Search engine poisoning: what it is, how it’s done, and how we can stay safe

Two of the biggest threats on the internet today are false AV (rogueware) and false codecs (download this new video codec to see our latest video). Both depend on getting users to visit a malicious or at least compromised server from which they can be tricked into downloading the malware.

Security company Imperva’s latest Hacker Intelligence Initiative report describes one popular and successful method used by the hackers to achieve this: search engine poisoning (SEP). SEP is the manipulation of search engines so that a perfectly legitimate Google (or other search engine) query will produce genuine looking results that in reality take the user to the malicious server.

Noa Bar Yosef, Senior Security Strategist at Imperva

Noa Bar Yosef, Senior Security Strategist at Imperva, explained the process to me. The first step is clearly to develop the server/site that will deliver the malware. But then the hacker has to get people to visit it. This is the purpose of the SEP – to manipulate the Google ranking of the malicious site so that it appears high in Google’s search returns.

One method involves the use of XSS vulnerabilities to provide huge numbers of poisoned URLs. Google’s ranking bots then simply index the URLs; and because there are so many, deliver a high ranking. It involves a process known as Google hacking to discover the vulnerabilities. Google’s advanced search features can be used to discover many things; in this case to deliver a list of pages vulnerable to XSS. Pages that will accept user input without adequately sanitizing that input are the target.

For the next step, cast your mind back to the Kate Middleton bean saga just prior to the royal wedding. A bean was discovered that bore an image with an uncanny resemblance to Kate (personally I thought it looked more like Camilla). The Independent newspaper ran the story – with an URL that read ‘…/kate-middleton-jelly-bean-expected-to-fetch-500/pageid’. But a reader tweeted the story with a different URL: ‘…/utter-PR-fiction-but-people-love-this-shit-so-fuck-it-lets-just-print-it/pageid’. And as the Daily Mail reported:

This version quickly rose up the Google index rankings as it was forwarded between friends and colleagues on email and retweeted more than 600 times.

Before long the top link from a search for ‘Independent’, ‘Kate Middleton’ and ‘Jelly Bean’ had the rude URL.
Embarrassment for The Indy after crude URL appears on Kate Middleton story

The point to remember here is that it was the content of the URL, rather than the content of the page, that was indexed by Google; so that Google searches for those keywords returned that URL. This is the process exploited in SEP. The bad guy selects his keywords (something that is newsworthy and of mass interest at the time, such as Kate Middleton, the death of a famous person, a huge natural disaster, a new war, a major sporting event, etc), and injects an URL containing the relevant keywords into the internet via the XSS vulnerabilities. If he does so enough times, that URL will rise in Google’s rankings. The target is to get the URL onto Google’s top page, so that any innocent user subsequently searching for news on the event will find the poisoned URL, consider it to be safe, and get sent to the malicious server.

Google has become pretty good at locating and removing such poisoned URLs, but many get through for a short time, and some even persist. As the Imperva report comments,

The observed attack was extremely successful, and continued to run for at least 15 months without any apparent counter-measures employed by search engines.
Hacker Intelligence Initiative, Monthly Trend Report #2

So, what can we do about SEP? Webmasters need to take more care to ensure that this cannot happen via their own site. Here the products and services of companies such as Imperva can be invaluable. But as users we also need to take our own precautions by using security features built-into or added onto our browsers. Firefox with M86’s SecureBrowsing add-on (free!) will tell us if the target site is malicious; and the NoScript add-on (free!) will prevent any malware running even if we do go there.

Imperva
SecureBrowsing
NoScript