Cybercriminals Catch the Olympic Fever Early On

There is no doubt that athletes all around the world are training hard to compete at the London Olympics in 2012, but cybercriminals seem to be gearing up for the event as well. Even with over 400 days still to go until the Olympics, we have already started seeing search terms related to this event returning a large number of poisoned links. As we have observed with search engine optimization (SEO) poisoning in the past, these poisoned links redirect to rogue antivirus sites.

The following are the top 10 poisoned search terms:

We have also found dozens of other poisoned search terms related to Olympics tickets, mascots, offers, and so on. Below is a screenshot of the search results for the term “london 2012 stadium diagram”; Norton Safe Web indicates that all of the first 10 links are malicious:

These URLs redirect to malicious content only when you click on the link from the search engine result page; a benign page is presented when you navigate to these links directly. The fake pages created by the scammers, which are what the search engine bots are given to index, contain Olympic-related text, images, and links to other fake pages. All of the images are hot-linked from reputable news sites. The presence of images on these pages suggests that these sites are being used to poison image searches as well.
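A site owner or analyst can check for this behaviour by comparing what one URL returns to a direct visitor, a visitor arriving from a search result, and a crawler. The sketch below is an added example, not Symantec's tooling. It assumes the three responses were already captured and that the redirect is an HTTP 3xx response. All names, hosts and page bodies in it are constructed.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

@dataclass
class View:  # one fetch of the same URL under one request profile
    status: int
    location: str  # Location header, "" when absent
    body: str

class ImgHosts(HTMLParser):  # collects hosts of absolute <img src> URLs
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "img" else None
        if src and urlparse(src).netloc:
            self.hosts.add(urlparse(src).netloc.lower())

def cloaking_findings(url, direct, from_search, as_bot, min_similarity=0.6):
    """Return cloaking signals seen across three views of one URL."""
    site, findings = urlparse(url).netloc.lower(), []
    # Signal 1: off-site redirect only when a search-engine Referer is sent.
    target = urlparse(from_search.location).netloc.lower()
    if (from_search.status in (301, 302, 303, 307, 308) and target
            and target != site and direct.status == 200):
        findings.append("referer-conditional redirect to " + target)
    # Signal 2: the crawler is served a different page than a direct visitor.
    ratio = SequenceMatcher(None, direct.body, as_bot.body).ratio()
    if ratio < min_similarity:
        findings.append("bot-only content (similarity %.2f)" % ratio)
    # Signal 3: the crawler page hot-links images from other hosts.
    parser = ImgHosts()
    parser.feed(as_bot.body)
    foreign = sorted(h for h in parser.hosts if h != site)
    if foreign:
        findings.append("hot-linked images from " + ", ".join(foreign))
    return findings

# Constructed sample views (reserved .example/.test names, not real observations).
URL = "http://compromised.example/london-2012-stadium-diagram"
DIRECT = View(200, "", "<html><body><p>Garden club notes</p></body></html>")
SEARCH = View(302, "http://scanner.test/scan", "")
BOT = View(200, "", '<html><body><h1>london 2012 stadium diagram</h1>'
           '<img src="http://news.example/stadium.jpg">'
           '<a href="/tickets">tickets</a></body></html>')

if __name__ == "__main__":
    print(cloaking_findings(URL, DIRECT, SEARCH, BOT))
```

Hot-linked images alone are common on legitimate pages, so treat the third signal as supporting evidence for the first two rather than as a verdict on its own.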

Below is a sample page presented to the search engine bot for indexing:

Once a user clicks on the search result link, he or she is redirected to a fake online scanner that asks the user to download rogue antivirus software:

In this case, the user is tricked into installing the rogue antivirus XP Total Security 2011, which pretends to scan the system and shows a huge list of threats to be "fixed":

During the course of the year leading up to the big event, we expect to see many more Olympics-related search terms being used by cybercriminals to push rogue antivirus software. We have already found over 300 compromised sites used in this campaign over the past week. We recommend that users stick to legitimate news sites, and keep a lookout for domain names that appear to be unrelated to the news being searched for. Symantec customers are already protected from this attack with IPS, AV, and Safe Web technologies.