Search engine poisoning: How malicious sites fool your filters

SAN FRANCISCO — Studies of how traffic is delivered to malicious websites show that a large percentage is coming from popular search engines.

“Searching and clicking can be dangerous,” said Chris Larsen, malware research team leader at Blue Coat Systems.

Not a very profound discovery, but a puzzling one. Larsen found similar results when he talked about search engine poisoning at the RSA Conference two years ago. Since then major search engines such as Google and Bing have made efforts to filter malicious sites from query results. Why hasn’t there been an improvement?

“The bad guys are succeeding in adapting their attacks,” Larsen said. They have come up with a successful business and technical model that helps them fool search engines and keeps trusting visitors coming to their sites.

Larsen is presenting his most recent findings on search engine poisoning at this week’s RSA Conference.

Search engine poisoning is the dark side of search engine optimization, the practice of crafting websites so that they will rank high in the results returned to a search query. Optimization techniques can range from the benign (creating pages with relevant content) to the irritating (including tags solely to attract attention).

But it becomes malicious when it is used to draw traffic to a site that delivers malware to the visitor’s computer.

Blue Coat studied the vectors for delivering traffic to malicious sites, tracing the victim’s route back to a source site.

“It’s an easy thing to research because there was so much of it,” Larsen said of search engine poisoning. “The bad guys are trying to attract attention from the search engine.”

A mid-year report from 2011 showed that search engine poisoning accounted for 39 percent of malware infections, followed by Webmail, porn sites and social networks, each in the single digits. Six months later this pattern remained largely the same with search engines ranking at nearly 41 percent, although Webmail jumped to nearly 15 percent.

What makes search engine poisoning so effective?

One reason is that a malicious site can control what the search engine sees when it indexes the site, a technique known as cloaking. A request that looks like a crawler (by its User-Agent string or the source IP range it comes from) is served only benign, keyword-rich content. A visitor who arrives later by clicking the search result gets a different response: a redirect to an exploit page, or the malware itself.

“It’s not malicious when they inject it” into the search engine, Larsen said. “It’s only malicious when you visit it.”
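The cloaking decision described above, and the simplest check for it, as an added example that is not part of the original article or of Blue Coat's research: a tiny request handler that hands benign text to anything calling itself a crawler and a redirect to a browser arriving from a search results page, plus a detector that fetches the same page under both identities and compares. The crawler names, referer patterns, sample page bodies and the `exploit.example` redirect target are all constructed for the example.

```python
"""Cloaking as used in search engine poisoning, and a check for it.

Constructed illustration: cloaked_handler() behaves the way the article
describes (benign text for the indexer, a malicious redirect for a human who
clicked a poisoned result); detect_cloaking() requests the same URL twice
with different headers and diffs the answers. Every name, header value and
page body here is an assumption made for the example.
"""
import re
from typing import Callable, Dict, Tuple

CRAWLER_UA = re.compile(r"googlebot|bingbot|slurp", re.IGNORECASE)
SEARCH_REFERER = re.compile(r"^https?://(www\.)?(google|bing|yahoo)\.", re.IGNORECASE)

# What the indexer is allowed to see: harmless, keyword-rich page (constructed).
BENIGN_BODY = ("<html><title>Halloween costumes</title>"
               "<p>Cheap Halloween costumes and ideas.</p></html>")
# What a searcher gets instead: meta-refresh to a hypothetical exploit landing page.
MALICIOUS_BODY = ('<html><meta http-equiv="refresh" '
                  'content="0;url=http://exploit.example/land"></html>')


def cloaked_handler(headers: Dict[str, str]) -> Tuple[int, str]:
    """Attacker-side logic: pick the response body from the request headers."""
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    if CRAWLER_UA.search(ua):
        return 200, BENIGN_BODY        # the indexer only ever sees clean content
    if SEARCH_REFERER.match(referer):
        return 200, MALICIOUS_BODY     # a searcher who clicked the poisoned result
    return 200, BENIGN_BODY            # direct visits (and most analysts) see nothing odd


Fetch = Callable[[Dict[str, str]], Tuple[int, str]]


def detect_cloaking(fetch: Fetch) -> Dict[str, object]:
    """Defender-side check: fetch as a crawler, then as a searcher, and compare."""
    as_crawler = fetch({"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"})
    as_searcher = fetch({
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0",
        "Referer": "http://www.google.com/search?q=halloween+costumes",
    })
    # Common redirect tricks that should only show up in the searcher's copy.
    redirect = re.search(r'http-equiv="refresh"|window\.location',
                         as_searcher[1], re.IGNORECASE)
    return {
        "cloaked": as_crawler[1] != as_searcher[1],
        "searcher_redirects": bool(redirect),
        "crawler_status": as_crawler[0],
        "searcher_status": as_searcher[0],
    }


if __name__ == "__main__":
    # Run the detector against the constructed cloaking handler.
    print(detect_cloaking(cloaked_handler))
```

Two caveats for anyone turning this into a real probe: poisoners also key on the crawler's source IP ranges, which a User-Agent swap cannot imitate, and a body difference alone is weak evidence, since legitimate sites personalise by referer too. The redirect-only-for-searchers signal is the stronger of the two.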

A technique used to get a high rating in a search is to create a site with little legitimate competition. Holiday themes are popular for this. The bad guys can set up a site for Halloween costumes, for example, early in the year and establish a good ranking with search engines as they crawl the Web. In October, when users begin searching for that topic, the malicious site can appear at the top of the results as it serves malicious code.

Current events are not as big a draw for search engine poisoning as one might expect, Larsen said. “Logically, if a bad guy is reduced to waiting for an event, it’s not that efficient an attack,” he said. So although someone with an established network of malicious sites will take advantage of high-profile news such as the death of Osama bin Laden, poisoners prefer subjects such as pornography that drive strong day-to-day traffic, and known, scheduled events such as the Summer Olympics that can be prepared for well in advance.

Google has implemented a preview feature on its search results that lets the user see a thumbnail of the referenced page. “That raises the bar for search engine poisoners,” Larsen said.

Query results also include a two-line preview of text surrounding the search term so the user can evaluate the page’s relevance. That snippet can also expose a term that appears on the page solely to attract the search engine, a practice Larsen would like to see expanded. “I want Google and Bing to give us three lines of text,” he said.

Because the bad guys have proven themselves good at evading search engine filtering, it is up to the end user to do some domain name analysis before clicking on a link to avoid malicious sites, Larsen said. Less frequently used top-level domains such as .biz or .info might not be as trustworthy as .com, he said.

“Beware of two-letter country code” domains. Don’t click on a Russian .ru or a Chinese .cn link if that is not appropriate to the subject you are searching, and be sure that the domain name also matches the subject.

“It’s up to the user to do a little due diligence,” Larsen said.
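The domain checks Larsen recommends, written out as a scoring function, as an added example that is not part of the article or of any Blue Coat tool: it flags two-letter country-code TLDs that do not fit the query, the less common generic TLDs named above, hostnames that share no term with the search, and keyword-stuffed names. The TLD sets, weights and sample URLs are assumptions made for the example, and a production version would resolve the registrable domain with the Public Suffix List rather than by taking the last label.

```python
"""Pre-click domain name analysis of a search result, per the advice above.

Constructed illustration. The trusted/less-trusted TLD sets, the risk
weights and the example URLs are assumptions for this example; they are not
Blue Coat data and not a complete reputation check.
"""
import re
from typing import Dict, FrozenSet, List
from urllib.parse import urlsplit

COMMON_TLDS = {"com", "org", "net", "edu", "gov", "mil"}
LESS_TRUSTED_GTLDS = {"biz", "info"}   # the article names these as less trustworthy than .com
STOPWORDS = {"the", "a", "an", "of", "for", "and", "in", "to", "www"}


def query_terms(query: str) -> List[str]:
    """Lower-cased alphanumeric search terms, minus filler words."""
    return [t for t in re.findall(r"[a-z0-9]+", query.lower()) if t not in STOPWORDS]


def assess_result(url: str, query: str,
                  appropriate_cc: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Score a result URL against the query; a higher risk means look before you click.

    appropriate_cc: country codes the subject genuinely calls for (e.g. {"ru"}
    when searching for Moscow hotels), which are then not penalised.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    tld = labels[-1] if labels else ""
    reasons: List[str] = []
    risk = 0

    if len(tld) == 2:
        if tld not in appropriate_cc:
            # a .ru or .cn result for a subject that has nothing to do with that country
            risk += 2
            reasons.append(f"country-code TLD .{tld} unrelated to the search")
    elif tld in LESS_TRUSTED_GTLDS:
        risk += 1
        reasons.append(f"less common TLD .{tld}")
    elif tld and tld not in COMMON_TLDS:
        risk += 1
        reasons.append(f"uncommon TLD .{tld}")

    # Does the domain name itself have anything to do with the subject?
    name = "".join(labels[:-1])            # hostname with the TLD removed
    terms = query_terms(query)
    matched = [t for t in terms if t in name]
    if terms and not matched:
        risk += 1
        reasons.append("domain name shares no term with the query")

    # Keyword-stuffed hostnames: many hyphens or a very long registered label.
    if len(labels) >= 2 and (labels[-2].count("-") >= 3 or len(labels[-2]) > 30):
        risk += 1
        reasons.append("hostname looks keyword-stuffed")

    return {"host": host, "tld": tld, "risk": risk,
            "matched_terms": matched, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample results for the query in the article's Halloween example.
    for sample in ("http://www.halloween-costumes.com/shop",
                   "http://www.halloween-costumes.ru/shop",
                   "http://cheap-halloween-costume-deals-online.info/"):
        print(assess_result(sample, "halloween costumes"))
```

Note the limits of the name-match check: a poisoner registering a keyword-stuffed domain passes it by design, which is why the hyphen and length test is there, and why a matching name only ever lowers the score slightly rather than clearing the result.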

Reader Comments

Wed, Mar 7, 2012 Ellie Kesselman United States

So true about "off brand" domains. I try to navigate to com, org, edu, gov and mil if possible. biz, info, us and even net are riskier. Lately, I've noticed a few People's Republic of China based websites with com domains. I haven't had any bad experiences, but it puzzles me. One was a semi-governmental entity, Baotou research. The other was not. How can they be using com instead of cn domains, particularly Baotou...?