Recently, we have talked about Blackhat SEO fueled Rogue Software Campaigns. Today, we have uncovered a similar campaign with over 1 Million links all targeting the Ford Motor Company.

These attacks work by misleading search engines to falsely promote malicious pages to the top of the search results. Once the user visits one of the malicious sites, they are prompted to download and install a malicious "codec", which then installs the MS AntiSpyware 2009 (softwarefortubeview.40030.exe) Rogue Security Software, which we detect as  Adware/MSAntiSpyware2009.

This case is especially interesting because it’s one of the few SEO attacks that we have seen targeting a single, specific brand.

I have made a video demonstrating how the Blackhat SEO attacks work and you can see it below:

Vimeo

Partial List of Hijacked Search Terms:

*Update*  The SEO attack is starting to switch from Ford to Nissan Motor Co.  

Diagram Of A 1998 Nissan Pathfinder Blower Motor
1989 Nissan Pickup Voltage Regulator
2006 Nissan Skyline Gtr Vs 2005 Mustang Gt Cobra Youtube
Where Is The Horn Relay On A 2002 Nissan Sentra
1992 Rear Bumper Nissan Pickup Truck
17 Gold Rims Wheels Nissan Honda Ford Toyota Hyundai
Ford Dealership Car Dealership Beside Iee Nissan Wilson N.c.
We Love rocky ford kansas!
Mustang Gt Or Nissan 350z
Dash Cover Nissan Pickup
1992 Rear Bumper Nissan Pickup Truck
Bumper For 1993 Nissan Pickup
Relay Box On 1991 Nissan Pickup Truck
1997 Nissan Maxima Trunk Emblem
1993 Nissan Truck Door Panels
2007 Nissan Versa Gauges Glow
Nissan Sentra 2004 Horn Location
1994 Nissan Extended Cab Truck Seat
Pic Of 1983 Nissan Truck
1989 Nissan Pickup Truck Engine Check Light Troubleshooting
Fuel Tank Capacity On 1992 Sentra On 1992 Nissan Sentra
How To Install A 1991 Nissan Pathfinder Windshield
Auto Wheel Bearing Replace 1997 Nissan Sentra
Nissan Micra 1.3 Metallic Green
Dimensions And 1998 Nissan Pathfinder
2005 Nissan Frontier Modesto
87 Nissan Pathfinder Nuetral Starter Safety Switch
1990 Nissan Pickup 2400 Motor Recalls
Used Nissan Frontier 2006
Frontier Titan 2006
Ford Ranger
Parkway Ford
Ford Uk
Ford Finance
Mustang Ford
Evergreen Ford
Kayser Ford
Ford Anchorage
Walker Ford
2009 Ford
Rochester Ford
6 Ford Speed Transmission
Ford Scamatic
Sheehy Ford
Ford Commercial
Parr Ford
Ford F8tz3504abrm
1993 Ford Taurus
1993 Ford Tauru
Titan Ford
Luther Ford Fargo
Ford Freestar Problems
Ford Crate Engine
Ford Aftermarket Distributor
Ford Ranger 2008
Ford Falcon Sale
1941 Ford Truck
F150 Ford 2001
Ford Window Guards
1960 Ford Sunliner
Ford Ironman Wisconsin
Ford Window Guards
1960 Ford Sunliner
1960 Ford Sunline
Ford Ironman Wisconsin
2008 Ford Mustang
New Orleans Ford
Inventor Henry Ford
Ford Van Seats
1950s Ford Thunderbirds
Don Vance Ford
F150 Ford 2001
Ford Taurus Repair
Ford Window Guards
1960 Ford Sunliner
Ford Ironman Wisconsin
2008 Ford Mustang
New Orleans Ford
Inventor Henry Ford
Ford Van Seats
1950s Ford Thunderbirds
Don Vance Ford
F150 Ford 2001
Grappone Ford
Ford Radio Removal
Ford Expedition Diesel
Ford Parts Catalog
1940 Ford Coupe
1966 Ford Mustangs
Ford Door Lock
Ford Escape Hybrid
1930 Ford Coupe
Ford Parts Look Up
1968 Ford Trucks
1995 Ford F150 Lightning
Joe Machens Ford
1956 Ford Panel
Ford Global Terms
2000 Ford Explorer Overheating
1999 Ford F150 Engine
Ford 6 Cyl
Ford Ranger 4×4
Door 2005 Ford F150
Ford Falcon Futura Sprint
Ford Ranger Engine
Ford Escort Harrier
Ford F150 Used 4×4
1969 Custom Ford Ranger
Ford Truck F150 Forum
Only Ford Expedition Pics
Diesel Ford Ranger
Ford F150 Throttle Body
2001 Ford Escort Reviews
1998 Ford F150 Bumper
1989 Ford Mustang Wallpaper
1939 Ford For Sale
Ford Ranger Directional Rims
2009 Ford Mustang Reviews
Rowe Ford Hyundai
Remanufactured Ford V8 Engines
Ford Ranger 4×4 Automatic

Rogue Information:

File: softwarefortubeview.40030.exe
MD5: 3C146F57FE65BF03CAB8289F31B57618
Detected as: Adware/MSAntiSpyware2009

Registrar and Host Information:

ICANN Registrar: REGTIME LTD.
Created: 2009-03-17
Expires: 2010-03-17
Updated: 2009-03-31
Registrar Status: ok
Name Server: NS1.GLOBEXTUBES.COM
Name Server: NS2.GLOBEXTUBES.COM
Whois Server: whois.regtime.net

Server Data

   
Server Type:  Apache/1.3.39 (Unix) PHP/5.2.5
IP Location United States – California – Los Angeles – Coreexpress
Domain Status: Registered And Active Website

If you have any questions about the attack, you could always reach me on Twitter (@lithium)

Special thanks to Greg Feezel for the heads up on this one!