Earthquake News Attracts Search Engine Hackers

Within hours of the devastating earthquake and tsunami in Japan, cyber-criminals had poisoned search results based on the disaster with malicious links.

Users searching on “most recent earthquake in Japan” may encounter some malicious links to fake anti-virus software, Trend Micro researchers said on 11 March. Malware writers used black-hat search engine manipulation techniques to push these links to the top of the search results, according to a post on the company’s Malware Blog.

Malicious keywords

“We immediately monitored for any active attacks as soon as news broke out, and true enough we saw web pages inserted with key words related to the earthquake,” Norman Ingal, a threat response engineer at Trend Micro, wrote.

The Japan Meteorological Agency said the 8.9-magnitude earthquake, the strongest in the country’s history, hit the Pacific Ocean at around 2:46 p.m. local time on 11 March. The earthquake caused extensive damage in Sendai, the city on the country’s northeast coast that is nearest the epicentre, and triggered 20-foot-tall tsunamis and caused widespread fires all along the Japanese east coast. Other tsunamis triggered by the quake hit Hawaii and another is heading for the West Coast of the United States.

People are turning to the web for the latest information and images from the earthquake and tsunamis. Cyber-criminals are taking advantage of the intense interest to further their own agenda.

“One of the active sites that we saw used the keyword ‘most recent earthquake in Japan’ and led to FAKEAV variants we currently detect as Mal_FakeAV-25,” Ingal wrote.

According to a screenshot on the Malware Blog, the malicious links have the search term in the title and in the URL, but the description is keyword heavy with no actual content. A malicious link that was returned on the search had the following description, “most recent earthquake in japan topic – most recent earthquake in japan articles,” compared with legitimate news outlets that had more informative text.

One link’s description even read “a swarm of earthquakes hit Mt St Helens volcano on 14 February 2011”.

Rely on trusted media outlets

Trend Micro recommended that readers get the latest news from trusted media outlets instead of relying on straight searches “to prevent being victimised by this blackhat SEO”. If search results are necessary, carefully looking at the description may be helpful in weeding out some of the most egregious links.

A quick search by eWEEK on Google returned two suspicious links on the first page and several more on subsequent pages. Bing had more links that looked suspicious appearing on the first page. Trend Micro expects more SEO poisoning attempts down the line in order to stay on that all-important first page.

Black-hat SEO poisoning attempts to take advantage of current events and topics of interest are not unusual. Cyber-criminals did the same thing a day after a 6.0-magnitude earthquake hit Manila, Philippines, last March, pushing up links to fake antivirus software on search result pages for “earthquake manila philippines”. There were similar attempts shortly after the Haiti and Chile earthquakes, as well.

“One thing for sure though is that cybercriminals will most definitely ride on every earthquake or natural calamity news that will hit,” Carolyn Guevarra wrote on the Malware Blog.