Earlier this week I was asked to look at how search engine poisoning was being used to drive web traffic to payday loan sites.
It turned out that compromised websites were being abused in order to attract search engine queries and drive more traffic to the target site(s).
Regular readers will recognise this technique – it is exactly what we have seen being used to drive traffic to malicious websites for several years now.
Further reading: Find out exactly what ‘Blackhat search engine poisoning’ is.
With search engine poisoning fresh in my mind, I thought it might be interesting to take a look at the current situation regarding malware: how is search engine poisoning currently being used to infect users with malware?
Since we block the redirect used in these attacks as Mal/SEORed, we are able to get insight into which search engines the attackers are managing to poison.
Taking data from the last couple of weeks for search engine redirects blocked on our web appliance, it is clear that the majority of the redirects are affecting those using the Bing search engine.
Of course, this breakdown takes no account of the search engine being used by these customers. Nonetheless, we would expect Google to be the dominant search engine in use, as supported by recent data released by comScore.
Digging further into the data, it is also clear that the attackers are getting most success from poisoning image search results.
Clearly the search engine providers are filtering poisoned results far more effectively from regular, text searches.
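The breakdown above comes from blocked-redirect logs on a web appliance. As an added illustration (not Sophos code; the log line format, the search-engine host list and the image-search URL patterns are my own assumptions), here is how a defender could produce the same kind of breakdown from constructed sample log lines, counting blocked Mal/SEORed redirects per referring search engine and per text versus image search:

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log, one line per blocked request: "<timestamp> <detection> <referrer-url>".
# This is a hypothetical format; a real web appliance log would look different.
SAMPLE_LOG = """\
2012-11-12T09:01:02Z Mal/SEORed http://www.bing.com/images/search?q=movie+outline+example&FORM=IQFRBA
2012-11-12T09:03:10Z Mal/SEORed http://www.bing.com/search?q=movie+outline+example
2012-11-12T09:05:44Z Mal/SEORed http://www.google.com/imgres?q=movie+outline+example&imgurl=http://example.invalid/a.jpg
2012-11-12T09:07:00Z Mal/SEORed http://www.google.com/search?q=free+template
2012-11-12T09:08:13Z Mal/SEORed http://images.search.yahoo.com/search/images?p=movie+outline
2012-11-12T09:09:30Z Mal/SEORed http://www.bing.com/images/search?q=resume+example
2012-11-12T09:10:00Z Troj/Other http://www.bing.com/search?q=unrelated
"""

# Assumed mapping of registrable domain -> engine name (extend as needed).
ENGINES = {"bing.com": "Bing", "google.com": "Google", "yahoo.com": "Yahoo"}


def classify_referrer(url):
    """Return (engine, is_image_search) for a search-engine referrer, or None if unrecognised."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    engine = next((name for suffix, name in ENGINES.items()
                   if host == suffix or host.endswith("." + suffix)), None)
    if engine is None:
        return None
    path = parts.path.lower()
    # Assumed heuristics for image search: an "images" host label, an /images path
    # segment, or Google's /imgres click-through path.
    is_image = "image" in host or "/images" in path or path.startswith("/imgres")
    return engine, is_image


def summarise_blocks(log_text, detection="Mal/SEORed"):
    """Count blocked redirects per (engine, 'image'|'text') for the given detection name."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1] != detection:
            continue  # malformed line or a different detection
        classified = classify_referrer(fields[2])
        if classified is None:
            continue  # referrer is not a known search engine
        engine, is_image = classified
        counts[(engine, "image" if is_image else "text")] += 1
    return counts


if __name__ == "__main__":
    for (engine, kind), n in sorted(summarise_blocks(SAMPLE_LOG).items()):
        print(f"{engine:<8}{kind:<6}{n}")
```

As the post notes, such counts only show where blocks occurred; without the overall search-engine usage of the same user base they cannot be read as a poisoning rate per engine.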
Unfortunately for users, it is very hard to recognise rogue images within image search results. Can you spot the rogue images within this selection (seen from doing an image search for ‘movie outline example’)?
Actually, three of the six images shown above are rogue images that the attackers have managed to poison the search results with.
At the time of writing, clicking on any one of these, results in being redirected to a malicious Blackhole exploit site (v2, naturally!).
So what can users do to protect themselves?
Clearly the redirect used in these attacks can be blocked by your security product (by detection or reputation filtering). Sophos products block the redirects as Mal/SEORed.
However, we all rely on the search engine providers managing to filter rogue links out of the search results (text and image searches). The bottom line is that we are all guilty of trusting the results we get back, and clicking through without necessarily scrutinizing the URL as closely as we might.
Unfortunately, whilst any of the popular search engines fail to filter out the rogue links, users will continue to be at risk of having their web traffic hijacked.