The movie Avatar is making a big splash in the global film market, drawing large audiences with its unique viewing experience. It has also attracted some unwanted attention. As people search for information about Avatar on the Internet, cyber criminals are using the opportunity to spread malware. The following figure demonstrates a successful attempt to position malicious content as high as fourth in search results using a common search phrase for the movie.

Google search results with the keywords “avatar movie”:

Cyber criminals compromise vulnerable Web sites and insert the SEO page. When a request is made for that page, the Referer field of the request header is checked. If the request comes from a search engine like Google.com, ask.com, or bing.com, visitors are redirected to rogue anti-virus sites. Websense Security Labs has published numerous alerts on this type of incident before, such as Ice Skating Car Video Black Hat SEO and Brittany Murphy’s Death SEO Poisoning. If the request does not come from a search engine, the site returns the raw SEO page, which targets search engine crawlers such as Googlebot. Below is an example of this type of SEO page.

The start of the SEO page:

The end of the SEO page:

These SEO pages don’t contain malicious code, but have malicious intent. The page content is meaningless to Internet surfers, simply containing hot keywords, a random article, and an area for submitting comments, like most Web 2.0 sites. The page, however, is not meaningless to search engines. Some very interesting technical content in the page’s HTML source code can lead search engines to conclude that it belongs to a popular Web site and should be ranked high in search results.

If we analyze the architecture of the SEO page, we find the title consists of the keyword that cyber criminals want the search engine to find. In the CSS definition that follows, page properties like font type and color are designed to look as complex as possible. This complexity makes the Web site look important to a search engine.

The CSS definition of the SEO page:

The next part of the page is a list of the hot search keywords that cyber criminals want to poison. Each keyword has a link to another SEO page in the same domain, which makes the keyword rank higher. When keywords are linked together in this way, the search engine concludes that the page refers to many other pages and is itself referenced by many other pages.

The hot search keywords in the SEO page:

The third part is a random article that contains the specified search keywords. In addition to the keywords, the layout elements give the page a complex structure, as indicated in the CSS definition above.

The random article in the SEO page:

The fourth part is a fake dialog window for the user to post a comment. This dialog’s only purpose is to trick search engines.

The post comment area in the SEO page:

SEO campaigns tend to target hot Internet topics like Avatar and others, including actors Susan Sarandon, Tim Robbins, and David Hasselhoff, and singer Lady Gaga. I advise users to examine search engine matches before clicking a URL. If the URL is not a well-known Web site, perform some simple checks before clicking, such as consulting Alexa rankings or checking whether the domain name is suspicious.
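
Site owners and analysts can detect the referrer check described earlier from the outside by requesting the same URL as a direct visitor, as a visitor arriving from a search engine, and as a crawler, then comparing the responses. The following is an added example, not code from the original post; the `fetch` callback, the `.example` host names and the two stub sites are constructed so the check runs offline.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
PROFILES = {  # request profiles compared against each other
    "direct": {"User-Agent": BROWSER_UA},
    "search": {"User-Agent": BROWSER_UA,
               "Referer": "https://www.google.com/search?q=avatar+movie"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                              "+http://www.google.com/bot.html)"},
}
REDIRECTS = (301, 302, 303, 307, 308)

def check_cloaking(url, fetch):
    """fetch(url, headers) -> (status, location_or_None, body); must not follow redirects."""
    origin = urlparse(url).hostname
    seen = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    d_status, d_location, d_body = seen["direct"]
    findings = []
    for name in ("search", "crawler"):
        status, location, body = seen[name]
        target = urlparse(location).hostname if location else None
        # A redirect to another host that a direct visitor does not get
        if status in REDIRECTS and target and target != origin and location != d_location:
            findings.append(f"{name}: off-site redirect to {target}")
        # Same status, but a substantially different page for this profile
        elif status == d_status == 200 and SequenceMatcher(None, body, d_body).ratio() < 0.5:
            findings.append(f"{name}: content differs from direct visit")
    return findings

# Constructed stand-ins for real HTTP fetches, so the example runs offline.
def fake_compromised_site(url, headers):
    ref_host = urlparse(headers.get("Referer", "")).hostname or ""
    if ref_host.endswith(("google.com", "ask.com", "bing.com")):
        return 302, "http://rogue-av.example/scan", ""
    return 200, None, "<html><title>avatar movie</title>keyword list, article</html>"

def fake_clean_site(url, headers):
    return 200, None, "<html><title>Film reviews</title>same page for everyone</html>"

if __name__ == "__main__":
    for site in (fake_compromised_site, fake_clean_site):
        print(site.__name__, check_cloaking("http://blog.example/avatar-movie.html", site))
```

Against a live site, `fetch` would wrap an HTTP client with automatic redirect following disabled, so the `Location` header of the first response is what gets compared.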