Attackers manipulating Google search to return malicious pages higher on the results page is nothing new. However, researchers have recently noticed similar tactics on Google’s image search results.
Researchers reported encountering malicious search results on Google image search as early as April 19. As of April 29, the search results are still poisoned. Attackers are jumping on topics that are currently popular, including the royal wedding between Britain’s Prince William and Catherine Middleton and the White House releasing President Barack Obama’s birth certificate.
Adversaries “are quick to pounce on user curiosity for their own gain,” wrote Steve Ward on the Invincea blog.
Attackers are using poisoned SEO links techniques to feed malicious links to users, and instead of just relying on text searches as has been done in the past, there’s been a marked increase in links pointing to rogue sites from image search. Users looking for the latest images from the royal wedding, such as the bride’s dress or wedding cake, for example, are at risk because they generally are not looking at the linked URL before clicking.
“Nothing is sacred out there, folks,” Ward wrote.
Websense Security Labs Threatseeker network detected that Google Image search returned poisoned pictures which would redirect users to pages running the Neosploit malware kit, Websense’s Xue Yang posted on the Security Labs blog. The attack sites have been modified, sometimes redirecting to Neosploit, and other times to a fake antivirus site, according to Yang.
In the case of the Neosploit kit, the attack site downloads a payload customized for the user’s operating system, browser and installed software, wrote Yang. In one example, the attack site downloaded a PDF file targeting three Adobe Reader vulnerabilities and was not detectable by several major antivirus scanners. Neosploit is readily available on the black market and several variants exist exploiting various vulnerabilities, including MDAC, Active X and the aforementioned Adobe Reader.
Black hat SEO campaigns often trick users into downloading fake antivirus software. While Firefox and Mozilla detect several of the malicious links, there are several that don’t get trapped, easily tricking users. This happened to several colleagues at eWEEK recently, who had downloaded innocuous images, such as a clip art of a question mark, and were shown a prompt indicating the antivirus was not running. Clicking on the button to “turn on” the antivirus launched a fake antivirus called, “Windows 7 Security 2011.”
Some of the images returned when searching on President Obama’s birth certificate, using terms like “Obama birth certificate,” directed users to malicious sites that used a Java exploit to install a rogue Security Shield antivirus or XP Anti-Spyware 2011, according to Christopher Boyd, a senior threat researcher at GFI Software.
Some fake antivirus software aren’t content with just popping up a screen and demanding a credit card numbers. There are some fake AV scams that go ahead and sets up connection with a command-and-control server, Ward said.
Users should be aware that there are malicious links and be alert. When looking at any kind of search results, instead of clicking automatically on the first result, they should look at what the URL looks like to try to determine its authenticity. Downloads should always be from well-known sites, wrote Manuel Humberto Santander Pelaez, a community SANS instructor at SANS Institute on the Internet Storm Center.
Users should consider defending the perimeter, such as running and regularly updating a desktop firewall and an antivirus scanner. Firefox users should consider installing the no-script add-on as it can block Neosploit, according to Pelaez.
Enterprises should consider protecting the user from the network by looking at sandboxing technologies that prevent exploits from leaking into the rest of the network, according to Anup Ghosh, chief scientist of Invincea. “As was the case with another famous fairytale wedding, this one involves getting your users to take a bite from the poisoned apple,” Ghosh said.