Security software maker Webroot said hackers are now leveraging Google Trends to lure unsuspecting victims to fake blog Web sites riddled with malware.
Launched in May 2006, Google Trends lets searchers enter up to five topics and see how much they’ve been searched on Google, as well as how frequently those topics have appeared in Google News stories around the world.
When Google Trends detects a spike in the volume of news stories for a particular search term, it labels the graph and displays the headline of an automatically selected Google News story written near the time of that spike.
Hackers are apparently leveraging Trends to find out what stories people are most likely to look for, based on the subject’s popularity. To seed their dirty code, hackers construct fake blogs with video links about the news for which users were searching.
News hooks are likely to include popular news stories, such as bits about the presidential campaign, the financial failures on Wall Street or Major League Baseball’s playoffs.
Once a user clicks on one of the video links, they are asked to download a video codec. The codec downloads a rogue anti-spyware program geared to bait the user into buying an illegitimate program that may put their personal information and data at even greater risk.
One question bothered me about this scenario. How does Webroot know that Web sites are using Google Trends for their malware mischief?
Paul Piccard, director of threat research for Webroot, told me that in the course of his research, some of the malware proprietors brazenly mentioned on their Web sites that they leveraged search results from Google Trends as news hooks to lure users.
Hiding malware in video links on fake blogs is hardly new, but leveraging the relevancy that Google’s algorithms enable to bolster traffic to malicious sites is a growing and disturbing trend. Piccard told me:
“Malware distributors are going to where the people are instead of setting up sites that may or may not be relevant to a user’s interests. Just like a legitimate Web site, they [hackers] are determining how to drive traffic to their Web site to download malware. By looking at Google Trends, they are able to get a better idea of what people are interested in and how they can trick users to click on their links through search results or appear to be relevant to what a user is searching for. If you’re looking for something about Wachovia and the bank group buying them, you’ll start seeing these results, you’ll click on one and you’ll assume it’s legitimate when in fact it’s a malware distribution platform.”
I asked for a link to a specific example of a site, but Piccard said that due to the risky nature of their malware missions, the sites go up and down quickly. But I’ve asked him to keep an eye out and will update with a link to one if it presents itself.
If anyone else out there spots a site they believe delivers malware and mentions Google Trends, please drop me a line.
So what is a user to do? The obvious duty is to be vigilant. Avoid these exploits by refraining from downloading content from sites you’re not certain you can trust.
Webroot said users can also avoid these Google Trends malware traps by installing current Microsoft or Mac security packages and keeping anti-spyware products current.