Search engine results poisoned with links to fake antivirus software have been a constant problem for Internet users. However, it is an effective way for cyber attackers to infect users’ machines. Google recently presented a research paper regarding websites that offer fake antivirus software and part of Google’s research shows that search engine results can lead to such pages. The presentation demonstrates that Google is working hard at preventing these search poisoning attempts.
According to Symantec’s Report on Rogue Security Software, the culprits of these “toxic” search results are typically scam perpetrators who use
a range of black hat search engine optimization (SEO) techniques to poison search engine results and increase the ranking of their scam websites on search engine indexes. A rogue security software program is a misleading application that pretends to be legitimate security software, but provides the user with little or no protection. In some cases, it actually facilitates the installation of malicious code that it claims to protect against.
Symantec has observed search results constantly and generated statistics on the top search trends every hour and determined how many were malicious (within the first 70 Google search results). From the findings, it was observed that hackers have a vested interest in ensuring that their attacks are effective in poisoning Google results, most likely because of its large market share—Google’s breadth and speed of indexing also play a role.
The key findings identified between March 30, 2010, and April 18, 2010, on Google search results are:
• On average at any given hour, 3 out of the top 10 search trends contained at least one malicious URL within the first 70 results.
• On average, 15 links out of the first 70 results were malicious for search terms that were found to be poisoned (had at least one malicious URL).
• On average on any given day, 7.3% of links are malicious in the top 70 results for top search terms (see Figure 1)
• The most poisoned search term resulted in 68% of links leading to malicious pages in the first 70 results
• Almost all of the malicious URLs redirect to a fake antivirus page.
The following graph shows the total number of malicious URLs (red) found in a given day versus total URLs checked (the top 70 results for the top 10 search terms each hour):
Figure 1: 7.3% of links are malicious in the top 70 results for top search terms on average on any given day.
It is apparent that the attackers continue to be effective at poisoning search results. They have an automated infrastructure that is able to automatically collect the latest, most popular search trends and poison the results. Symantec advises you to be careful when clicking on search result links, especially when searching for hot search topics. You can also follow Symantec’s Twitter feed to find out the latest news on Internet threats.
For more information, please visit Symantec’s Security Response Blog which discussed this issue.