Another day, another news item, and well… another SEO poisoning stint.
Using PDF files in SEO poisoning is recent, but not exactly fresh news. So we were thinking of just adding the malicious URLs to our Browsing Protection and creating detections for the corresponding files… Then, we saw something:
OK, it could have been a one-time thing, so we checked the other sites:
And in the usual geeky fashion in the lab… we got excited.
When decompressed, the SWF contains this:
Since a lot of websites use SWF, most users already have Flash support installed in their browsers, which also means the malware's behavior is supported out of the box.
The SWF is of course the key to getting to:
It seems that the bad guys want the malicious URLs to be hidden inside the SWF.
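The point of hiding the URLs inside a compressed SWF is that a plain string scan of the file on disk never sees them. The helper below is an added illustration for this post, not code from the lab or from the samples described: it inflates a compressed (`CWS`) SWF container and pulls URL-looking strings out of the decompressed body, the same step a triage script would perform before writing a detection. The SWF header layout (3-byte signature, version byte, little-endian uncompressed length, then a zlib stream for `CWS`) is from the published SWF format; the sample body and the `example.invalid` URL in it are constructed placeholders, not the URLs from the campaign.

```python
"""Triage helper: inflate a compressed SWF (CWS) and extract URL-looking strings.

Added example for illustration only. The SWF body below is constructed and the
URL in it is a placeholder on the reserved .invalid TLD, not a real indicator.
"""
import re
import struct
import zlib

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_~:/?#@!$&'()*+,;=%]+")

# Constructed stand-in for a real SWF body: a plausible header area (RECT,
# frame rate, frame count) followed by an embedded URL string. The URL is
# repeated so that deflate actually compresses the body instead of storing it.
PLACEHOLDER_URL = b"http://example.invalid/redirect.php"
FAKE_SWF_BODY = (
    b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00"
    + b"\x00\x00" + PLACEHOLDER_URL + b"\x00"
    + b"\x00\x00" + PLACEHOLDER_URL + b"\x00"
    + b"\x00\x00"
)


def build_fws(body: bytes, version: int = 10) -> bytes:
    """Wrap a raw SWF body in an uncompressed FWS container."""
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


def build_cws(body: bytes, version: int = 10) -> bytes:
    """Wrap a raw SWF body in a zlib-compressed CWS container.

    The FileLength field holds the *uncompressed* size (header + body)."""
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


def decompress_swf(data: bytes) -> bytes:
    """Return header + uncompressed body for FWS/CWS files; refuse anything else."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF")
    sig = data[:3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is out of scope for this helper")
    else:
        raise ValueError("not an SWF file")
    # Integrity check: a mismatch usually means truncation or a tampered header.
    if len(body) + 8 != declared_len:
        raise ValueError(f"declared length {declared_len} != actual {len(body) + 8}")
    return data[:8] + body


def extract_urls(swf: bytes) -> list:
    """URL-looking strings found in the inflated SWF, deduplicated and sorted."""
    found = {m.decode("ascii", "replace") for m in URL_RE.findall(decompress_swf(swf))}
    return sorted(found)


def url_visible_in_container(swf: bytes) -> bool:
    """Would a naive string scan of the file as stored on disk see a URL?

    For an FWS file yes; for a CWS file the URL sits inside the deflate stream."""
    return URL_RE.search(swf) is not None


if __name__ == "__main__":
    sample = build_cws(FAKE_SWF_BODY)
    print("naive scan sees URL:", url_visible_in_container(sample))
    print("after inflate:", extract_urls(sample))
```

Running the block shows the contrast directly: the string scan over the compressed container finds nothing, while the same scan over the inflated body returns the embedded URL, which is what a file-based detection has to be written against.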
Perhaps it makes them sleep better at night thinking that their sites won't be discovered very soon.
The malicious URLs are now blocked via our Browsing Protection and malicious files are detected.