
Halloween Hack Haunts Web Searches

Legitimate Halloween costume sites infected with rogue antivirus program

Oct 23, 2008 | 03:35 AM

By Kelly Jackson Higgins
DarkReading

All it takes for a good scare this Halloween season is a search for "Halloween costumes": That query turns up legitimate Web pages that have been infected by attackers, according to researchers at Trend Micro.

Trickster attackers have inserted Web pages on the legit Halloween costume sites that come up in a search and used rogue JavaScript that invisibly redirects the user to a malicious page. It's a new twist on an old trick of manipulating search-engine optimization, according to the researchers.

"Usually in SEO Poisoning Attacks, malware authors compromise websites that are already top ranked in search engines, which may not be related to one another. Once compromised, they insert a specially crafted webpage on the compromised website so as upon using search engines or site searches, they can easily be visited or referred to," says Lennard Galang, a threat researcher with Trend Micro, in a blog entry.

But with this Halloween costume attack, the rogue Web pages inserted into the compromised legitimate Websites contain the keyword "Halloween costumes" so they will come up in a search. Once the user visits the page, he or she unknowingly gets redirected to the attacker's page, which displays a convincing-looking browser pop-up message offering a free scan for adware or spyware. The message says that your computer "is running slower than normal" and may be infected, so download the free Antivirus 2009 scanner to clean it up.

But clicking "okay" downloads the now-notorious rogue AV program/Trojan, which has been spreading rapidly via infected Websites. Trend Micro says this attack is similar to one last Christmas that targeted Christmas gift-shoppers.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
