This has been extremely pervasive since the middle of 2009," says Brandt. "The fact that, nowadays, virtually any search result can contain malicious links is a sign that those engaged in this practice have become expert search engine manipulators."

The bad guys typically use free analytics tools supplied by Google to keep abreast of Google's top trending topics, says Roel Schouwenberg, senior analyst at Kasperky Lab. Recent trending topics for which the bad