Dec. 3, 2007 at 3:49 PM ET
You might want to take an extra half-second the next time you click on search engine results to make sure you know where you're going. Computer criminals have refined a sinister technique for tricking Web surfers into clicking on infected Web pages, turning search engines like Google into unwitting partners.
It's known as “Google poisoning,” because Google is the biggest target, but it can impact any search engine. Criminals construct booby-trapped Web pages, then dupe search engines into giving them high rankings.
Last week, security research firm Sunbelt Software found that a simple search for something like "funny dog picture" on Google directed searchers to Web sites hosted on Chinese domains. Those who clicked on the links were pushed to install a malicious program named "Spy-shredder."
Last week alone, criminals posted 40,000 to 50,000 of these malicious pages in a single, coordinated attack, said Alex Eckelberry, CEO of Sunbelt.
"What has surprised security researchers was the scale of this,” Eckelberry said. “This was a very big attack, a very fast bolt from the blue."
Those who fell for the trick suffered “a bad infection,” he added. “There was a lot of nasty software out there.”
Google removed the links from its database immediately when notified, Eckelberry said. But the criminals were back the next day with more virus-laden Web sites on different domain names.
A Google spokeswoman who declined to be identified said the company is aware of the problem and working to keep its results clean.
"Google works hard to preserve the quality of our index,” the company said in a statement. “We actively identify sites that serve malware or abuse our quality guidelines in other ways."
Not new, just more sophisticated
Publishing booby-trapped Web sites or “gaming” Google's search algorithms aren’t new practices. Readers of this column might remember a recent entry concerning Search Engine Optimization. Called "SEO" by practitioners, search engine optimization runs the spectrum from legitimate linking to affiliated Web sites to the creation of hundreds of fake sites designed to artificially inflate Google rankings, which essentially judge how many links a Web page attracts.
URLs that end in .CN could arose suspicion
But criminals are now combining SEO tactics and booby-trapped Web pages, and doing it systematically. By posting tens of thousands of Web sites simultaneously, criminals can take over all the top spots on a search results page, casting a wide net that’s more likely to catch Web users.
Eckelberry described these criminals as "SEO Gods," saying they can "take any site and get it on the first page of Google results."
'Comment spam' also a problem
In addition to cross-linking all these fake Web sites, criminals are also engaging in "comment spam" to enhance their search engine rankings, said Zulfikar Ramzon, a researcher with antivirus firm Symantec Corp. Popular blogs -- including the Red Tape Chronicles -- are regularly bombarded with computer-generated, meaningless comments that include a link to another site. By getting a link on a popular Web site, the spammer’s Google ranking improves. We try to keep comment spam off MSNBC.com, but it often slips onto blogs all around the Web.
No one knows how successful the tactic is, though Eckelberry points out the criminals wouldn't keep doing it if it didn't work. Still, even an attack of 40,000-50,000 fake Web sites still represents an infinitesimal portion of the sites in Google's index, making the odds of any individual consumer encountering a poisoned Google link still quite small.
"I don't want people to get scared of Google," he said. “Google is impressive with how quickly they remove bad sites.”
RED TAPE WRESTLING TIPS
It's wise to look both ways even when crossing a quiet street, and it's wise to take an extra glance before clicking on a search engine link. Google makes this easy by listing the URL under each search result. In the most recent attack, potential victims might have noticed the .cn suffix on the end of each domain name, a signal that the Web site might be in China and might include unexpected content.
That's not a foolproof strategy, however. Computer crooks sometimes deploy a technique called "Google cloaking," which tricks the search engine into displaying the wrong URL on search results pages, Eckelberry said.
Old advice also works well here: Keep up with security patches. This latest set of attacks relied on vulnerabilities that allow a Web site to install software onto a visiting computer without a user's knowledge. Fully patched systems merely received a pop-up window inviting users to download video software -- a much easier attack to avoid. Again, this is not a foolproof protection, but keeping your security current severely decreases your odds of being infected by Google poisoning.
Finally, Eckelberry recommends that Windows users set up separate user accounts for their children. That will limit the damage that a child can do by searching the Web with your computer.