Google Poisoned Links are Bitter Indeed

3/17/2008


Reports emerged this week from a Holland-based internet security consultant, Dancho Danchev, of a new technique - known as poison Google links - being used by hackers attempting to use legitimate Google searches as a vector to smuggle malware onto the machines of unsuspecting users.

So far the poisoned Google links all contain the string “IFRAME SRC=//” followed by an IP address, most recently and commonly 72.232.39.252, but that could change in a heartbeat.

[Image: example of a poisoned Google link search result]

The technique exploits a common method that many sites use to assist search bots. User-entered search strings are retained and made available to the bots, which index them and later include them in the search results provided to other users. The hackers targeted several CNET-owned sites, among them ZDNet Asia and TorrentReactor, filling in the search box with the names of frequently-sought actresses. Except they added HTML iframe text containing the payload - links to sites that, when accessed, attempted to download malicious software with innocent-sounding names, like XP Antivirus 2008 and Spy Shredder Scanner. Don’t be confused, gentle reader, for these are rogues and trojans.
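The site-side weakness described above, shown next to its fix, as an added example that is not code from any of the affected sites. The function names, the page template and the sample query (which uses the documentation-only address 192.0.2.10) are assumptions made for illustration.

```javascript
// Added illustration; function names and the page template are hypothetical.
// Constructed sample query; 192.0.2.10 is a documentation-only address.
const sampleQuery = 'famous actress <IFRAME SRC=//192.0.2.10>';

// Escape the characters that can switch HTML context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: the retained query is copied verbatim into the cached page, so a
// crawler indexes a title carrying the markup and a browser renders the frame.
function renderCachedSearchUnsafe(query) {
  return `<title>Search results for ${query}</title>\n` +
         `<h1>Results for ${query}</h1>`;
}

// After: the query is escaped at output time and stays inert text.
function renderCachedSearchSafe(query) {
  const q = escapeHtml(query);
  return `<title>Search results for ${q}</title>\n<h1>Results for ${q}</h1>`;
}

// Second control: retain a query for crawlers only when it looks like plain
// search terms; anything carrying angle brackets is answered but never cached.
function mayRetainForCrawlers(query) {
  return query.length <= 80 && !/[<>]/.test(query);
}

console.log(renderCachedSearchUnsafe(sampleQuery));
console.log(renderCachedSearchSafe(sampleQuery));
console.log('retain for crawlers:', mayRetainForCrawlers(sampleQuery));
```

Escaping on output is the primary fix; the retention check only keeps hostile strings out of the pages that bots are invited to index.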

Google has long attempted to identify sites that host malware, and to warn users who click on a suspect URL returned by a search. Yet its best efforts can only slow down, not prevent, the online criminals, who in trying to gain control of your machine increasingly prefer to get in by compromising legitimate sites with iframe injection exploits like this one. Indeed, this new exploit is most effective when targeted at legitimate sites having high page ranks. It was reported this week that between 20,000 and 50,000 poisoned Google links were present on the ZDNet Asia site alone, with another 50,000 poisoned links at TV.com and a smaller number for News.com and MySimon.com.

So, Windows users, if you see in your returned Google search the telling “IFRAME SRC=//” followed by an IP address, don’t - whatever you do, DON’T - click on the link, for it is almost certainly a poisoned link. Instead, click gently on the back button in your browser and breathe a sigh of relief at your narrow escape.
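The check the article asks readers to make by eye can be automated. The following is an added example, not code from the article or from Google; it also catches percent-encoded and entity-encoded forms of the indicator, which goes slightly beyond the literal string quoted above. The result objects, host names and addresses are constructed.

```javascript
// Added illustration; names and sample results are constructed.
// 192.0.2.0/24 and 198.51.100.0/24 are documentation-only ranges.

// "IFRAME SRC=//" then a dotted quad: any case, optional quote, optional scheme.
const IFRAME_IP =
  /iframe\s+src\s*=\s*["']?(?:https?:)?\/\/((?:\d{1,3}\.){3}\d{1,3})(?![\d.])/i;

// Undo percent-encoding and basic HTML entities so encoded forms also match.
function normalize(text) {
  let out = String(text).replace(/\+/g, ' ');
  try { out = decodeURIComponent(out); } catch (e) { /* malformed %: keep as is */ }
  return out.replace(/&lt;/gi, '<').replace(/&gt;/gi, '>').replace(/&quot;/gi, '"');
}

// Return the embedded IPv4 address, or null if the indicator is absent.
function findInjectedIp(text) {
  const m = IFRAME_IP.exec(normalize(text));
  if (!m) return null;
  const octetsOk = m[1].split('.').every((o) => Number(o) <= 255);
  return octetsOk ? m[1] : null;
}

// Check the title and URL of every result; return the ones to warn about.
function flagPoisonedResults(results) {
  const flagged = [];
  for (const r of results) {
    const ip = findInjectedIp(r.title) || findInjectedIp(r.url);
    if (ip) flagged.push({ url: r.url, ip });
  }
  return flagged;
}

const sampleResults = [
  { title: 'famous actress <IFRAME SRC=//192.0.2.10> - Search',
    url: 'https://news.example/search?q=famous+actress' },
  { title: 'Search results',
    url: 'https://tv.example/s?q=%3Ciframe%20src%3D%22http%3A%2F%2F198.51.100.7%2Fx%22%3E' },
  { title: 'HTML reference: the iframe src attribute', url: 'https://docs.example/iframe' },
  { title: 'Embed <iframe src=//video.example/player>', url: 'https://blog.example/embed' },
  { title: '100% free <IFRAME SRC=//999.1.1.1>', url: 'https://odd.example/' },
];

console.log(flagPoisonedResults(sampleResults));
```

Only the first two sample results are flagged: an iframe pointing at a host name, a page that merely mentions the attribute, and a string that is not a valid IPv4 address are all left alone.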


5 Comments »

  1. Perhaps some enterprising techie could come up with a utility (widget, gadget, add-in, plug-in, or whatever) that would automatically warn the user that such a string is in the search results.

    Comment by Frank Fleischer — 3/17/2008 @ 10:30 am

  2. Seems to me the answer is simple, Google just filters out all search return results with the telltale “‘IFRAME SRC=//’ followed by an IP address” in them! Better safe and slightly inconvenienced than sorry.

    Comment by S. Phibber McGee — 3/18/2008 @ 10:00 am

  3. To the comment posted by S. Phibber McGee:

    Yours is an interesting idea, but there could be a legal reason why such a construct would be perfectly ok. What should Google do in these situations? Even maintaining a blacklist of IP numbers is non-trivial.

    Comment by Grumpy Old Man — 3/19/2008 @ 7:59 pm

  4. Surely if this is widespread, which it clearly is, then Google are going to have to filter such links out, unless there’s another way to detect such practices. Also, this hasn’t just affected Google’s regular results, but those powered by Google’s search appliance too!

    Comment by SEO-Alchemist — 3/29/2008 @ 8:15 pm

  5. Maybe “activate” all the FBI listed ex-mafia and employ them to “visit” the people who keep pulling all the crap with virusware, malware etc etc.

    Comment by phased — 4/17/2008 @ 1:12 pm

The Internet Patrol
Patrolling the Internet for You!