Avast_Threat_ Research: Scammers are optimizing SEO results to lure victims

[harlan4096]

Don’t be duped by top ranked results that seem too good to be true

Google, Bing, Yahoo, Yandex, and Baidu are some of the world’s top search engines and serve as the starting point for millions of internet users seeking information. Most people probably don’t browse past the first two or three pages of search results, which is why website owners aim to get their site to appear among the top results, to attract site visitors. Website owners do this using a process called search engine optimization (or SEO). Businesses rely on good reviews, Google Maps, and optimized content to ensure their websites are well tuned to be easily searched and shown in results.

Scammers have realized that they can also use SEO to find more victims and convince them into clicking on a link if their websites appear higher in search engine results. Using this, they are able to get well known search engines to list simple html web pages that contain redirectors leading to scam content. A typical scam page might be a simple page convincing people that they won a new iPhone and with the right search words, malicious links can be listed on the first and second pages of search results. 

How?

It all starts with a simple search. If you put enough keywords into the search box, the result may include simple websites that were created just to be easily indexed and listed by the search engines. For this query below, I searched for online films with subtitles in Romanian. Our data shows a lot of activity on Google and Yandex.

All of the scam websites look similar. The only difference is the targeted brands. The source code of the website clearly shows the effort to make simple webpages as SEO friendly as possible.

The simple design with only text and pictures is not meant for the users' eyes. The purpose of this website is hidden, as always, in the source code.

The first glance shows fixed code to create the appearance of positive Google product reviews in rich search results. The static information attached is more noticeable amongst other links in search results (show in second illustration).

The source code also shows an import of heavily obfuscated javascript which takes fingerprints of the user before redirecting them to the scam site. 

Obfuscation of the source code utilizes many cycles of functions, which essentially builds final source code word by word.
...

Continue Reading