Poisoned Google search results

Google has been and is very helpful – no doubt about it. But it seems to me that they should try to do something about the poisoned search results problem, otherwise people will start to lose faith in the safety of the results, and perhaps change search engines.

Cyveillance reports that the latest emerging threat to the security of Internet users combines Google search with sites running out-of-date software, as is often the case with blogs. These blogs are, of course, indexed by Google and contribute the material that comes up during searches. Some of these blogs have posts with no text – just pictures.

This fact is used effectively by cyber crooks, who compromise existing blogs to get indexed on Google. These “rogue” blogs are regularly and automatically updated with titles like “las vegas rental no credit check” or “uninvited song lyrics alanis morrissette morissette” – titles that intentionally avoid extremely popular subjects so that they don’t get lost in the wide sea of “real” sites that cover those topics.

As previously stated, these blog posts contain only pictures – images taken from the images.google.com results that turn up when the same combination of words found in the title of the post is entered. Here’s an example (the title of the post is “common and kanye west”):

Each image also carries “alt” and “title” attributes that match the words in the title, so as to maximize the probability of the blog being indexed by Google and positioned at or near the top of the search results for those combinations of terms.

And now we’re coming to the crux of the matter: when these links are clicked on, the user is redirected to a malicious site where fake notifications pop up, telling the user that his computer is infected by a throng of malware and asking him to install the anti-virus solution.

These sites are situated on domains registered with the Chinese registrar TodayNIC.com, and bear names such as:

  • premium-protection6.com
  • file-antivirus3.com
  • checkalldata.com
  • foryoumalwarecheck4.com
  • antispy-scan1.com

While this threat can be sidestepped by copy-pasting the link in the search results directly into the browser (the attack is triggered only if you arrive on the site through Google), inexperienced users are unlikely to know this.

That’s why Google should go to the trouble of examining the URLs that contain “albums/bsblog/category” or “bmsblog/category” (strings common to this kind of site) and find a way to sift through them and provide reliable warnings.
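
The markers described above (the two URL path strings, image-only posts, and “alt”/“title” attributes that repeat the post title) can be combined into a simple triage check for crawled pages. The following is an added example, not code from Cyveillance or Google; the function name, indicator labels and sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path fragments the article names as common to these blogs.
SUSPECT_PATHS = ("albums/bsblog/category", "bmsblog/category")

class PostScan(HTMLParser):
    """Collects the <title>, visible text and each <img>'s alt/title attributes."""
    def __init__(self):
        super().__init__()
        self.title, self.text, self.images, self._tag = "", [], [], None

    def handle_starttag(self, tag, attrs):
        self._tag = tag
        if tag == "img":
            a = dict(attrs)
            self.images.append((a.get("alt") or "", a.get("title") or ""))

    def handle_endtag(self, tag):
        self._tag = None

    def handle_data(self, data):
        if self._tag == "title":
            self.title += data
        elif self._tag not in ("script", "style") and data.strip():
            self.text.append(data.strip())

def poisoning_indicators(url, html):
    """Return which of the article's markers a crawled post exhibits."""
    scan = PostScan()
    scan.feed(html)
    words = set(scan.title.lower().split())
    hits = []
    if any(p in urlparse(url).path.lower() for p in SUSPECT_PATHS):
        hits.append("suspect-path")
    if scan.images and not scan.text:
        hits.append("image-only-post")
    if words and scan.images and all(
            words <= set(alt.lower().split()) and words <= set(ttl.lower().split())
            for alt, ttl in scan.images):
        hits.append("alt-title-stuffing")
    return hits

# Constructed samples (hypothetical pages, not taken from a real site).
BAD_URL = "http://blog.example/albums/bsblog/category/common-and-kanye-west"
BAD_HTML = ('<title>common and kanye west</title><img src="1.jpg" '
            'alt="common and kanye west" title="common and kanye west">')
GOOD_URL = "http://blog.example/2009/holiday"
GOOD_HTML = ('<title>Holiday photos</title><p>A week at the coast.</p>'
             '<img src="b.jpg" alt="beach">')
```

A page that trips all three indicators is a candidate for a warning or manual review; any single indicator on its own is weak evidence, since legitimate photo blogs can also be image-heavy.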