McAfee FP news misused for more SEO poisoning

We're now seeing a fiercely concentrated Blackhat SEO campaigns exploiting the McAfee False Positive (FP) problem.

Juraj Malcho, our Head of Lab in Bratislava, reports that in a Google search like the one I've screendumped above, he got three malicious hits in the top ten (the same ones captured here: of course, the malicious domain names have been whited out) and 11 in the top 20. Subsequent searches using different search strings are finding even more hits, so right now, Google is well and truly poisoned.

Characteristically, hits at the moment come up with the titles  "Mcafee Dat 5958" or "Mcafee 5958", but this has changed since earlier on, and will no doubt change again.

The malicious URLs seem to take the form

[domain name]/[random 5 letter string].php?on=mcafee%20dat%205958


[domain name]/[random 5 letter string].php?on=mcafee%205958 

Of course, this is likely to change too. They redirect to a site which tries to download fake AV detected as one of the following:

  • Win32/Adware.VirusAlarmPro
  • a variant of Win32/Kryptik.DWC trojan
  • Win32/TrojanDownloader.FakeAlert.ALW trojan

Thanks to Juraj and to Cristian Borghello for their continuing research and information.

Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled):
ESET Threatblog notifications on Twitter:;
ESET White Papers Page:

Securing Our eCity community initiative:

Also blogging at:

Author David Harley, ESET

  • jcbatucan

    Is this the Black Hat SEO? I googled its definition and it says "Black Hat search engine optimization is customarily defined as techniques that are used to get higher search rankings in an unethical manner." So I guess, this is really what it is…


Follow us

Copyright © 2017 ESET, All Rights Reserved.