Millions duped in poisoned Google Image attack

Trend Micro finds a well-crafted poisoned SEO campaign has seen millions of users visit malicious pages.


A poisoned search engine optimisation (SEO) campaign has duped over 100 million web users into visiting malicious web pages, a security firm has warned.

The campaign, run by a well-known blackhat SEO operator, has used Google image search to redirect users to fake anti-virus downloads in a bid to compromise users' systems.

"In just one month, this campaign was able to redirect nearly 300 million hits from 113 million visitors to the malicious landing pages," Trend Micro explained in a blog post.

"In addition to generating pages full of bad links and keywords to boost search engine results ranking, the operator also embedded images taken from legitimate sites so its pages can get a high Google Image Search index."

To date, Trend Micro said it had identified 4,586 compromised servers connecting to the blackhat SEO command server.

Using these servers, the hackers have implanted two kinds of pages inside various websites, one being a standard fake anti-virus scanning page, the other a Traffic Direction System (TDS) page.

"TDS pages are used as landing pages to direct traffic to malicious content based on a variety of criteria such as OS, browser version, and geographic location," the security firm explained.

"This particular campaign uses the well-known SUTRA TDS to redirect users to [fake anti-virus] landing pages or to pages that host the Black Hole Exploit pack."

In the past 30 days, that TDS redirected 220,175,652 hits from 82,568,468 visitors.

This campaign targeted Mac users in particular by using landing pages designed to imitate the appearance of the Mac OS.

"This campaign again demonstrates how effective blackhat SEO techniques are in driving traffic to malicious websites," Trend Micro added.

"Despite low conversion rates in terms of exploitation and [fake anti-virus] downloads or purchases, this operation is still likely generating a considerable amount of money for its operators."
