Julien Sobrier, Zscaler: Search results hijacked to infect users
December 2010 by Julien Sobrier, Senior Security Researcher, Zscaler
Search engines such as Google, Bing and Yahoo! are now the preferred vector for infecting users. Everybody uses a search engine on a daily basis. These sites also give attackers useful information for targeting users: which search terms are currently the most popular, what a user was looking for when he clicked on a search result, and so on.
Google Hot Trends provides a daily list of the 20 most popular searches. Attackers hijack thousands of legitimate sites to add spam pages for each of these popular searches. Thousands of new spam pages are then created and indexed each day by Google. The spam pages are tailored to trigger on searches for specific keywords/phrases and are linked to each other across several domain names. This helps to promote the spam pages by benefiting from the good reputation of other hijacked sites. These Blackhat Search Engine Optimization (SEO) techniques ensure that the spam pages will receive a high rank in overall search results.
Figure 1 Spam page created for a popular search looks like the MTV
Attackers are careful to hide the spam from the webmaster and from third-party security scanners. No existing page on the hijacked site is modified. Instead, the new pages are added in hidden folders, or in folders which do not usually host HTML content (/images, /tmp, etc.). Thousands of spam pages are generated by only 4 to 6 files (PHP scripts and log files) added to each site; all spam pages are then created dynamically. When a user clicks on one of the spam links within search results, he is redirected to another domain, which typically hosts viruses or malware. In order to fool the user into downloading a malicious file, a page showing a fake antivirus scan in progress is displayed. The user is warned that his computer is infected by one or more viruses, and that he should download a free antivirus product to fix the problem. The download is initiated automatically, without user interaction. The antivirus product is itself a virus.
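The footprint described above (a handful of server-side scripts and log files dropped into hidden folders or into folders that normally hold only static content, while existing pages stay untouched) is something a webmaster can check for directly. The following audit script is an added example written for this article and is not Zscaler's tooling; the list of static-only folders, the script and log extensions, and the sample directory tree are all constructed assumptions and should be adjusted to the site being checked.

```python
"""Audit a web root for server-side scripts where they do not belong.

Added example (not Zscaler's code). Flags:
  * scripts inside folders that normally hold only static content
    (/images, /tmp, ...), as described in the article;
  * scripts inside hidden folders (a path component starting with '.');
  * log/text files sitting next to such a script, since the dropped kit
    is described as a few PHP scripts plus log files.
"""
import os
from pathlib import PurePosixPath

# Folders that should never contain executable server-side code (assumption).
STATIC_ONLY_DIRS = {"images", "img", "tmp", "cache", "uploads", "css", "js", "fonts"}
# Extensions treated as server-side scripts (assumption; extend for your stack).
SCRIPT_EXTS = {".php", ".php3", ".php5", ".phtml", ".cgi", ".pl", ".asp", ".aspx", ".jsp"}
# Extensions treated as the kit's companion log files (assumption).
LOG_EXTS = {".log", ".txt", ".dat"}


def script_reasons(rel_path):
    """Return the reasons a single script path looks out of place ([] if none)."""
    p = PurePosixPath(rel_path)
    if p.suffix.lower() not in SCRIPT_EXTS:
        return []
    parents = [d.lower() for d in p.parts[:-1]]
    reasons = []
    if any(d in STATIC_ONLY_DIRS for d in parents):
        reasons.append("script in static-only folder")
    if any(d.startswith(".") for d in parents):
        reasons.append("script in hidden folder")
    return reasons


def audit_paths(rel_paths):
    """Audit an iterable of POSIX-style paths relative to the web root.

    Returns {path: [reasons]} for every suspicious file.  A log file is only
    flagged when it shares a folder with an already-flagged script.
    """
    findings = {}
    flagged_dirs = set()
    for rel in rel_paths:
        reasons = script_reasons(rel)
        if reasons:
            findings[rel] = reasons
            flagged_dirs.add(str(PurePosixPath(rel).parent))
    for rel in rel_paths:
        p = PurePosixPath(rel)
        if rel not in findings and p.suffix.lower() in LOG_EXTS \
                and str(p.parent) in flagged_dirs:
            findings[rel] = ["log file beside flagged script"]
    return findings


def audit_webroot(root):
    """Walk a real web root on disk and audit every file under it."""
    rels = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rels.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return audit_paths(rels)


# Constructed sample tree: a normal CMS install plus a dropped SEO kit.
SAMPLE_TREE = [
    "index.php",
    "wp-content/themes/site/functions.php",
    "images/logo.png",
    "images/.cache/page.php",     # hidden folder under /images
    "tmp/go.php",                 # script in a folder that should hold no code
    "tmp/keywords.log",           # companion log file next to that script
    "css/style.css",
]

if __name__ == "__main__":
    for path, reasons in sorted(audit_paths(SAMPLE_TREE).items()):
        print(f"{path}: {', '.join(reasons)}")
```

Run it against a real site with `audit_webroot("/var/www/html")` (path is an assumption). The heuristics are deliberately narrow so that a clean install produces no output; anything they do report is worth a manual look, because the article notes that the dropped files are few and are never placed in the site's existing pages.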
Figure 2 Fake antivirus
Google found that this type of attack represents approximately 60% of all threats currently found. We have found that in some instances, more than 50% of total search results lead to a fake antivirus page. All international and popular events (Prince Harry's wedding, the latest gossip about a star, etc.) are used to infect many users. Zscaler has shown that it is more dangerous to use a search engine for popular searches than to surf Twitter!