Attackers Improving Search Engine Optimization to Push Rogue Security Tools

In an analysis of a rogue anti-spyware scam, AVG Technologies noted that just 24 hours after a news event, attackers had already gotten their malicious links into five of the top 10 Google search results. The incident highlights the challenges faced by search engines such as Yahoo, Google and Microsoft Bing.

Poisoning search engine results to trick users into visiting malicious sites is not a new tactic. But as an analysis by AVG Technologies shows, it can be very effective.

Examining a rogue spyware campaign that sought to take advantage of interest in the earthquake in Samoa last week, AVG determined that it took just 24 hours for attackers to get their malicious links in Google's top 10 search results.

"The first reports of the Samoan earthquake hit my inbox on Sep 29th at about 4pm EST," blogged Roger Thompson, chief of research at AVG. "By about 7pm EST, the next day, we started noticing hits on rogue spyware from Google queries. When we looked, we found they had five or six of the top ten results on the Google search results page, well above even places like CNN and The Guardian on queries like 'Samoan Tsunami.'"

Those who clicked on the links to the malicious sites were led to a Website that tried to get users to install a bogus anti-malware program.

Search engines such as Yahoo and Google can be abused in more than one way. For example, in March McAfee found cyber-criminals abused the Google page rank of to improve the chances their malicious links would appear in Google searches. To do this, hackers flooded the community blog feature on the site with bogus posts containing malicious links for several weeks.

"The most common spamdexing trick is the creation of doorway pages," noted Mike Haro, a senior security analyst at Sophos. "These pages are designed, usually by automated software, to look good to search engines, and as such contain a high density of search terms. If these pages are planted on popular sites they may get high enough on the search results page. When a visitor clicks on it, the page automatically redirects to an advertised site."
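The doorway-page pattern Haro describes (dense search terms plus an automatic redirect) can be scored heuristically. The following is an added example for illustration, not code from AVG, Sophos or Google; the redirect patterns, the density threshold and the two sample pages are constructed assumptions, and a real crawler would combine this with other signals.

```python
import re
from html.parser import HTMLParser

# Client-side redirect patterns typical of doorway pages (heuristic, assumed).
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?', re.I)
JS_REDIRECT = re.compile(r"\blocation(?:\.href)?\s*=(?!=)|location\.replace\(", re.I)

class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> contents."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def term_density(text, terms):
    """Fraction of words in the visible text that are target search terms."""
    words = re.findall(r"[a-z]+", text.lower())
    if not words:
        return 0.0
    return sum(1 for w in words if w in terms) / len(words)

def assess_doorway(html, terms, density_threshold=0.3):
    """Flag a page as a likely doorway when it is keyword-stuffed AND redirects."""
    parser = _TextExtractor()
    parser.feed(html)
    density = term_density(" ".join(parser.parts), {t.lower() for t in terms})
    redirects = bool(META_REFRESH.search(html) or JS_REDIRECT.search(html))
    return {"density": round(density, 2), "redirects": redirects,
            "suspicious": redirects and density >= density_threshold}

# Constructed sample pages (not real captures) for the hot-news query terms.
TERMS = ["Samoan", "Tsunami", "Samoa", "earthquake"]
DOORWAY = """<html><head><title>Samoan Tsunami Samoa earthquake</title>
<meta http-equiv="refresh" content="0;url=http://example.invalid/scan">
</head><body>samoan tsunami samoa earthquake tsunami samoa tsunami earthquake</body></html>"""
NEWS = """<html><head><title>Earthquake triggers tsunami in Samoa</title></head>
<body><p>A powerful earthquake struck near Samoa on Tuesday, generating a tsunami that
reached coastal villages. Officials said rescue teams were being dispatched.</p></body></html>"""

if __name__ == "__main__":
    print("doorway:", assess_doorway(DOORWAY, TERMS))  # suspicious: True
    print("news:   ", assess_doorway(NEWS, TERMS))     # suspicious: False
```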

According to eSoft, the majority of the sites being used in these schemes are compromised sites.

A Google spokesman said the company scans Web pages for malware and posts warnings in its search results when malicious content is found. In addition, many rogue sites also get removed from search results altogether.

"We work hard to protect our users from malware," the spokesman said. "Many of these results have been removed from our index. In all cases, we actively work to detect, flag and remove sites that serve malware from our index. We have manual and automated processes in place to enforce our policies. We'll continue to monitor for these bad results and will remove any as necessary. Additionally, we're always exploring new ways to identify and eliminate malicious sites from our index."

AVG's Thompson noted in comments to eWEEK that search engines such as Google have a tough road in front of them when it comes to dealing with the issue.

"What Google does is that they remove the sites from their indexes as soon as they realize what's up, but the sites seem to be up for a day or two in the meantime ... just long enough to take advantage of the hot news," he said. "The point is they've probably figured out Google's indexing algorithm, so that's probably hard for Google to change.

"I think they've been doing [search engine optimization] for ages, but it's become really effective recently," he said.