Searching for images on Bing? Beware malicious search engine poisoning


Earlier this week I was asked to look at how search engine poisoning was being used to drive web traffic to payday loan sites.

It turned out that compromised websites were being abused in order to attract search engine queries and drive more traffic to the target site(s).

Regular readers will recognise this technique - it is exactly what we have seen being used to drive traffic to malicious websites for several years now.

Further reading: Find out exactly what 'Blackhat search engine poisoning' is.

With search engine poisoning fresh in my mind, I thought it might be interesting to take a look at the current situation regarding malware; how is it currently being used to infect users with malware?

Since we block the redirect used in these attacks as Mal/SEORed, we are able to get insight into which search engines the attackers are managing to poison.

Taking data from the last couple of weeks for search engine redirects blocked on our web appliance, it is clear that the majority of the redirects are affecting those using the Bing search engine.

Of course, this breakdown takes no account of the search engine being used by these customers. Nonetheless, we would expect Google to be the dominant search engine in use, as supported by recent data released by comScore.

Digging further into the data, it is also clear that the attackers are getting most success from poisoning image search results.

Clearly the search engine providers are filtering poisoned results far more effectively from regular, text searches.
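The breakdown described above can be reproduced from web gateway logs by classifying the Referer of each blocked request by search engine and search type. This is an added example, not Sophos code or the author's: the tab-separated log format and the sample lines are constructed, and the Referer URL patterns are heuristic assumptions. It also counts allowed requests per engine, so that a block rate can be set against the raw counts, which take no account of which engine customers use.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Loose, assumed pattern for Google hosts (google.com, google.co.uk, ...).
GOOGLE_HOST = re.compile(r"^(www\.|images\.)?google\.[a-z.]{2,6}$")

# Constructed sample lines: verdict <TAB> detection <TAB> Referer.
SAMPLE_LOG = [
    "BLOCK\tMal/SEORed\thttp://www.bing.com/images/search?q=movie+outline+example",
    "BLOCK\tMal/SEORed\thttp://www.bing.com/images/search?q=sample+query",
    "ALLOW\t-\thttp://www.bing.com/images/search?q=sample+query",
    "ALLOW\t-\thttp://www.bing.com/search?q=sample+query",
    "BLOCK\tMal/SEORed\thttp://www.google.com/imgres?imgurl=http://site.example/a.jpg",
    "ALLOW\t-\thttp://www.google.com/search?q=sample+query&tbm=isch",
    "ALLOW\t-\thttp://www.google.co.uk/search?q=sample+query",
    "ALLOW\t-\thttp://images.search.yahoo.com/search/images?p=sample+query",
    "ALLOW\t-\thttp://intranet.example/wiki",
]

def classify_referer(referer):
    """Return (engine, 'image' or 'text') for a search-engine Referer, else None."""
    url = urlsplit(referer)
    host = (url.hostname or "").lower()
    if host == "bing.com" or host.endswith(".bing.com"):
        return "bing", "image" if url.path.startswith("/images") else "text"
    if GOOGLE_HOST.match(host):
        image = url.path.startswith(("/imgres", "/images")) or "tbm=isch" in url.query
        return "google", "image" if image else "text"
    if host == "search.yahoo.com" or host.endswith(".search.yahoo.com"):
        return "yahoo", "image" if host.startswith("images.") else "text"
    return None

def tally(log_lines, detection="Mal/SEORed"):
    """Count blocked and total search-referred requests per (engine, type)."""
    blocked, seen = Counter(), Counter()
    for line in log_lines:
        verdict, name, referer = line.split("\t")
        hit = classify_referer(referer)
        if hit is None:
            continue  # request did not come from a recognised search engine
        seen[hit] += 1
        if verdict == "BLOCK" and name == detection:
            blocked[hit] += 1
    return blocked, seen

def block_rate(blocked, seen):
    """Blocked share of all search-referred requests, per (engine, type)."""
    return {key: blocked[key] / seen[key] for key in seen}
```

Because the Referer header is supplied by the client, the result is a traffic statistic rather than proof of where a click originated.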

Unfortunately for users, it is very hard to recognise rogue images within image search results. Can you spot the rogue images within this selection (seen from doing an image search for 'movie outline example')?

Actually, three of the six images shown above are rogue images that the attackers have managed to poison the search results with.

At the time of writing, clicking on any one of these results in being redirected to a malicious Blackhole exploit site (v2, naturally!).

So what can users do to protect themselves?

Clearly the redirect used in these attacks can be blocked by your security product (by detection or reputation filtering). Sophos products block the redirects as Mal/SEORed.

However, we all rely on the search engine providers managing to filter rogue links out of the search results (text and image searches). The bottom line is that we are all guilty of trusting the results we get back, and clicking through without necessarily scrutinizing the URL as closely as we might.

Unfortunately, whilst any of the popular search engines fail to filter out the rogue links, users will continue to be at risk of having their web traffic hijacked.


11 Responses to Searching for images on Bing? Beware malicious search engine poisoning

  1. Marti Grace Ashby · 696 days ago

    I get valuable information from Naked Security. It's a great service. I like that there are folks out there, somewhere, looking out for regular users. The information is succinct and easily understood by a non-techie like myself.

  2. @BreakTheSec · 696 days ago

    Not only Bing search. A few days back, a Google image search result redirected me to BHEK2.
    http://www.ehackingnews.com/2012/09/google-image-...

  3. @erikford · 696 days ago

    I'd love to see the breakouts for text/image, chart-wise, for each search provider.

  4. dontask · 695 days ago

    Does the Sophos for Mac AV also protect against webdirects or just downloaded files?

  5. @RainyDayDosh · 692 days ago

    Thanks for the info on this type of attack. Excellent work.

  6. Vetal · 692 days ago

    More relevant searches on duckduckgo or blekko in my opinion anyway. Otherwise, yahoo and bing work fine for me if needing further searching, because google can and has had same issues, too. I no longer use google in any form or manner if I can help it. Just my opinion only.

    • Timmy · 692 days ago

      I agree with DuckDuckGo and Blekko. But another one I never really knew about until recently was Yandex through the Opera browser...I thought it was much better than Google.

  7. Alun Jones · 692 days ago

    It'd definitely be interesting to see the ratio of blocked to non-blocked search results, because it may be the case that people use Bing for image searches more (I know I like the "infinitely-scrolling" preview window in Bing better than Google's "scroll for a while, then hit a button for more results"). Or it may be the case that, as you imply, Bing is going to need to do something better to reduce infected results.
    I'm very wary of reports like this where the numbers presented don't quite justify the conclusions drawn - it smacks of playing with statistics.

    • Timmy · 692 days ago

      I agree with your points as well. Problem with statistic reports is that some are biased not because of the person/group/etc doing the report, but what exactly they are targeting the stats for....if that makes sense.

  8. mcnash · 669 days ago

    Recommend ixquick.com as a safe search engine

  9. lukeclayhill · 589 days ago

    The way that things are going site security is a major problem and needs more sites such as naked security to keep home users aware of continual security threats.


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.