Julien Sobrier, Senior Security Research at Zscaler: Search engine hijacking, other attacks and scams

December 2010 by Julien Sobrier, Senior Security Research at Zscaler

Search results in popular search engines are often poisoned in an effort to lead users to fake anti-virus pages (see “Search results hijacked to infect users”). The efficiency of this technique is attracting an ever expanding group of scammers and attackers.

Some attacks leverage known vulnerabilities in web browsers and popular browser plugins, such as Adobe Flash, Adobe Reader (PDF) or Java. Attackers are now also leveraging other fake software such as fake Flash updates, fake Firefox updates, fake video codecs, etc. The overall technique is always the same: the visitor is warned that their Flash version is too old to watch a video, that a new Firefox version is available to fix security issues, or that additional video codecs or players are required to stream content. These pages often imitate a well-known legitimate site, such as YouTube or the official Firefox site. All of these fake software versions are in fact malware.

Figure 1. Fake warning about new Flash and Firefox versions

Other attackers spam search results to bring users from Bing, Yahoo or Google to fake search engines. These fake search engines display a new set of results for the same query the user entered on the legitimate search engine, but these links are actually paid ads: the fake search engine earns money each time a user clicks on one. To hide the source of the traffic from the ad networks, the attackers redirect users through multiple servers, so that the traffic looks like a few clicks coming from many websites rather than many clicks from one site. In this case the attackers are scamming the ad networks and their clients; the users are simply used as a tool to provide the needed clicks.

Figure 2. Each search result is actually a pay-per-click ad.

The scammers also try to get money directly from users by selling them a monthly subscription to download a file they are looking for. These sites use the keywords typed by the visitor on Google, Yahoo and Bing to come up with a file name. For example, if a user looked for “deadliest catch”, these download sites claim that the file “deadliest catch.rar” is available for download … after paying a few euros or dollars.

Figure 3. Download page for a file which does not actually exist

Attackers always come up with new techniques to scam or infect users: fake online stores where all downloadable software is actually malware, free movie streaming sites that require a video player to be installed first, etc. The poisoning of search engine results and the hijacking of legitimate sites to host spam will keep happening as long as there is money to be made, or until Google, Yahoo and Bing clean up their results. Users must be aware of these threats, and should know that the search results from their favorite search engine are not always safe.
