Scareware sellers poison 'iPhone MMS' search results

Computerworld - Criminals have poisoned major search engines for terms related to the new MMS capability of Apple's iPhone and are using the results to steer users to fake Windows security software downloads, a researcher said today.

"Up to the top six results for search phrases about iPhone and SMS are poisoned," said Stephan Chenette, the manager of security research at Websense. "This obviously has to do with the iPhone's new MMS feature," he added, referring to the launch last Friday by AT&T of its Multimedia Message Service for the popular iPhone.

"The hosts involved were registered just three or four days ago," Chenette said.

Late Friday morning, Pacific time, AT&T fired up its MMS service, one of the most long-awaited features for the iPhone.

When users click on one of the poisoned search results, they're redirected to a malicious site promoting "scareware," the term used to describe phony security software that claims a PC is heavily infected. The software duns users with bogus pop-up warnings until they fork over up to $50 for the useless program.

It's all too easy for cyber criminals to poison search results with links to malware or other malicious content, said Chenette. "They have millions of bots at their fingertips," he said, "and with that control, they can sway the results of any search engine at any time."

This campaign, however, was clearly aimed to coincide with AT&T's launch of MMS for the iPhone. "People want to know how to use [MMS], how to send multiple pictures at the same time, things like that," said Chenette.

Attackers poison search results by creating massive numbers of useless Web sites on the bots they control, or by using previously-hijacked sites. Those sites are all packed with credible content, news and headlines that in many cases have been copied from legitimate sites. All such sites point to a single "landing page" URL, which in turn sends users to a number of different -- and often shifting -- servers hosting malware: in this case, Windows scareware.

When the search engines' spiders crawl the Internet, and index the fake and real sites that have the landing page URL, their algorithms are essentially tricked into pushing it to the top of any search result for the key phrases in the stolen content.

"The botnets give them much more power this way than if, say, they were just using them for spam," Chenette added.

The only defense is to be wary of what's clicked in a search result.

"This isn't going away, it's too successful of a tactic," said Chenette. "[Attackers] are taking the way that engines are populating their results and using it to their advantage. There's nothing search engines can really do about it unless they redesigned how they create results from the ground up."

As Chenette hinted, this is far from the first time that scareware makers have poisoned search results to shill their worthless software. In February, for example, they used Google's own Trends, a tool that highlights the most popular searches of the past hour, to dupe users into clicking on rogue security software downloads.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.