IE 11 is not supported. For an optimal experience visit our site on another browser.

New cyber-trick: search engine spam

Symantec Corp.

Some e-mail and Google users might not feel quite so lucky right now. Search engine spam is the latest technique for getting unwanted online advertisements in front of Internet users' eyes, and it appears to be an overnight success. The key to this new trick, researchers say, is outwitting Google's "I'm Feeling Lucky" feature.

With traditional spam finally losing traction among e-mail users, spammers have stepped up their pace of innovation. Last year, they adopted new techniques like image spam, .pdf spam and even audio spam. These disappeared as quickly as they came. But starting in January, spammers began flooding inboxes with a new kind of spam that uses a much simpler form of deception. In the body of these e-mails, recipients see what looks like a link to Google search results -- and in fact, that's what it is. There's trouble, however, on the other side of that link.

The attack combines two tactics. First, spammers game Google so the Web site they want recipients to visit ranks at the top of the search engine results. Second, they alter the URL pasted in e-mails so users who click on the link go directly to the top result via Google's "I'm Feeling Lucky" feature – bypassing a stop at Google's Web site.

Symantec Corp.

Here's what one of the specially crafted URLs looks like:

The technique apparently works. One-fourth of all spam sent in January was "search engine spam," according to e-mail security firm MessageLabs.

Spam filter software often works by blacklisting domains that are known haunts for spammers, or by directing e-mail with links to those domains into junk mail folders. But these tools can't filter out every e-mail with a Google link -- that would send too many legitimate e-mails to the trash.

"When you first hear this is you think, 'What an easy way to (get around) blacklists,'" said Mark Sunner, chief technology officer of MessageLabs. "It is indicative of the back and forth security firms have with bad guys."

Sunner said the firm detected virtually no search engine spam in December, but has seen a huge spike since New Year's Day.

Officials at security firm Symantec first saw evidence of the Google spam trick in November, but it wasn't widely exploited until last week, when use of the technique doubled almost overnight, said Doug Bowers, director of anti-abuse engineering.

"This is the next iteration of something we've seen for a while, this approach of hiding in spam a link to something that looks legitimate," Bowers said. Consumers have largely become immune to suspicious-looking Web links in e-mail, Bowers said, but a link to Google has an air of authenticity.

"For these kinds of attacks, the more mainstream you can be, the better. And you can't get any more mainstream than Google," he said.

Google says it's got a fix

A Google spokeswoman who asked not to be named said the company has seen "I'm Feeling Lucky" attacks, but added that help is on the way.

"Google began deploying a fix that should block most of these 'I'm Feeling Lucky' redirects, and we will work to reduce such issues in the future," she wrote in an e-mail.

While MessageLabs says hackers have tried similar techniques with other search engines, Google is the principal target.

So far, the search engine attacks are limited to annoying spam, according to Symantec. But officials there are worried that the technique will be used by criminals to trick users into installing viruses on their machines.

Google is already fighting other sinister tactics employed by virus writers. Late last year, criminals developed "Google poisoning," which tricks the search engine into displaying links to virus-laden Web sites.

Google has countered by displaying a warning to users in its search results, and in some cases, preventing users from clicking on links to infected sites.


Be skeptical about links that appear in your e-mail. Only on rare occasions would someone send you a link to Google search results, and that should be obvious from the context: "Hey, look at all the places that link to Alan Boyle's excellent Cosmic Log science blog":

Otherwise, ignore such links in e-mail. And of course, you can always re-create the search manually by typing in the search term in Google on your own. You might still get the same spammy results, but at least you'll get a preview of them on the Google search results page.

You can't click on what you can't see. Symantec's Bowers suggests using a spam filter that keeps such tricky e-mails out of your inbox in the first place.