'Twilight: Eclipse' Malware Leverages 'Poisoned' Search Results
Fans of the 'Twilight' vampire saga could be in for a nasty surprise while searching the Web for movie information.
This weekend's debut of "The Twilight Saga: Eclipse," the latest in the popular "Twilight" series of vampire movies, could be putting fans at risk if they're looking online for show times and other information, thanks to a new round of malware that's exploiting interest in the film.
The latest threat stems from "scareware," fake antivirus software distributed by criminals who trick users into believing their PC is infected by malware and encourage them to pay for what appears to be a legitimate security product. Once downloaded, scareware can be used to take over a user's PC, steal his or her data or spread additional malware.
Antivirus firm PC Tools warned earlier this month that a new scareware variant is exploiting search terms relating to "Eclipse"'s ticket release dates and soundtrack. The security company described the activity as "SEO Poisoning," tricking search engines like Google into pushing malicious sites prominently in search results.
"Once users click on the malicious search result, they are redirected to a rogue antivirus site where a fake alert will pop up. This incorrectly informs the victim that their computer has been infected with malware and in what appears to look like a genuine Windows security alert, offers next steps for the user," PC Tools researcher Rommel Garcia said in a blog post. "When the user decides to proceed by accepting the 'protection' ... the download, installation and execution of the rogue antivirus comes next."
McAfee Labs recently estimated that cyber crooks raked in more than $300 million last year by swindling nervous Internet surfers into paying for scareware at about $49.99 a pop. The criminals promoted their bogus antivirus software using a combination of misleading pop-up and banner ads, along with malware-laden downloads and e-mail attachments.
"This is really an extension of the fake e-mail scams related to Michael Jackson dying, Mother's Day and other high-profile events," Byron Acohido, who writes The Last Watchdog blog on security issues, told InternetNews.com. "Now that most of us are skeptical about e-mail from unknown sources, the new wrinkle the bad guys are using is poisoning search results. They've become very clever about corrupting Google's crawler and other Web pages."
Acohido said that, in some cases, clicking one of the phony results will take users to a site designed to look like it's legitimately related to the "Twilight" movie. "Then you're redirected off to the side, and if you click to download the software, they say you need to view a video or something like that. What you're really getting is a malicious program."
Symantec's Norton division reported Wednesday, the day of the "Eclipse" movie premiere, that it had seen a spike in "poisoned search results" related to the "Eclipse" release over the previous 24 hours. Among the top search terms Norton said were likely to be poisoned were "Twilight New Moon Eclipse Wikipedia," "Twilight Eclipse Wiki" and "How Long Is Eclipse The Movie going to be."
Norton said some common search results, like "Twilight New Moon Eclipse Wikipedia," are returning malicious links more often than legitimate search results. In addition to installing a virus, Norton said these malicious sites can also install keylogging programs that allow criminals to monitor everything you type -- paving the way for account hijacking and identity theft.
A number of security firms, including PC Tools, which is also owned by Symantec, offer programs designed to scan for and block these malicious sites. The company said its Spyware Doctor with Antivirus combined with PC Tools Browser Defender can be an effective deterrent.
But Acohido said security software always has to play catch-up to the latest threats.
"It's a vicious circle because the bad guys are always coming out with new stuff the security firms have to respond to," he said.