Drinking from the Well of Poisoned Searches

You need to do a little research, so what do you do? Like millions of others, you Google it.


However, that simple search could be putting your computer at risk. According to Patrik Runald at Help Net Security:


Search engine optimization (SEO) poisoning is an increasingly popular method of attack for cybercriminals and one that shows they are using more sophisticated techniques. In the last year, attackers have poisoned search results on everything from celebrity news to Google Wave invitations.


SEO poisoning is also known as a Blackhat SEO attack. It occurs when a hacker manipulates a malicious Web site so that it lands at the top of search results. Said Runald:


SEO poisoning can be used to drive traffic to an intentionally created malicious site, or it can take advantage of existing and popular Web properties by using cross-site scripting (XSS) on a legitimate site. One common SEO poisoning method used today is to take already existing Web pages where a file has been uploaded to redirect the user to a malicious site. As the site is known and has often been around for years, it appears legitimate when it comes up at the top of the search results. The cybercriminals exploit the input and display vulnerability on these sites. This malicious site could be anything from advertising cut-price Viagra or offering to 'scan' your computer for malware, for example.


At the Zscaler blog, Julien Sobrier ran his own tests to show the extent of the problem of SEO poisoning within Google searches. He retrieved the most popular searches from Google Trends to see how many malicious sites show up as top results. His findings were a little scary -- not just in how many malicious sites he found but that in some cases his antivirus software viewed the sites as safe. Sobrier goes on to say:


Why does Google not do a better job in cleaning up the results? Malicious hackers are doing their best to hide the malicious pages from security scanners. First, you have to hit the malicious page by coming from Google (referer header). Then, you need to have a vulnerable browser (Internet Explorer 6 is a good bet). Then the tool has to run all of the JavaScript, Flash and PDF elements to follow the redirections.


Is this a problem with other search engines? Sobrier plans to investigate. I know I'll be watching for his results.
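
The conditions Sobrier lists (arriving from Google, presenting a vulnerable browser) mean a scanner that fetches a page once with its own headers sees only the harmless version. The sketch below is an added example, not code from Zscaler or Help Net Security: it requests the same URL under each Referer/User-Agent combination and reports which combinations get a different response. The `fetch` callable, the header values and `fake_site` are assumptions made for illustration.

```python
import hashlib
from itertools import product

# Constructed header values (assumptions, not taken from the article).
GOOGLE_REFERER = "https://www.google.com/search?q=example"
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SCANNER_UA = "ExampleScanner/1.0"  # hypothetical crawler identity

def fingerprint(response):
    """Reduce (status, headers, body) to the parts that reveal a different destination."""
    status, headers, body = response
    return (status, headers.get("Location", ""), hashlib.sha256(body).hexdigest())

def detect_cloaking(fetch, url):
    """Return the (referer, browser) profiles whose response differs from
    the plain scanner baseline. `fetch(url, headers)` must NOT follow
    redirects, so that a 302 is visible as a 302."""
    referers = [("direct", None), ("from-google", GOOGLE_REFERER)]
    agents = [("scanner", SCANNER_UA), ("ie6", IE6_UA)]
    seen = {}
    for (rname, ref), (aname, ua) in product(referers, agents):
        headers = {"User-Agent": ua}
        if ref:
            headers["Referer"] = ref
        seen[(rname, aname)] = fingerprint(fetch(url, headers))
    baseline = seen[("direct", "scanner")]
    # Caveat: pages with per-request content (ads, timestamps) change their
    # body hash on every fetch; compare status and Location first in practice.
    return sorted(profile for profile, fp in seen.items() if fp != baseline)

def fake_site(url, headers):
    """Constructed stand-in for an HTTP client: '/poisoned' redirects only
    visitors who arrive from Google with an IE6 User-Agent."""
    from_google = "google." in headers.get("Referer", "")
    is_ie6 = "MSIE 6.0" in headers.get("User-Agent", "")
    if url.endswith("/poisoned") and from_google and is_ie6:
        return 302, {"Location": "http://redirect.example/"}, b""
    return 200, {}, b"<html>harmless article</html>"

if __name__ == "__main__":
    for path in ("/clean", "/poisoned"):
        url = "http://site.example" + path
        print(url, detect_cloaking(fake_site, url))
```

This covers only the header-based conditions in the quote; redirections performed by JavaScript, Flash or PDF content require a scanner that actually renders those elements.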