Cyber-criminals are always on the lookout for new tricks, but they are also sticking with an oldie-but-goodie: abusing search engine results.
According to security pros, there has been a significant increase in the tactic since January. On March 10, officials at Symantec noted attackers were using sponsored search results on Yahoo to lure Web surfers to a malicious site that promoted a fake anti-virus product called “Antivirus & Security.”
The search result purported to be a link to the latest version of AVG Technologies’ anti-virus software. In truth, however, it led to Antivirus-2009-new.com and Antivirus-pro-download.com, where users were asked to make a payment to buy a membership to get the rogue AV application.
Also on March 10, McAfee found cyber-criminals were making use of the Google page rank of Democrats.org to improve the chances their malicious links would appear in Google searches. According to McAfee, hackers have been flooding the community blog feature on the site with bogus posts and malicious links for several weeks.
“Starting at the beginning of this year we’ve seen a significant increase in the number of malicious sites ranking high on popular search terms,” said Craig Schmugar, a threat researcher for McAfee Avert Labs. “What we are seeing is that the attackers are targeting high-ranking sites such as Democrats.org to post their content and cross-linking many Web sites. They are also copy/pasting content from high-ranking Web sites, such as those that appear at the top of Google News results.”
Google took action recently against a number of malicious sites McAfee found were using subjects such as the recent Gmail service outage and the rogue “Error Check System” application on Facebook to boost their rankings and entice victims.
“In all cases, we actively work to detect and remove sites that serve malware from our search index and our ad network, and we immediately suspend accounts found to contain ads pointing to sites that install malware,” a Google spokesperson said. “To do this, we have manual and automated processes in place to enforce our policies. However, it’s important to recognize that this issue affects more than just Google and other search engines, as these afflicted sites are still part of the general Web. We’re always exploring new ways to identify and eliminate malicious sites from our index.”
Beyond what the search engines are doing, security vendors have built technology into their anti-malware products that examines behavior as a way to block suspicious activity. Symantec, for example, just launched a beta of a technology called Norton Safe Web that prescans sites.
“The main challenges are to scan such sites often because how safe they are changes over time and also to improve our accuracy in correctly identifying a bad site versus a good one when we do scan,” said Zulfikar Ramzan, technical director and architect for Symantec Security Technology and Response. “While I [don’t] expect these types of threats to show signs of abating any time soon and while attackers have tricks up their sleeves, I believe [security researchers] can be equally creative on our side to anticipate these surprises and protect people.”