Monday, November 22, 2010

Hackers Targeting Black Friday, Cyber Monday

Attackers have set their sights on holiday shoppers searching for leaked Black Friday ads, creating malicious sites that appear on search engine result pages, according to a Nov. 18 alert by SonicWall. The security warning comes as shoppers prepare for the 2010 holiday shopping season. Security experts discovered "polluted" results appearing in search engine results for holiday shopping-related terms in advance of Black Friday sales next week. These links take users to a malicious site that tricks them into downloading malware. The terms include "Walmart Black Friday Sales 2010," "Black Friday" and "Cyber Monday". Cyber-criminals view popular search terms as a lucrative target because the terms reflect what people are interested in. With the advent of the holiday shopping season, consumers are searching online for the best deals and discounts, so it goes without saying that hackers are "going to try" to take advantage of the holiday traffic.

Criminals create pages that are highly search engine optimized with keywords reflecting currently popular search terms. They also seed keywords and links as comments to boost the malicious pages' search engine rankings. Even if the boost lasts only an hour or two, it drives traffic to those pages.

In this technique, called SEO poisoning, hackers create pages that Google and other search engines pick up, thinking they are legitimate, and return when users type in the search terms. Clicking on one of the malicious links redirects the user to another page with embedded JavaScript code that checks the user's Web browser. The next step varies by browser. Users with Internet Explorer are redirected to a fake antivirus landing page claiming the computer is infected by several Trojans. Firefox users are redirected to a fake update page suggesting the user's Flash player is out of date: "Firefox is outdated, also your current version of Flash Player can cause security and stability issues. Please install the free update as soon as possible."
The fake Flash update file downloads the fake antivirus onto the computer and modifies the user's registry so that the Trojan runs during system start-up. It also posts confidential data back to remote servers and redirects the browser to open more pop-up windows.

The infected machines send encrypted data back to a specific site, and the traffic "looks similar" to InfoStealer Trojan activity. Mac OS X users using Firefox and Internet Explorer will encounter the same malware, and it can be downloaded onto the Mac if they click on those links. However, it is not likely to execute on the Mac.

Varying the malware attack based on the browser the user is using is a common tactic. The attacker is "maximizing the number of potential victims" by "customizing" the behavior to browser-specific vulnerabilities.
The returned search results have titles like "Walmart Black Friday 2010" and the same phrase embedded in the URL string. Since many of the sites are already known to be malicious, Firefox and Google are able to flag the links accordingly. Hackers are also using Best Buy-related search terms, such as "Best Buy Black Friday 2010 deals," to push a fake antivirus program called "Internet Security Suite."
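
For defenders, the chain described above (search result click, lure phrase in the URL, one or more redirects, then an executable download) can be hunted for in web proxy logs. The following is an added example, not code from SonicWall or the original post; the record layout, host names, keyword list, hop limit and sample log lines are all constructed assumptions, and it assumes each hop's Referer is the previous page.

```python
import re
from urllib.parse import urlparse

# Assumed values for illustration; tune them to your own proxy and environment.
SEARCH_LABELS = {"google", "bing", "yahoo"}
LURE_TERMS = ("black friday", "cyber monday")
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream"}
MAX_HOPS = 4  # longest redirect chain still tied back to the search click

# Constructed sample proxy records: (client, url, referrer, content_type)
SAMPLE_LOG = [
    ("10.0.0.5", "http://deals.example/walmart-black-friday-2010", "http://www.google.com/search?q=walmart+black+friday", "text/html"),
    ("10.0.0.5", "http://scan.example/check.php", "http://deals.example/walmart-black-friday-2010", "text/html"),
    ("10.0.0.5", "http://scan.example/flash_update.exe", "http://scan.example/check.php", "application/x-msdownload"),
    ("10.0.0.9", "http://shop.example/black-friday-ads", "http://www.bing.com/search?q=black+friday", "text/html"),
    ("10.0.0.9", "http://shop.example/cart", "http://shop.example/black-friday-ads", "text/html"),
    ("10.0.0.7", "http://vendor.example/setup.exe", "http://vendor.example/downloads", "application/x-msdownload"),
]

def from_search(referrer):
    labels = set((urlparse(referrer).hostname or "").lower().split("."))
    return bool(labels & SEARCH_LABELS)

def is_lure(url):
    # Normalise separators so "black-friday", "black_friday", "black+friday" all match.
    return any(t in re.sub(r"[^a-z0-9]+", " ", url.lower()) for t in LURE_TERMS)

def is_executable(url, ctype):
    return ctype in EXEC_TYPES or urlparse(url).path.lower().endswith(".exe")

def find_poisoned_chains(records):
    """Return (client, landing_url, download_url, hops) for each flagged chain."""
    chains = {}  # (client, last URL in chain) -> (landing URL, hops so far)
    hits = []
    for client, url, referrer, ctype in records:
        if from_search(referrer) and is_lure(url):
            chains[(client, url)] = (url, 0)  # search click on a lure URL starts a chain
            continue
        prev = chains.get((client, referrer))
        if prev is None or prev[1] >= MAX_HOPS:
            continue  # not part of a tracked chain, or chain too long
        landing, hops = prev
        if is_executable(url, ctype):
            hits.append((client, landing, url, hops + 1))
        else:
            chains[(client, url)] = (landing, hops + 1)
    return hits

if __name__ == "__main__":
    for hit in find_poisoned_chains(SAMPLE_LOG):
        print(hit)
```

A legitimate shopping visit that started from a search (10.0.0.9) and a direct software download with no search origin (10.0.0.7) are both left alone; only the chain that ends in an executable is reported.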

As the days draw closer to Black Friday, we will certainly see an increase in activity involving these tactics. Spammers and hackers often take advantage of current events, popular trends and holidays such as Halloween to target users. Before shopping online, make sure that your operating system, browser and security software are up-to-date and enable secure browsing on the Web browser before going to unknown sites.
