If you thought malware popups and relentless email spam were the worst of it, think again. There’s a new contender on stage and it’s spreading malware like butter in desert heat. It’s called search engine poisoning and hundreds of thousands, even millions, of people have fallen victim to it all over the globe.
Here’s the thing about malicious intent: the worst forms of villainy occur when the bad guys take something that is good and use it for evil. The search engine is a fantastic development. Without it, we wouldn’t have Google–and where would the world be without Google? But search engine poisoning is all about taking that good search engine and manipulating it to do something dastardly.
But before we can talk about the actual poisoning of search engines, we need to talk about search engine optimization.
Search Engine Optimization 101
Search engine optimization (SEO) is a legitimate tactic used by web owners to optimize their websites for search engine placement. Go to Google and search for anything–fishing, video games, clothing brands, news articles. Now, scroll down through the results. In most cases, your desired result will be on that first page.
How often do you click “Next” to skim through more results? How often have you gone to the fifth page? The tenth? My bet would be on “extremely rarely.” And that is why SEO is so valuable. The more you optimize your website, the higher it will be ranked, and the more people will visit it.
Search engines keep their search result ranking algorithms guarded well–perhaps even better protected than Colonel Sanders and his chicken recipe. However, we do know a few things about search ranking criteria:
- Cross-linking webpages within the same domain or website will increase search ranking. Similarly, if a certain page has many incoming links from outside sources, its ranking will increase.
- Search keywords and search phrases play a major role. Thus, if you want to target a particular phrase (e.g., “gardening tips”), you’ll need to repeat that phrase multiple times throughout your page(s). This is called “keyword stuffing.”
- Proper page structure (bolding, anchors, H1 tags, etc.) will help raise your ranking because it helps search engine crawlers to better parse your web content.
There are numerous other factors involved; the above were just examples to show you a glimpse of what SEO is about.
Poisoning Search Results
Now that you know about SEO, we can move on to search engine poisoning (SEP). SEP is a method that malicious spammers use to quickly spread malware around the Internet. Remember how I mentioned malware popups and email spam? Well, SEP is on a whole other level.
SEP can be viewed as a corruption of SEO. Whereas legitimate websites use SEO to gain higher rankings in a search engine, malware producers use SEO to place their malware-spreading websites high in search engine results. Most web users tend to trust the first page of a Google search, and that makes it a prime location for catching users off guard.
So in theory, you could search for “shiny black shoes” and click on the third link in the results and be taken to a malicious website that installs something terrible onto your computer. In actuality, the scenario is a little worse than that.
SEP specialists are very quick to adapt to a frequently-changing environment. That’s why they will target specific keywords that are extremely popular in order to maximize their page hits. Think about when Osama bin Laden was killed or when the iPhone 4S was released. Millions of people around the world were searching for those terms–and poisoned search results ended up infecting many users with malware.
How To Protect Against SEP
In one case, Imperva disclosed information regarding a particular SEP campaign that lasted 15 months without detection by search engines. Upon hearing this, you might be shocked, frightened, or angry. Search engines should protect their users against this kind of trickery, right?
But it’s not that easy. Due to advancements in technology, SEP websites can detect whether a visitor to their website is a genuine person or a search engine crawler. If it’s a crawler, they’ll display a fully legitimate website and the crawler won’t know any better. If it’s a genuine user, he’ll be bombarded with malware.
Furthermore, search engine poisoning specialists can exploit vulnerabilities in popular websites and inject malicious code that redirects their users to the malware-infested website. Most of the time, this is done through cross-site scripting (XSS) vulnerabilities. And in this case, Google already sees those websites as legitimate, making it that much harder to distinguish true websites from SEP-malware-spreading websites.
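The crawler-versus-visitor split and the injected redirect described above can be checked from the defender's side by comparing two fetches of the same page. The sketch below is an added example, not code from Imperva or any search engine; the two captured responses, the host names and the 0.6 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed captures of one URL: fetched once presenting a crawler
# User-Agent, once as a browser arriving from a search results page.
CRAWLER_VIEW = {
    "status": 200,
    "location": None,
    "body": "<html><h1>Shiny black shoes</h1><p>Care tips and reviews for shiny black shoes.</p></html>",
}
USER_VIEW = {"status": 302, "location": "http://scan.example.net/alert", "body": ""}

META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh[^>]+url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def redirect_targets(resp):
    """Collect every URL the response would send a visitor to."""
    targets = []
    if resp["status"] in (301, 302, 303, 307, 308) and resp["location"]:
        targets.append(resp["location"])
    targets += META_REFRESH.findall(resp["body"])
    targets += JS_REDIRECT.findall(resp["body"])
    return targets

def cloaking_findings(page_url, crawler, user, min_similarity=0.6):
    """Return the reasons the two views of page_url look cloaked."""
    host = urlparse(page_url).hostname
    findings = []
    crawler_targets = set(redirect_targets(crawler))
    for target in redirect_targets(user):
        target_host = urlparse(target).hostname
        # A redirect only real visitors receive, leaving the site's own host.
        if target_host and target_host != host and target not in crawler_targets:
            findings.append(f"user-only off-domain redirect to {target_host}")
    # Very different bodies for the same URL are the other cloaking signal.
    ratio = SequenceMatcher(None, crawler["body"], user["body"]).ratio()
    if ratio < min_similarity:
        findings.append(f"body similarity {ratio:.2f} below {min_similarity}")
    return findings

if __name__ == "__main__":
    for reason in cloaking_findings("http://shoes.example.com/black", CRAWLER_VIEW, USER_VIEW):
        print(reason)
```

A site that cloaks by the crawler's IP address rather than its User-Agent will return the same content to both fetches from one machine, so an empty result here does not prove a page is clean.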
So until search engines can find a way to combat this problem, you will need to protect yourself. Here are some ways you can do that.
- Learn to identify websites that might be destinations for an SEP campaign. Warning signs include lots of popup ads, suffocating web ads, and especially “scareware portals” that trick you into thinking you already have malware and prompt you to install their “antivirus”.
- When searching for popular topics, you should directly type the URL of notable websites into your browser. Try to rely less on clicking search engine results.
- Enable your browser’s security features now. If you visit a website and your browser warns you that it might be fishy, leave right away.
- Make sure your antivirus, antimalware, and firewall programs are all up-to-date.
- Zscaler has created an addon/extension that aims to protect users against poisoned search results. You can grab it for Firefox and Chrome.