Monday, May 10, 2010

Attackers use humor to infect users

Attackers are always innovating to defeat Google's algorithms and push their hijacked sites into the top search results. Once this is accomplished, they can then attack users, often by redirecting them to a fake AV page. Recently, we saw a new type of hijacked page - one that contains a Flash widget which shows a "Do not press" button. Every time you click on it, it displays a humorous message.



Flash page "Do not press"

This is a classic joke. You have probably seen this type of page in the past. But it is now used on hijacked pages that redirect users from a Google search to a fake antivirus page! We have seen it on more than 50% of the hijacked sites in the last 3 days, where we would generally see simple HTML pages stuffed with keywords.

The other interesting fact is that this particular page is hosted on a subdomain of xorg.pl. This same domain was hosting most of the fake AV pages until about 2 weeks ago. However, in this particular attack, the redirection is done to a different domain (antiviruschecki4.com), where the fake AV page is delivered. xorg.pl is now used to redirect users to a fake AV page instead of being used to host the fake AV page, as it used to be. It is surprising that Google does not show a warning for links to xorg.pl when Google Safe Browsing says "Part of this site was listed for suspicious activity 1541 time(s) over the past 90 days." at the time of writing.

-- Julien
