Earlier this week I was asked to look at how search engine poisoning was being used to drive web traffic to payday loan sites.
It turned out that compromised websites were being abused to attract search engine queries and drive more traffic to the target site(s).
Regular readers will recognise this technique – it is exactly what we have seen being used to drive traffic to malicious websites for several years now.
Further reading: Find out exactly what ‘Blackhat search engine poisoning’ is.
With search engine poisoning fresh in my mind, I thought it might be interesting to take a look at the current situation regarding malware: how is search engine poisoning currently being used to infect users?
Since we block the redirect used in these attacks as Mal/SEORed, we are able to get insight into which search engines the attackers are managing to poison.
Taking data from the last couple of weeks for search engine redirects blocked on our web appliance, it is clear that the majority of the redirects are affecting those using the Bing search engine.
Of course, this breakdown takes no account of the search engine being used by these customers. Nonetheless, we would expect Google to be the dominant search engine in use, as supported by recent data released by comScore.
Digging further into the data, it is also clear that the attackers are getting most success from poisoning image search results.
Clearly the search engine providers are filtering poisoned results far more effectively from regular, text searches.
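A breakdown like the one described above can be produced from gateway logs by classifying the Referer of each blocked redirect by search engine and by image versus text search. This is an added example, not Sophos code: the (Referer, blocked URL) record layout, the function names and the `.example` hosts are assumptions, and the sample records are constructed rather than taken from the data discussed here.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample: (Referer, blocked URL) pairs as a web gateway might log
# them for each blocked redirect. All .example hosts are placeholders.
SAMPLE_BLOCKS = [
    ("https://www.bing.com/images/search?q=movie+outline+example", "http://site-a.example/x"),
    ("https://www.bing.com/images/search?q=valentine+backgrounds", "http://site-b.example/x"),
    ("https://www.bing.com/search?q=movie+outline", "http://site-c.example/x"),
    ("https://www.google.com/imgres?imgurl=http://site-d.example/1.jpg", "http://site-d.example/x"),
    ("https://www.google.co.uk/search?q=outline&tbm=isch", "http://site-e.example/x"),
    ("https://www.google.com/search?q=outline+template", "http://site-f.example/x"),
    ("https://images.search.yahoo.com/search/images?p=outline", "http://site-g.example/x"),
    ("http://www.google.evil.example/imgres?q=outline", "http://site-h.example/x"),
    ("-", "http://site-i.example/x"),
]

# Engine name must be the registrable label (google.com, google.co.uk),
# so look-alike hosts such as google.evil.example are not counted.
ENGINE_HOST = re.compile(r"(?:^|\.)(google|bing|yahoo)\.(?:com?\.)?[a-z]{2,3}$")

def classify_referrer(referrer):
    """Return (engine, 'image' | 'text') for a search referrer, else None."""
    parts = urlsplit(referrer)
    host = (parts.hostname or "").lower()
    match = ENGINE_HOST.search(host)
    if match is None:
        return None
    path = parts.path.lower()
    is_image = (
        host.startswith("images.")
        or path.startswith(("/images", "/imgres"))
        or "isch" in parse_qs(parts.query).get("tbm", [])
    )
    return match.group(1).capitalize(), "image" if is_image else "text"

def breakdown(blocks):
    """Count blocked redirects per (engine, search type)."""
    counts = Counter()
    for referrer, _blocked_url in blocks:
        counts[classify_referrer(referrer) or ("other", "n/a")] += 1
    return counts

def image_share(counts):
    """Fraction of search-referred blocks that came from image search."""
    search = {k: v for k, v in counts.items() if k[0] != "other"}
    total = sum(search.values())
    return sum(v for k, v in search.items() if k[1] == "image") / total if total else 0.0
```

As the article notes for its own figures, raw counts like these take no account of how many searches each engine handles, so they show where blocks occur rather than a per-search risk.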
Unfortunately for users, it is very hard to recognise rogue images within image search results. Can you spot the rogue images within this selection (seen from doing an image search for ‘movie outline example’)?
Actually, three of the six images shown above are rogue images that the attackers have managed to poison the search results with.
At the time of writing, clicking on any one of these results in being redirected to a malicious Blackhole exploit site (v2, naturally!).
So what can users do to protect themselves?
Clearly the redirect used in these attacks can be blocked by your security product (by detection or reputation filtering). Sophos products block the redirects as Mal/SEORed.
However, we all rely on the search engine providers managing to filter rogue links out of the search results (text and image searches). The bottom line is that we are all guilty of trusting the results we get back, and clicking through without necessarily scrutinizing the URL as closely as we might.
Unfortunately, whilst any of the popular search engines fail to filter out the rogue links, users will continue to be at risk of having their web traffic hijacked.
I get valuable information from Naked Security. It's a great service. I like that there are folks out there, somewhere, looking out for regular users. The information is succinct and easily understood by a non-techie like myself.
Not only Bing search. A few days back, a Google image search result redirected me to BHEK2.
http://www.ehackingnews.com/2012/09/google-image-…
I'd love to see the breakouts for text/image chart-wise for each search provider.
Does the Sophos for Mac AV also protect against web redirects or just downloaded files?
Thanks for the info on these type of attacks. Excellent work.
More relevant searches on DuckDuckGo or Blekko, in my opinion anyway. Otherwise, Yahoo and Bing work fine for me if needing further searching, because Google can and has had the same issues, too. I no longer use Google in any form or manner if I can help it. Just my opinion only.
I agree with DuckDuckGo and Blekko. But another one I never really knew about until recently was Yandex through the Opera browser…I thought it was much better than Google.
It'd definitely be interesting to see the ratio of blocked to non-blocked search results, because it may be the case that people use Bing for image searches more (I know I like the "infinitely-scrolling" preview window in Bing better than Google's "scroll for a while, then hit a button for more results"). Or it may be the case that, as you imply, Bing is going to need to do something better to reduce infected results.
I'm very wary of reports like this where the numbers presented don't quite justify the conclusions drawn – it smacks of playing with statistics.
I agree with your points as well. Problem with statistic reports is that some are biased not because of the person/group/etc doing the report, but what exactly they are targeting the stats for….if that makes sense.
Go to Bing and look up Valentine backgrounds, click on each one. I can only get to 3 or 4 when I get the notice; wish I could post it here, as I took a screenie. I actually landed here after searching to see if anyone else was getting frustrated over the crap! Over 1/2 the images reroute you, but I have a good malware program, because many graphics sites are full of viruses. As long as they get money from you, they refuse to clean up the ads or the viruses in the ads!
Recommend ixquick.com as a safe search engine
The way that things are going, site security is a major problem and needs more sites such as Naked Security to keep home users aware of continual security threats.