Let's take this example:
- A user looks for "this is a test" on Google.
- The user goes from http://www.google.com/?q=this+is+a+test (Google search result) to a hacked site http://example.com/index.php?q=this+is+a+test (search result)
- He is then automatically redirected to http://evilcom/index.php (fake AV page).
How can you easily spot a potential fake AV page directly from the search results, or avoid being redirected to the malicious page? Unfortunately, you cannot count on your antivirus or browser blacklists. There are two tricks you can use.
Recognize a site has been hacked
Attackers create new virtual pages on hacked sites. They all look pretty much the same - for example:
Because the query string (sell=old%20navy%20shooting) is similar to the search term, it will be highlighted in the Google results. Check for links with a .php file extension, a query string with a single variable ('sell' in the example) and a value similar to the search term (old%20navy%20shooting or old+navy+shooting or old-navy-shooting, etc.).
This suspicious link is indeed a redirection to a fake AV page
Avoid the redirection to the fake AV page
The hacked pages check if the user is coming from Google, Bing or Yahoo by looking at the HTTP Referer header. If the page is accessed directly, the user is either redirected to a different site (typically http://www.cnn.com/) or the original page used to spam the search engine is displayed. In both cases, the user is not at risk.
Harmless Search Engine Optimization (SEO) page
So, if you spot a suspicious search result, copy the URL (right click on the link + Copy Link Location), and paste the URL in a new tab. Because your Referer header is empty in this case, you will not be redirected to the fake AV page in most cases.
These two tricks can be integrated in a security scanner to scan the search results: access the same URL with an empty referrer, and with a referrer that contains http://www.google.com/ to check if you are redirected to different domains. If this is the case, it is very likely to be a fake AV page (60% of the cases we found) or a shady/fake search engine (40% in our research).
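A sketch of such a scanner check, added here as an example and not taken from the original research: it applies the link heuristic from the first trick and the empty-versus-Google Referer comparison from the second. The function names, the hosts hacked.example, fakeav.example and benign.example, and the simulated_resolve stand-in are all constructed for illustration.

```python
import re
import urllib.request
from urllib.parse import parse_qsl, urlsplit

GOOGLE_REFERER = "http://www.google.com/"

def normalize(text):
    """Lower-case and turn every separator (+, -, decoded %20) into one space."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def looks_like_spam_link(url, search_term):
    """.php page, exactly one query variable, value matching the search term."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query)  # percent- and plus-decoding happens here
    if not parts.path.lower().endswith(".php") or len(params) != 1:
        return False
    # Simplification: "similar" is taken as equal after normalization.
    return normalize(params[0][1]) == normalize(search_term)

def final_host(url, referer=None, timeout=10):
    """Live fetch: follow HTTP redirects and return the host we land on."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return urlsplit(resp.geturl()).hostname

def referer_cloaking(url, resolve=final_host):
    """Fetch once with no Referer and once with a Google Referer, then compare."""
    direct = resolve(url, None)
    from_search = resolve(url, GOOGLE_REFERER)
    return {"direct": direct, "from_search": from_search,
            "suspicious": direct != from_search}

def simulated_resolve(url, referer=None):
    """Constructed stand-in for a hacked site so the example runs offline."""
    host = urlsplit(url).hostname
    if host == "hacked.example" and referer and "google." in referer:
        return "fakeav.example"
    return host

if __name__ == "__main__":
    url = "http://hacked.example/index.php?sell=old%20navy%20shooting"
    print(looks_like_spam_link(url, "old navy shooting"))
    print(referer_cloaking(url, simulated_resolve))
    print(referer_cloaking("http://benign.example/", simulated_resolve))
```

final_host only follows HTTP 3xx redirects, so a page that redirects through JavaScript or a meta refresh needs a browser-based fetch to be compared the same way.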