Reports emerged this week from a Holland-based internet security consultant, Dancho Danchev, of a new technique – known as poison Google links – being used by hackers attempting to use legitimate Google searches as a vector to smuggle malware onto the machines of unsuspecting users.
So far the poisoned Google links all contain the string “IFRAME SRC=//” followed by an IP address, most recently and commonly 72.232.39.252, but that could change in a heartbeat.
Example of poisoned Google link search result:
The technique exploits a common method that many sites use to assist search bots. User-entered search strings are retained and made available to the bots, which index them and later include them in the search results provided to other users. The hackers targetted several CNET-owned sites, among them ZDNet Asia and TorrentReactor, filling in the search box with the names of frequently-sought actresses. Except they added HTML iframe text containing the payload – links to sites that when accessed attempted to download malicious software with innocent-sounding names, like XP Antivirus 2008 and Spy Shredder Scanner. Don’t be confused, gentle reader, for these are rogues and trojans.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Google has long-attempted to identify sites that host malware, and to warn users who click on a suspect URL returned by a search. Yet their best efforts can only slow down and not prevent the online criminals, who in attempting to gain some control of your machine have come increasingly to prefer to gain their access through compromising legitimate sites, using such iframe injection exploits. Indeed, this new exploit is most effective when targeted at legitimate sites having high page ranks. It was reported this week that between 20,000 and 50,000 poisoned Google links were present on the ZDNet Asia site alone, with another 50,000 poisoned links at TV.com and a smaller number for News.com and MySimon.com.
So, Windows users, if you see in your returned Google search the telling “IFRAME SRC=//” followed by an IP address, don’t – whatever you do, DON’T – click on the link, for it is almost certainly a poisoned link. Instead, click gently on the back button in your browser and breath a sigh of relief at your narrow escape.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Google now have the “this site may be dangerous” warning that is put on any pages which have been reported for this type of thing. Has definately made surfing a lot safer and I get less calls from friends and family moaning about virus’ etc.
Maybe “activate” all the FBI listed ex-mafia and employ them to “visit” the people who keep pulling all the crap with virusware, malware etc etc.
Surely if this is wisesrpead, which it clearly is, then Google are going to have to fitilter such the links out, unless there’s another way to detect sauch practices. Also, this hasn’t just affected Google’s regular results, but those powered by Google’s search appliance too!
To the comment posted by S. Phibber McGee:
Yours is an interesting idea, but there could be a legal reason why such a construct would be perfectly ok. What should Google do in these situations? Even maintaining a blacklist of IP numbers is non-trivial.
Seems to me the answer is simple, Google just filters out all search return results with the tell tale ““IFRAME SRC=//â€? followed by an IP address” in them! Better safe and slightly inconvienced than sorry.
Perhaps some enterprising techie could come up with a utility (widget, gadget, add-in, plug-in, or whatever) that would automatically warn the user that such a string is in the search results.