<<< NEWS FROM THE LAB - Tuesday, September 15, 2009 >>> ARCHIVES | SEARCH Swayze Spam Posted by WebSecurity @ 08:39 GMT Within hours of the reported death of movie star Patrick Swayze, our Web Analysts saw the first wave of spam related to the event.



When people search for news of the star's passing in Google, randomly checking the search results leads them to a "news report" such as this:







Which suddenly displays this:







Oh oh. Looks like SEO poisoning is being used to hit the user with a rogue AV's "invitation". The user then gets shown an image (not the user's actual folder, just an image) like this:







Any mouse action on the image ends with the installer being downloaded.



One interesting detail is the rogue AV website includes a "geoip.php" that seems to be recording the city and country origin of each incoming connection. Could be for statistics tracking; it also seems to redirect anyone going back to the website for a second look, so you can't return to the exact same page.



This probably won't be the only rogue AV website to take advantage of Swayze's death to trap users. F-Secure users are protected from this threat, as the download links are already identified and blocked by the Browsing Protection service.









WebSecurity post by — Chu Kian









