Hackers continue to abuse search engine results to lure users to malicious sites and spread malware. Security researchers at McAfee and Symantec report that the technique is on the rise.
Cyber-criminals are always on the lookout for new tricks, but they are also
sticking with an oldie-but-goodie: abusing search engine results.
According to security pros, there has been a significant increase in the
tactic since January. On March 10, officials at Symantec noted attackers were
using sponsored search results on Yahoo to lure Web surfers to a malicious
site that promoted a fake anti-virus product called "Antivirus & Security."
The search result purported to be a link to the latest version of AVG
Technologies' anti-virus software. In truth, however, it led to
Antivirus-2009-new.com and Antivirus-pro-download.com, where users were asked
to make a payment to buy a membership to get the rogue AV application.
Also on March 10, McAfee found cyber-criminals were making use of the Google
page rank of Democrats.org to improve the chances their malicious links would
appear in Google searches. According to McAfee, hackers have been flooding the
community blog feature on the site with bogus posts and malicious links for
several weeks.
"Starting at the beginning of this year we've seen a significant
increase in the number of malicious sites ranking high on popular search
terms," said Craig Schmugar, a threat researcher for McAfee Avert Labs.
"What we are seeing is that the attackers are targeting high-ranking sites
such as Democrats.org to post their content and cross-linking many Web sites.
They are also copy/pasting content from high-ranking Web sites, such as those
that appear at the top of Google News results."
Google took action recently against a number of malicious sites McAfee found
were using subjects such as the recent Gmail service outage and the rogue
"Error Check System" application on Facebook to boost their rankings
and entice victims.
"In all cases, we actively work to detect and remove sites that serve
malware from our search index and our ad network, and we immediately suspend
accounts found to contain ads pointing to sites that install malware," a
Google spokesperson said. "To do this, we have manual and automated
processes in place to enforce our policies. However, it's important to
recognize that this issue affects more than just Google and other search
engines, as these afflicted sites are still part of the general Web. We're
always exploring new ways to identify and eliminate malicious sites from our
index."
Beyond what the search engines are doing, security vendors have built
technology into their anti-malware products that examines behavior as a way to
block suspicious activity.
Symantec, for example, just launched a beta of a
technology called Norton Safe Web that prescans sites.
"The main challenges are to scan such sites often because how safe they
are changes over time and also to improve our accuracy in correctly identifying
a bad site versus a good one when we do scan," said Zulfikar Ramzan,
technical director and architect for Symantec Security Technology and Response.
"While I [don't] expect these types of threats to show signs of abating
any time soon and while attackers have tricks up their sleeves, I believe
[security researchers] can be equally creative on our side to anticipate these
surprises and protect people."