Google Celeb Searches Lead to qooglesearch Malware
Whatever the latest hot topic is, chances are the blackhat SEO criminals are already poised to cash in. Over this past weekend, ScanSafe saw a surge in celebrity searches leading to malware encounters, mostly rogue scareware. The method of encounter varies by browser type. For example, Internet Explorer users encounter the malware directly after clicking a poisoned search results link, whereas Firefox users are first redirected to the bogus lookalike qooglesearch.com (note the Q in the domain name). The scareware domains vary slightly, but follow the same format: www#.duforing##.xorg.pl (where # signifies a number).
The malicious links in the search engine results pages (SERPs) look innocent enough at first glance:

Look more closely, however, and you'll note the nonsensical phrasing in the shadowdesigns.co.uk and poshpongs.com results that are sandwiched between mtv.com and last.fm. Equally telling is the ?sdoc=erica+badu appended to those links.
Searching inurl:.php/?sdoc=erica+badu on Google reveals about 400 sites are being used to promote malicious Erica Badu links. A more generic search for inurl:.php/?sdoc= results in even more poisoned listings for various celebs and diverse topics. The Yahoo search engine was also observed dishing up malicious search results over the past weekend for topics ranging from the CN Tower design to extraterrestrial invasions.
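The three URL patterns described above (the .php/?sdoc= lure links, the qooglesearch.com lookalike, and the www#.duforing##.xorg.pl scareware hosts) can be checked against proxy or DNS logs. The following is an added example, not ScanSafe's code; the sample URLs are constructed, the .example hosts are placeholders, and it assumes each # stands for one or more digits.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Host format from the article: www#.duforing##.xorg.pl, where # is a number.
# Assumption: each # may be one or more digits.
SCAREWARE_HOST = re.compile(r"^www\d+\.duforing\d+\.xorg\.pl$")
# The lookalike domain itself or any subdomain of it, not merely a substring.
LOOKALIKE_HOST = re.compile(r"(^|\.)qooglesearch\.com$")

def classify(url):
    """Return (label, lure_term) for a URL; label is None when nothing matches."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
    except ValueError:  # malformed URL in the log line
        return None, None
    host = (parts.hostname or "").lower().rstrip(".")
    if SCAREWARE_HOST.match(host):
        return "scareware-host", None
    if LOOKALIKE_HOST.search(host):
        return "lookalike-redirect", None
    # Poisoned SERP link: path ends in ".php/" and the query carries sdoc=.
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.lower().endswith(".php/") and "sdoc" in query:
        return "poisoned-serp-link", query["sdoc"][0]
    return None, None

def scan(urls):
    """Return [(url, label, lure_term)] for the URLs that match a pattern."""
    hits = []
    for url in urls:
        label, term = classify(url)
        if label:
            hits.append((url, label, term))
    return hits

# Constructed sample of requested URLs (hosts under .example are placeholders).
SAMPLE = [
    "http://www.mtv.com/music/",
    "http://compromised-site.example/gallery.php/?sdoc=erica+badu",
    "http://qooglesearch.com/search?q=erica+badu",
    "http://www3.duforing12.xorg.pl/scan/",
    "http://notqooglesearch.com.example/",
]

if __name__ == "__main__":
    for url, label, term in scan(SAMPLE):
        print(label, url, term or "")
```

The sdoc value returned with each poisoned-serp-link hit shows which search topic the lure was built for, which helps group hits by campaign theme.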

Mary Landesman