"Search engine poisoning", or SEP, describes a cyber-criminal technique that floods search results with links to pages that redirect users to malicious websites. JUSTIN LEE, country manager of Blue Coat Systems, explains the methods used and debunks a few myths.
By optimising their own pages so that search results display links to malicious websites, cyber criminals lead innocent searchers to malware or scam destinations. The objective is to infect as many users as possible, steal their personal information and use it for financial gain, and, so far, the technique has proved very effective.
According to research from Blue Coat Security Labs, SEP was responsible for 40% of all malware entry points tracked, and is the primary method used by cyber criminals to gather users and route them to malware through malware networks (or "malnets"). Once users click on the malicious search result, they are led down a path to malware that is designed to either co-opt their system into an existing botnet or steal personal, confidential or financial information. Malnets are sophisticated, complex and dynamic infrastructures that exist far beyond any one attack. Since searching is the way most people start to navigate the web, search engines provide the perfect arena for these attacks to flourish.
This is because malnets work by hiding behind the most popular places on the internet, and search engines are exactly that. Every day, billions of people worldwide use search engines, which makes them a prime target for cyber criminals. It is also the nature of user behaviour on search engines that makes search engine poisoning such an attractive option: users are in an "explore" mode of thinking, clicking on links and going from site to site. This is precisely how criminals snare their victims: users are led to malicious websites by clicking through links on seemingly legitimate web pages, and the malware is then downloaded to the computer without their knowledge.
To spread malware via search engines, cyber criminals create "poisoned" links that will rank high in search engine results. It is a common misconception that big events such as elections, public holidays, celebrity gossip or sporting tournaments are the prime target for SEP; our research shows that this is simply not the case. Big events drive a lot of legitimate coverage from recognised news sources, so it is harder for cyber criminals to get their web pages ranked in the top 10, 20 or even 30 search results. Studies show that 94% of users click on a first-page search result, and less than 6% click on a result on the second page, which is why a top ranking is absolutely imperative for an SEP attack to succeed. For breaking news events such as a celebrity death or natural disaster, attackers understand that their malicious site will simply not be able to compete with the legitimate coverage.
Cyber criminals are therefore more successful when they hijack more mundane, everyday topics. A term such as "granny porn" may be searched for only rarely and by a relatively small number of people, but it is much easier for a malicious web page to creep up the search engine rankings for it, and if just one person clicks through, that is a success.
Of course, search engines such as Google, Yahoo and Bing are on an ongoing mission to filter out malicious content, but in spite of their best efforts, the problem is far from solved. The techniques behind these attacks are highly advanced, the perpetrators highly organised and the malnet infrastructures highly dynamic, changing far too quickly for traditional security such as firewalls and basic web filtering tools to keep pace.
Google and Bing offer a 'safe preview' mode which can help to protect users, and systems administrators can help prevent these attacks by blocking certain categories or domains with a secure gateway that intercepts traffic to and from malware sites. But to avoid falling victim to these threats, users must learn what to look out for and how to recognise whether a website is legitimate, and of course be less forthcoming with their personal details. With one in every 142 searches leading to a malicious link, it is vitally important that we dispel the myths, educate users on where these threats actually reside, and show them how to spot the danger hiding amongst the mundane.
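The gateway-side check described above, as an added example that is not from the article or from Blue Coat: a script that reads proxy-log lines, picks out requests whose Referer is a search engine results page, follows the client's 30x redirect chain through the log, and reports the click when any hop lands on a blocklisted domain. The log format, the search-engine host list, the blocklist and the sample log lines are all constructed for the example; a real gateway would use its own log schema and a maintained category or domain feed.

```python
"""Flag search-referred clicks that redirect to a blocklisted domain.

Added example (not the article's or Blue Coat's code). Assumes a simplified
proxy-log line shape:  ts client method url status referer [-> location]
"""
import re
from urllib.parse import parse_qs, urlparse

# Assumed log format for this example; real proxies differ.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<referer>\S+)(?: -> (?P<location>\S+))?$'
)

# Referer hosts treated as search engine results pages (assumed list).
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Constructed blocklist; a gateway would pull this from a category/domain feed.
BLOCKLIST = {"malware-drop.example", "pharmacy-deals.example"}

# Constructed sample log: one poisoned click that bounces through a tracker
# before landing on a blocklisted host, and one benign search click.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.1.5 GET http://cheap-tips.example/recipes.html 302 http://www.google.com/search?q=granny+recipes -> http://track.example/r?x=1
2024-05-01T10:00:01Z 10.1.1.5 GET http://track.example/r?x=1 302 http://cheap-tips.example/recipes.html -> http://malware-drop.example/update.exe
2024-05-01T10:00:02Z 10.1.1.5 GET http://malware-drop.example/update.exe 200 http://track.example/r?x=1
2024-05-01T10:00:05Z 10.1.1.6 GET http://news-site.example/front 200 http://www.bing.com/search?q=news
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def on_blocklist(host, blocklist):
    """True if host is a blocklisted domain or a subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in blocklist)


def follow_chain(entry, by_request):
    """Follow 30x hops for the same client through the log; returns URLs visited."""
    hops = [entry["url"]]
    seen = {entry["url"]}
    cur = entry
    while 300 <= cur["status"] < 400 and cur.get("location"):
        nxt_url = cur["location"]
        hops.append(nxt_url)
        if nxt_url in seen:          # redirect loop guard
            break
        seen.add(nxt_url)
        nxt = by_request.get((cur["client"], nxt_url))
        if nxt is None:              # redirect target never fetched (or blocked)
            break
        cur = nxt
    return hops


def find_poisoned_clicks(log_text, blocklist=BLOCKLIST):
    """Return one hit per search-referred request whose redirect chain hits the blocklist."""
    entries = parse_log(log_text)
    # Last request per (client, url) wins; adequate for a short window.
    by_request = {(e["client"], e["url"]): e for e in entries}
    hits = []
    for e in entries:
        ref = e["referer"]
        if host_of(ref) not in SEARCH_ENGINES:
            continue                 # only clicks that started on a results page
        chain = follow_chain(e, by_request)
        bad = [u for u in chain if on_blocklist(host_of(u), blocklist)]
        if bad:
            query = parse_qs(urlparse(ref).query).get("q", [""])[0]
            hits.append({"client": e["client"], "query": query,
                         "chain": chain, "blocked": bad[0]})
    return hits


if __name__ == "__main__":
    for hit in find_poisoned_clicks(SAMPLE_LOG):
        print(f"{hit['client']} searched {hit['query']!r}: "
              f"{' -> '.join(hit['chain'])} (blocked: {hit['blocked']})")
```

The point of walking the chain rather than checking only the clicked URL is that the poisoned page itself is usually clean-looking and hosted on an innocuous domain; the blocklisted host only appears two or three redirects later, which is exactly the hop a gateway that intercepts both directions of traffic can refuse.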