Capitalizing on the G-20 protests

Posted by Louis Brandy on 29 September 2009

Certainly there were many winners and losers in the G-20 protest last week. Here’s a story about one group who “won”.

The G-20 protests were obviously a big story locally. You might have heard about the various protests in Oakland, or Lawrenceville, but here’s something you probably didn’t hear about. About a day or two before the G-20, spammers had google-bombed all sorts of G-20 related search terms. In particular, “G-20 road closures” was completely useless. You had to go deep into the second page of google searches to get something that WASN’T a free virus scan.

If you use your computer as much as I do, there is no doubt that you’ve run into a brilliant little bit of malware that’s currently all over the internets.


It looks just like a windows XP machine running explorer with some purported virus scanning going in the background. You can even drag the little pop-up window around and it behaves quite “natively” (until you reach the edge of the browser, of course). The first time I saw this bit of nastiness (even though I was running on my Mac) I was impressed. I am certain, however,  my less computer savvy family members would absolutely flip out if they ran into this. There’s no doubt that countless people have installed whatever nasty payload awaits at the end of this charade.

After a fair bit of research, I realized how much deeper and more spectacular this bit of blackhat hackery actually is. First of all, it would seem to be coming from a “crime syndicate” in Eastern Europe. That’s good to know. More importantly, they appear to be google bombing major news stories using “hot” topics from various news agencies (CNN, BBC, etc.).

The Rogueware campaign we blogged about last week turned into a full blown BHSEO attack targeting relevant news topics such as, the California wildfires, Ted Kennedy’s death, DJ AM’s death, Mega Millions Lottery, Hurricane Danny, UFC 102, CNN and BBC breaking news among thousands of search terms and 123,000 links.

Another report here. Also, they’ve apparently gone after Dan Brown too. Not Dan Brown!

All in all, this is a really scary bit of malware. It’s basically a perfect storm. The fidelty of the landing page is incredible and certain to dupe people. More importantly, and more frighteningly, is the ease with which they are able to literally dominate the google results for major news stories. The night before the protests in Pittsburgh began, like I said, the topic of “G-20 road closures” was two pages deep with links to the fake virus scan. I am absolutely certain that the Pittsburgh representation has increased in size for a certain Eastern European botnet.

← Mistakes we made when naming our computers This MUST already exist →

© louis brandy — theme: midnight by mattgraham — with help from jekyll bootstrap and github pages