As we have seen with many major events in the past, news of the British Royal Wedding is currently being used by cyber criminals to bolster their spam campaigns and push rogue antivirus software through black hat search engine optimization (SEO) techniques.
We have blogged previously about “snowshoe” spammers targeting the upcoming British Royal Wedding of Prince William and Kate Middleton. Spam email messages advertising a replica of Princess Diana’s engagement ring that were observed in February are still making the rounds on the Internet, and the eve of the royal wedding is now upon us. Furthermore, as we had anticipated, we have recently observed additional spam campaigns making use of this significant event to promote various products.
In one such recent spam campaign, email promoting a "limited edition Buckingham Mint Royal Wedding Commemorative Coin" at a discounted rate is being observed:
The IP address involved in this particular spam attack belongs to a domain owned by an email marketing company based in the UK. The link in the body of the email first briefly redirects to the domain lpmtrk.info—created on January 14, 2011—before redirecting to the final destination site. This domain was registered using a domain privacy service to obscure its identity so it could be used for spamming activities.
In another spam campaign, limited edition customizable mugs and t-shirts are being promoted at a discounted rate:
Sample “From” and “Subject” lines observed in these and related spam attacks are listed below:
Subject: Get a limited-edition royal wedding mug now
Subject: Get A Limited Edition Royal Wedding T-Shirt Now
Subject: Share in the most anticipated wedding of the century
Subject: A Beautiful Simulated Sapphire Ring
The domains that are linked to the above email addresses are spammer-owned domains created recently, most likely for spamming purposes. The two domains used in the email addresses above were registered on April 7, 2011, to the same registrant. The links in the above spam emails first redirect to the domain linked to the email address before redirecting to the actual spam website. Spammers have also included opt-out links (not included in the screenshots above), which are most likely bogus.
The IP addresses involved in the above spam messages are traced back to the United States. These IP addresses have been blacklisted due to their past involvement in spam campaigns. Rest assured, Symantec Brightmail filters are in place to block these and related spam email attacks.
Black hat SEO
With only one day left before the “big day,” searches related to the royal wedding are gaining momentum on the Web. Black hat SEO techniques are being used in “fake” pages to lure people looking for news related to the royal wedding.
At one point, a search for “william and kate movie imdb” returned 61 malicious links in the first 100 search results. Fifty-eight of the first 100 results for the search term “princess diana death photos” and 45 of the first 100 results for the search term “royal wedding guest list kanye” also led to malicious sites.
Screenshots of the search results for the term “royal wedding gown sketches” are shown below, in which Norton Safe Web indicates 6 of the 8 links are malicious:
Some of these poisoned pages receive very high search engine rankings, and appear in the first page of search results. The following screenshot shows a malicious URL appearing as the first link in the results (right below the news links) for the term “Royal wedding time.”
The Norton Safe Web site reports at safeweb.norton.com provide a detailed threat report for sites rated red or yellow:
Here are some other search terms currently returning poisoned links:
• william and kate movie cast
• prince charles age
• princess diana death facts
• prince harry last name
• william and kate movie on lifetime
• royal wedding guest list bush
• royal wedding guest list snubs
• prince charles siblings
• the royal wedding date and time
We have seen over 500 compromised sites being used in this campaign over the past few days. Attackers create multiple fake pages on each site and use unethical SEO techniques—such as keyword stuffing, cloaking, and link farming—to "game" the search engine algorithms to achieve high search engine rankings.
These poisoned links generally have the following pattern:
hxxp://<domain name>/<random 2 character string>-<search keyword>
Most of these poisoned links redirect (307 Temporary Redirect) to co.cc domains that host rogue antivirus software. We have come across 11 different co.cc domains being used in this campaign so far.
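For defenders reviewing web proxy logs, the URL pattern and redirect behavior described above can be combined into a simple triage check. The following is an added example, not Symantec's detection logic; the log format, the function names, and all hosts in the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Path shape from the post: /<random 2 character string>-<search keyword>.
# Assumptions: the random string is alphanumeric, and keyword words are
# joined by hyphens, plus signs, underscores or encoded spaces.
POISONED_PATH = re.compile(
    r"^/[A-Za-z0-9]{2}-([A-Za-z0-9]+(?:[-+_ ][A-Za-z0-9]+)*)/?$")

def refang(url):
    """Turn a defanged hxxp:// URL back into a parseable http:// URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def is_co_cc(host):
    host = (host or "").lower().rstrip(".")
    return host == "co.cc" or host.endswith(".co.cc")

def classify(line):
    """Return a finding for a log line whose URL fits the pattern, else None.

    Constructed log format (hypothetical, not a real product's):
    <timestamp> <client> <url> <status> <Location header or ->
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    _, client, url, status, location = parts
    m = POISONED_PATH.match(unquote(urlsplit(refang(url)).path))
    if not m:
        return None
    target = None if location == "-" else urlsplit(refang(location)).hostname
    # The path shape alone is weak evidence; the 307 to co.cc is the strong signal.
    strong = status == "307" and is_co_cc(target)
    return {"client": client,
            "keyword": re.sub(r"[-+_ ]+", " ", m.group(1)).lower(),
            "confidence": "high" if strong else "low"}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines; every host below is a placeholder.
SAMPLE_LOG = [
    "2011-04-28T10:01:02Z 10.0.0.5 hxxp://site-a.example/xk-royal-wedding-gown-sketches 307 hxxp://placeholder.co.cc/",
    "2011-04-28T10:02:10Z 10.0.0.7 http://news.example/royal-wedding-time 200 -",
    "2011-04-28T10:03:44Z 10.0.0.9 http://blog.example/qz-prince%20harry%20last%20name 302 http://other.example/",
    "2011-04-28T10:04:00Z 10.0.0.5 http://shop.example/us-en 200 -",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The last sample line shows why the path shape should not be used on its own: a benign locale path such as /us-en also fits it, so only the combination with a 307 redirect to a co.cc host is rated high.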
The screenshot below shows the usual fake scanning/rogue antivirus activity that claims a whole bunch of serious errors and threats need to be cleaned from your computer:
When searching for information on the Internet, make sure your legitimate antivirus software is updated and be wary of scam pages asking you to download “antivirus” software.
Symantec's multilayered protection technologies provide coverage for all of these attacks. The Norton Safe Web toolbar identifies and blocks poisoned search results.
Norton survey results
Our Norton team at Symantec recently conducted a Royal Wedding survey. The results of the survey were released on April 18, 2011, and they exhibit some interesting facts as listed below—as well as some that were quite shocking:
* 62% of Americans surveyed are likely to follow the British royal wedding.
* 87% of those surveyed responded that, as of March 25, they were already following the news about the upcoming wedding.
* Moreover, one-third of respondents will seek their royal wedding news online, making them more susceptible to online scams and other threats.
* One-quarter of respondents said they are interested in the royal wedding primarily because they love the notion of royalty with all its pomp and ceremony.
* Nearly 1 in 4 said their primary reason for following the wedding is because they want to see the lavish decorations, food, and clothing.
Royal Wedding 2.0 – The first “e-royal wedding”
* Nearly 40% of all respondents will seek their royal wedding information online.
* 67% of 18-34 year olds will seek their royal wedding information online.
* 87% of 18-24 year olds will seek their royal wedding information online.
* More than a quarter of respondents will be watching the wedding on a computer, laptop, or mobile device, either live or recorded.
* 53% of respondents will potentially share their thoughts about the royal wedding online (e.g., social networks, micro-blogs, and blogs).
People are unaware and unprotected from cybercriminal “wedding crashers”
* 18-34 year olds are more than twice as likely to not have security software (or not know if they do) on their laptop or computer than those 45 or older.
* 87% of 18-24 year olds seek their royal wedding information through online channels, and—shockingly—that same percentage of 18-24 year olds don’t know what search engine optimization (SEO) poisoning is, or how it affects them.
Note: This blog has been researched and written by Symantec's Suyog Sainkar, Nithya Raman, and Helen Malani.