Ukrainian Attackers Use SEO, Fed Forms To Push Scareware To U.S. Users

Ukrainian hackers are using a unique combination of search engine optimization and U.S. federal government forms to promote fake antivirus software to U.S. users, a researcher said yesterday.

In his blog, independent consultant Dancho Danchev says the Ukrainian campaign is actively hijacking a variety of U.S Federal Forms keywords in an attempt to serve the Personal Antivirus (Trojan.Win32.FakeXPA) scareware.

The attackers have figured out a method to bypass Google's Safebrowser blacklist and deploy sophisticated page rank-boosting tools to elevate their malicious pages to the top of the Google search results for a given federal forms keyword, Danchev says.

When users click on these search results, they get a "scareware" message that says their computers are infected, and that they should load the the fake antivirus software to fix the problem. If they do, then they become infected by a Trojan that is capable of stealing control of their machines.

Danchev says steps are being taken to "disrupt" the attacks.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.