Gaddafi and Search Poisoning: Think before clicking on search results

Scam artists and cyber-criminals welcomed the news of the demise of Libyan leader Muammar Muhammad Abu Minyar al-Gaddafi (often referred to as simply Gaddafi or Gadhafi). Why? Because few events fuel Internet search activity as much as the death of a famous–or infamous–person, although celebrity weddings and divorces are also a big search driver. It’s a fact of modern life that whenever a name pops into the news a lot of people Google that name, and scam artists use this to trick people into visiting flaky websites.

We call this scam “search poisoning” and I recorded a short video that shows you what search poisoning looks like. The example that I used involves Paul McCartney, who I am happy to say is still alive, but the same scam will probably be used to exploit people’s interest in the demise of Gaddafi.

<click here to go to ESET Blog where the video is displayed>

If you found this video helpful, please leave a comment and let me know. And hopefully the message of the video is clear: Exercise caution when searching, particularly when your search relates to a topic that is in the news.

Stephen Cobb
Security Expert for ESET

Gaddafi search poisoning

Here’s an example of search poisoning using the death of Gaddafi as a hook, noted by our colleague Raphael Labaca Castro, of ESET Latin America. The original blog is in Spanish.

Raphael reports an email that comes with the following title (in Portuguese, suggesting that Brazilian Internet users are being targeted):

FW: Nossa. Acabei de receber este video do ex-lider da Libia, Kadhafi, sendo capturado e morto em plena praca publica.

Portuguese isn’t one of my accomplishments, but Babel Fish gives us this literal translation:

FW: Ours. I finished to receive this video from the former-leader of Libya, Kadhafi, being captured and died in full square it publishes.

Well, you get the idea…

This deceptive URL appears to link to a well known Brazilian media site. However, clicking on it redirects the victim, without his knowledge, to a .kr (South Korea) web site, and the result is the download of, and infection by, a banking Trojan of the family that ESET products detect as Win32/Qhost.

The Trojan modifies C:\WINDOWS\system32\drivers\etc\hosts.txt so that when the user accesses a home banking service, he is redirected to a page that looks like a real banking site but is really a fake, set up to trick the victim into giving up his credentials. This type of phishing attack, implemented by modifying the hosts file, is sometimes referred to as local pharming.
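Because local pharming leaves its footprint in a plain text file, it is one of the easier infections to check for. The following script is an added example, not code from the ESET post or from any ESET product: it parses hosts-file text and flags any watched banking domain that has been pointed at an address other than loopback. The domain list (bank.example and friends) and the sample hosts content, including the 203.0.113.45 override, are constructed for illustration.

```python
"""Audit hosts-file text for local pharming overrides.

Added example, not from the original post. WATCHED_DOMAINS and
SAMPLE_HOSTS are constructed; a real check would read the live
hosts file and the organisation's own list of protected domains.
"""
import ipaddress

# Constructed: domains that should never be overridden in a hosts file.
WATCHED_DOMAINS = {"bank.example", "www.bank.example", "login.bank.example"}

# Constructed hosts file: two legitimate loopback lines, two overrides of
# the kind a hosts-file Trojan writes, and one unrelated local override.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bank.example   # constructed malicious override
203.0.113.45    login.bank.example
192.168.1.10    intranet.example   # local override, not a watched domain
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Comments (from '#' to end of line) and blank lines are skipped; a
    line may list several hostnames after the address.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything else or garbage."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) for watched domains mapped to non-loopback IPs."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in watched and not is_loopback(ip):
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for name, ip in find_pharming_entries(SAMPLE_HOSTS):
        print(f"SUSPICIOUS: {name} -> {ip}")
```

Run against the real file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere), any hit for a banking domain is a strong sign of the behaviour described above, since a clean hosts file has no reason to name a bank at all.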

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

