Attackers are using the excitement surrounding the World Cup to attack users. As we've shown earlier, they have posted links to fake live streams on social networks, or used BlackHat SEO spam to infect the top soccer-related searches.
Attackers are constantly changing the way the operate. Recently, I found a malicious page for the search term "world cup extra time rules", which does not have the common traits of a spam SEO attack for a fake AV page.
The Google result is actually a fake YouTube page (see screen shot below). The page is comprised of three parts:
- HTML and images display a fake YouTube video page
- Hidden HTML (a tag moved outside of the screen) stuffed with keywords for "world cup extra time rules" in order to rank well in searches
- Obfuscated Javascript which redirects the user to a different domain
The obfuscated Javascript loads a Flash file which attempts to download files to the user's computer and then redirect them to rapidejdr.fr, a hacked site hosted in France. This flash file is detected by 6 out of 41 antivirus vendors as malicious.
The hacked French site then redirects the browser to a fake AV page. I've seen redirections to four different fake AV domains, and only one of them was blocked by Google Safe Browsing - ryuk4.co.cc was blocked while savewarez54.co.cc, richav8.co.cc and richav2.co.cc were not. I also witnessed six different versions of the fake AV page. One seemed to be broken, it displayed the "loading..." animation, but did not ultimately deliver fake AV page. Instead, it directly attempted to download the malicious executable. Here is the screen shot of the five variations of the fake AV page:
-- Julien