A Google search can be a risky undertaking. Many users will click one of the first links that shows up in the search results, and few think twice about whether or not a link may lead to spam or malware.
In a frequent practice known as “SEO poisoning,” online criminals tweak search results for popular topics so that sites containing malware rise to the top.
For example, poisoned search results were already appearing in Google within a few hours of the Japanese earthquake today (March 11).
In some cases, just viewing one of these pages in a browser can be enough to infect a PC — a “drive-by download” over which the user has little or no control.
In other cases, the user is told his computer is already infected, and that he needs to download and install antivirus software — which is itself malware in disguise. Security experts label these as “rogueware” or “fake AV.”
Stopping the bad guys
Google is stepping up efforts to prevent fake AV sites from showing up in its search results, according to Michael Sutton, vice president of security research with the Sunnyvale, Calif.-based security company Zscaler.
“Google isn't actually removing the malicious results from their index, but they are including warning messages to ensure that users are aware that the site may have been compromised,” he said.
A warning message shows up under each suspicious link, stating, “This site may be compromised.”
Google has two teams dealing with malicious content and spam. The “security” team’s main goal is to find malicious sites and add them to Google Safe Browsing, which is used by most web browsers (Firefox, Safari and Chrome) to block malicious and phishing sites.
The “spam” team’s job is to clean the search index and search results of spam pages.
To find bad sites, Google scans suspicious URLs, accessing them in different ways to see if they lead to different domains.
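The check described above, fetching the same URL under several request profiles and comparing where each one ends up, can be illustrated with a small script. This is an added example, not code from the article or from Google's own crawler; the site names, the request profiles and the `simulated_fetch` function are constructed stand-ins for real HTTP requests so the script runs offline.

```python
# Added example (not from the article or Google): detect a page that serves
# different content, or redirects to a different domain, depending on who asks.
from typing import Callable, Dict, Tuple
from urllib.parse import urlparse

# Constructed sample: a hijacked blog page on an otherwise legitimate site.
# A real checker would issue HTTP requests and follow redirects; here fetch()
# returns (final_url, body) for a request with the given headers.
def simulated_fetch(url: str, headers: Dict[str, str]) -> Tuple[str, str]:
    referer = headers.get("Referer", "")
    user_agent = headers.get("User-Agent", "")
    if url == "http://legit-example.test/blog/earthquake-news":
        # The hijacked page sends search-engine visitors elsewhere but shows
        # the crawler and direct visitors the normal article.
        if "google." in referer and "Googlebot" not in user_agent:
            return ("http://fakeav-example.test/scan.php",
                    "<html>Your PC is infected!</html>")
        return (url, "<html>Earthquake news...</html>")
    return (url, "<html>Unrelated page</html>")

# Request profiles: the crawler, a visitor arriving from a search result page,
# and a visitor who typed the address directly (hypothetical header values).
PROFILES: Dict[str, Dict[str, str]] = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    "search_visitor": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
        "Referer": "http://www.google.com/search?q=japan+earthquake",
    },
    "direct_visitor": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"},
}

def check_cloaking(url: str,
                   fetch: Callable[[str, Dict[str, str]], Tuple[str, str]] = simulated_fetch
                   ) -> Tuple[bool, Dict[str, str]]:
    """Fetch url under each profile and record the final host for each.

    Returns (suspicious, hosts): suspicious is True when at least one profile
    lands on a different domain than the others, which is the signal a
    search engine can use to flag a result even when the page itself hosts
    no malware.
    """
    hosts: Dict[str, str] = {}
    for name, headers in PROFILES.items():
        final_url, _body = fetch(url, headers)
        hosts[name] = urlparse(final_url).netloc
    suspicious = len(set(hosts.values())) > 1
    return suspicious, hosts

if __name__ == "__main__":
    for target in ("http://legit-example.test/blog/earthquake-news",
                   "http://legit-example.test/about"):
        flagged, seen = check_cloaking(target)
        print(target, "SUSPICIOUS" if flagged else "ok", seen)
```

The point of comparing profiles rather than inspecting the page body is that the hijacked page contains no malware of its own; only the redirect destination, which differs by visitor, gives it away.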
Needing to do better
Sutton noted that currently, Google is catching about 44 percent of the fake AV sites that are active. He believes Google can do better.
“The main problem is that when the Security Team finds a hijacked site leading to a fake AV page, the hijacked page is not removed or flagged in the search index by the spam team,” Sutton explained.
“Also, if the hijacked page does not contain any malware, it ‘just’ redirects users to another malicious domain hosting malware. Until very recently, Google did not want to block these types of redirection pages.”
Most SEO poisoning “kits” secretly operate within legitimate websites whose operators are unaware their servers are being used to lure victims toward malware — and whose owners would not want Google to block them, hijacked or not.
Google has nonetheless recognized the problem of fake AV sites since 2007. As reported on the April 14, 2010, Google blog, the company has conducted research to determine the prevalence of fake AV.
"We've made significant progress in our technology to counter fake anti-virus scams, and as a result, we've seen fewer instances of malicious search results and much shorter lifespans for fake AV scam websites, now often under an hour,” a Google spokesperson told SecurityNewsDaily.
“Google has worked to help protect users from these scams for the past four years, and we're always improving our methods."
In February, Google added a feature to its Chrome browser that enabled users to block search results from certain sites, although it didn’t publicize the feature until this week.
What can users look for to make sure the link they are clicking on is safe? Consider downloading a browser plug-in that can detect malicious sites (Zscaler has a plug-in for Firefox).
Also, make sure the anti-virus software on the computer is up-to-date. Good AV will catch the fake AV sites.