Searching for Security

Search engine results are increasingly leading to malware infection
Graham Cluley, Sophos

“Search engines are like a door into the internet”, says Carl Leonard, security research manager at Websense. “People immediately jump to popular search engines to get access to information.” This, he says, is something that those with malicious intentions know to exploit.

Sophos’ senior technology consultant Graham Cluley explains further. “The issue most of us face as we’re using search engines all the time is that hackers are exploiting the wide breadth that search engines have, to try and spread infections.”

Search engines, however, are increasingly trying to mitigate the risks. “If you google something and some of your search results are web pages that contain malware or phishing pages, there is a chance that the search engine will mark those as potentially harmful”, Cluley says.


It’s in a search engine’s best interest to try and protect their users against various threats appearing through search results. “They want people to use their engine over and over again; they don’t want the users to have a bad experience and blame the search engine for taking them somewhere unpleasant, even though it’s not really the search engine’s fault as such”, he adds.

Although search engines have filters in place to protect users, some sites will invariably fall through the net, and Cluley warns that people should not rely solely on search engines for their malware protection, but install their own anti-malware and security software.

The SEO Threat

There’s an increasing trend of hackers using search engine optimization (SEO), a set of techniques for pushing a site as high as possible in the results for chosen search terms, to lure users to malicious websites. Telling the two apart is complicated because search engine optimization is also used by legitimate websites such as CNN to attract readers to their news stories.

SEOing is the art of repeating keywords and having outgoing and incoming links in order to appear high in search results on chosen search terms.

“When a celebrity dies, the hackers almost instantly set up web pages designed to be attractive to search engines covering that topic”, Cluley tells Infosecurity. “And if you go to those pages, you get hit by fake anti-virus software, or scareware.”

Websense’s Leonard reports that when Windows 7 was announced, there were instantly links interjected between real Microsoft sites in search results offering Windows 7 downloads, where the malicious sites unleashed rogue anti-virus.

“It’s a difficult one to approach in terms of how users can be protected from this because these sites are set up very quickly to react to any event or any topical news item that people are likely to search for.” Leonard says that users therefore need to have up-to-date security solutions in place.

He believes the hackers understand the algorithm of search engines in terms of SEOing and that these rogue websites are a problem that “won’t give way any time soon”.

Search engine Ask monitors internet protocol (IP) addresses for signs that a specific IP address is hosting a spammer or hacker so that these can be shut down. Christine Vonderach, vice president UK product and technology at Ask, explains that the search engine uses filters to let people know about potentially harmful sites, and that in order to actually get to these sites, users have to click their way through Ask’s warnings.

She says that Ask does not want to provide users with sites that are not what they appear to be, and that “we look at removing parked domains on a periodic basis”.

Vonderach explains that new websites with instantly high visitor numbers set off alarm bells. “Something like that would probably be flagged by the system to be taken a look at by an editor to see if it’s a legitimate new launch of a site, or if it’s something that’s very opportunistic in terms of what they’re doing.”

Just like other search engines, Ask has crawlers constantly searching the internet for new and updated content, “and we have some proprietary software that helps us understand if something looks like it’s a suspicious site”, says Vonderach.

These algorithms are constantly moderated and updated, Vonderach says, but adds that “nothing is 100% accurate”. Ask therefore uses multiple systems to look at threats from a different perspective to keep users as safe as possible.
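The flagging rule Vonderach describes, a brand-new site that immediately draws heavy traffic, is easy to express as a review filter. The example below is an illustration written for this article, not Ask’s software: the visit log, the first-seen dates, the seven-day window and the 5,000-visit threshold are all constructed, and the output is a queue for an editor to look at rather than an automatic takedown.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the article): one row per (domain, day, visits).
SAMPLE_VISITS = [
    ("news.example.com", date(2009, 11, 1), 12000),
    ("news.example.com", date(2009, 11, 2), 12500),
    ("win7-free-download.example.net", date(2009, 11, 2), 9000),   # brand new, instant traffic
    ("win7-free-download.example.net", date(2009, 11, 3), 15000),
    ("small-blog.example.org", date(2009, 11, 3), 40),              # brand new, little traffic
    ("celeb-news-today.example.net", date(2009, 11, 3), 7000),     # brand new, instant traffic
]

# Constructed first-seen dates: when the crawler first indexed each domain.
FIRST_SEEN = {
    "news.example.com": date(2005, 3, 10),
    "win7-free-download.example.net": date(2009, 11, 2),
    "small-blog.example.org": date(2009, 11, 3),
    "celeb-news-today.example.net": date(2009, 11, 3),
}

NEW_SITE_WINDOW = timedelta(days=7)   # assumed: "new" means first seen within the last week
VISIT_THRESHOLD = 5000                # assumed: daily visits that count as "instantly high"


def peak_daily_visits(visits):
    """Collapse the log to the highest single-day visit count per domain."""
    peak = defaultdict(int)
    for domain, _day, count in visits:
        peak[domain] = max(peak[domain], count)
    return dict(peak)


def flag_new_high_traffic(visits, first_seen, today,
                          window=NEW_SITE_WINDOW, threshold=VISIT_THRESHOLD):
    """Return a list of review tickets, highest traffic first, for domains that were
    first seen within `window` of `today` and exceeded `threshold` visits on some day.
    Domains the crawler has not recorded yet are skipped rather than guessed at."""
    tickets = []
    for domain, peak in peak_daily_visits(visits).items():
        seen = first_seen.get(domain)
        if seen is None:
            continue
        age = today - seen
        if age <= window and peak > threshold:
            tickets.append({
                "domain": domain,
                "peak_visits": peak,
                "days_since_first_seen": age.days,
                "reason": "new site with instantly high traffic; editor review",
            })
    tickets.sort(key=lambda t: t["peak_visits"], reverse=True)
    return tickets


if __name__ == "__main__":
    for ticket in flag_new_high_traffic(SAMPLE_VISITS, FIRST_SEEN, date(2009, 11, 3)):
        print(ticket)
```

The established news site and the quiet new blog both pass untouched; only the two young domains with sudden traffic reach the review queue, which is the point of combining age with volume rather than alarming on either alone.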

Warning Signs

Cluley points out that hackers actually use search engines to find vulnerabilities in website code. “They have automated tools which look for vulnerabilities in web pages, and they can do that using a slightly more complicated search command in Google or Yahoo! to find vulnerable sites”, Cluley says. They simply search for a phrase or piece of code they know contains a vulnerability.

Many highly respected websites, including the American Embassy in St. Petersburg, have been hacked at one time or another and had malicious code put up on them. As Cluley says, “No one will criticize you for visiting any of those sites for information, the only thing you can do is rely on your anti-virus software being up to date.”

Google also identifies compromised websites as a great threat to users. Without even clicking on anything, users can be infected with malware that could steal passwords, personal information and/or make a user’s computer a zombie in a botnet, Ian Fette, product manager at Google, tells Infosecurity.

Google looks at websites and if it finds something that looks like it could be compromised by malware, the site is automatically loaded onto a virtual computer to see if it is harmful. If it is found to contain malware, a warning is posted on Google’s search result pages.


“We also give that data to the browsers: Safari, Firefox and Google Chrome, so if you browse this website by typing in the address, or select one of your bookmarks, you will still be protected against this threat”, Fette asserts.

“I think that’s key, because often [the compromised sites are those] that people know, and are familiar with – be it a news site, banking site or a government site – sites that people trust and expect to be safe”, Fette says.

Google does not, however, scan websites for malware in real time, “but what happens is that whenever we discover a new page, that gets added into the index. It gets queued up in our malware pipeline so it will get scanned after a period of time, and then we’ll periodically rescan it”, Fette explains.
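Fette’s point that a downloaded copy of the list protects users who type an address or open a bookmark depends on the browser being able to check a URL locally. The example below is an illustration written for this article, not Google’s Safe Browsing implementation or its API: it assumes a list published as short hash prefixes, a client that canonicalizes the URL, hashes it and only contacts the list publisher when a prefix matches, and a toy publisher class standing in for the server. The canonicalization rules and the blocked URLs are constructed.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit

PREFIX_LEN = 4  # assumed: bytes of each hash that the downloadable list carries


def canonicalize(url: str) -> str:
    """Normalize a URL so trivial variants (case, fragment, default port, empty path)
    hash identically. Simplified rules chosen for this example."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower() or "http"
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))  # fragment dropped


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonicalize(url).encode("utf-8")).digest()


class BlocklistPublisher:
    """Toy stand-in for the list server: keeps full hashes of flagged URLs, hands out
    prefixes for download, and resolves a prefix to its full hashes on request."""

    def __init__(self, bad_urls):
        self._full = {full_hash(u) for u in bad_urls}

    def download_prefixes(self):
        return {h[:PREFIX_LEN] for h in self._full}

    def resolve(self, prefix):
        return {h for h in self._full if h.startswith(prefix)}


class BrowserClient:
    """Local check: most URLs are cleared against the prefix set without any network
    request, so the URL itself never leaves the client unless a prefix matches."""

    def __init__(self, publisher):
        self.publisher = publisher
        self.prefixes = publisher.download_prefixes()
        self._cache = {}
        self.remote_lookups = 0

    def is_blocked(self, url: str) -> bool:
        h = full_hash(url)
        prefix = h[:PREFIX_LEN]
        if prefix not in self.prefixes:
            return False
        if prefix not in self._cache:           # prefix hit: fetch full hashes once
            self._cache[prefix] = self.publisher.resolve(prefix)
            self.remote_lookups += 1
        return h in self._cache[prefix]          # a prefix collision still resolves to "safe"


if __name__ == "__main__":
    # Constructed blocked URLs for the demonstration.
    publisher = BlocklistPublisher(["http://fake-av.example.net/scan.php",
                                    "https://win7-dl.example.org/"])
    client = BrowserClient(publisher)
    for u in ["http://FAKE-AV.example.net/scan.php#top", "https://www.example.com/"]:
        print(u, "blocked" if client.is_blocked(u) else "ok")
```

Canonicalization matters as much as the hash: without it a capitalized host or a trailing fragment would slip past the list, which is exactly the kind of trivial variation a malicious page can present.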

The Temporary Black List

Ask does not warn websites when they have been compromised. Vonderach tells Infosecurity that “there are hundreds of millions of websites, so we don’t reach out to any of them. We do have processes in place though if someone was to notify us that something is malicious or incorrectly categorized.”

Furthermore, if something is blocked, it is not blocked for life, she says.

Google takes another approach. Fette says, “We definitely understand that to be compromised is not a fun experience and horrible from a webmaster’s perspective.”

When Google identifies a website as compromised, it sends out emails to addresses found around the affected domain. If the site uses Google Webmaster Tools, they’ll also get a notification there. The Webmaster Tool has the ability to identify where on the website the malware is located.

Google automatically re-scans sites after a period of time, but this is not done every five minutes, Fette says. “We wait for the webmaster to notify us that they’ve cleaned up the site, and that will cause the site to be re-scanned much quicker so that we can remove it from the [black] list as soon as possible.”
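The two behaviours Fette describes, periodic re-scanning on a slow schedule and an immediate re-scan once the webmaster reports a clean-up, are a scheduling problem: the clean-up notice has to jump the queue without leaving stale entries behind. The class below is an added illustration for this article, not Google’s pipeline; it assumes a heap keyed on the next scan time, a per-site version number to invalidate superseded entries, and a caller-supplied `scan` function that returns whether the site is still infected. Times are plain integers (days) and the sites are constructed.

```python
import heapq


class MalwareRescanQueue:
    """Blocklist with scheduled re-scans. `flag` schedules a routine re-scan after
    `rescan_interval`; `notify_cleaned` reschedules the site for immediate re-scan;
    `tick` runs every scan that is due and drops sites that come back clean."""

    def __init__(self, rescan_interval):
        self.interval = rescan_interval
        self.blocklist = set()
        self._heap = []        # entries: (due_time, version, site)
        self._version = {}     # site -> latest version; older heap entries are stale

    def _push(self, site, when):
        version = self._version.get(site, 0) + 1
        self._version[site] = version
        heapq.heappush(self._heap, (when, version, site))

    def flag(self, site, now):
        """Add a site found infected and schedule its routine re-scan."""
        self.blocklist.add(site)
        self._push(site, now + self.interval)

    def notify_cleaned(self, site, now):
        """Webmaster says the site is clean: re-scan as soon as possible.
        Unknown sites are ignored so a notice cannot create list entries."""
        if site in self.blocklist:
            self._push(site, now)

    def tick(self, now, scan):
        """Run all due scans. `scan(site)` returns True while the site is still infected.
        Returns the sites actually re-scanned during this tick."""
        rescanned = []
        while self._heap and self._heap[0][0] <= now:
            _due, version, site = heapq.heappop(self._heap)
            if self._version.get(site) != version or site not in self.blocklist:
                continue   # superseded by a newer schedule, or already removed
            rescanned.append(site)
            if scan(site):
                self._push(site, now + self.interval)   # still infected: keep listed
            else:
                self.blocklist.discard(site)             # clean: off the list
        return rescanned


if __name__ == "__main__":
    q = MalwareRescanQueue(rescan_interval=7)
    q.flag("compromised.example", now=0)
    q.notify_cleaned("compromised.example", now=1)
    print(q.tick(1, scan=lambda site: False), q.blocklist)   # re-scanned on day 1, removed
```

Because the version check discards the older routine entry, a site that was cleaned and removed is not accidentally re-scanned or re-listed when its original day-7 entry surfaces.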

Both search engines say they cooperate with the security industry in one way or another.

Ask, for example, works with the EU’s data security regulations. “We work with them to make sure that all our systems are compliant with storing personal data”, and that users have the ability to opt out of their data being collected, Vonderach says.

Fette assures that Google makes all of its data available. “We have something called the Safe Browsing API where anyone can go and download a copy of this list so they can use it either for security research or even provide us an insight to one of their products if they want us to help protect their users.”

Fette adds that Google works with domain registrars and a number of other organizations to help notify webmasters when a site has been compromised, assist security research and to help protect users through sharing information on potential threats.

Staying Secure Online

So what can users do to stay safe when using search engines?

Leonard says Websense has several security solutions to address this issue. One is a hosted solution: a user’s request for a URL is sent to Websense to be checked, and the content is delivered to the user only if it passes; otherwise the user receives a message saying the content is not safe.

There is also a gateway solution where content is scanned in real time, something that is becoming increasingly important as dynamic websites are changing rapidly, especially where there is user-generated content.

Leonard adds: “If you get an offer or you think something is too good to be true, alarm bells should ring in your mind.”

Vonderach echoes Leonard, and adds that users should never follow links asking for any kind of personal data, and that software, browsers and security applications should be kept up to date.

Ask is also working together with other companies on giving users ‘safe’ search guidelines, especially aimed at younger users.

Fette agrees with the aforementioned, and adds that Google has a Google Online Security Blog to help both webmasters and users. “We did a series of events for the National Cyber Security Awareness Month in October in the United States. We do try to reach out and let users know what they can do to help keep themselves safe online”, Fette says.

Privacy Concerns

In terms of privacy concerns regarding what search engines store on users, Ask says its website is more or less anonymous, and that the few times user-specific data is collected, that data is anonymized. Users can also employ the ‘AskEraser’ feature to delete search cookies or opt not to store cookies from the site.

Google is well known for storing data on users, but Fette insists that the search engine has “very strict policies around who can access logged data”. Google also has a privacy team looking at privacy impacts and whether certain types of data should be logged at all.

“We realize that people place a lot of trust in Google, and if we ever violate that trust, that would be extremely bad for us. We take users’ privacy and security of their data extremely seriously”, Fette says.

“It’s one of the core principles here at Google that we can never violate the user’s trust.” Fette stresses that Google has many internal controls, both on how data is protected from outside attack and on who can actually access user data internally.

The Direct Threat

Direct attacks against search engine systems are not as prevalent as attacks against users. Sophos’ Cluley says that there have been a few attempted denial of service (DoS) attacks and that a few years ago there were viruses using popular search engines to gather information, interrupting regular services.

“It’s quite hard to actually interfere with and bring down search engines these days because most of them have pretty good resources”, says Cluley. “An attack on a search engine isn’t actually in the interest of the typical financially motivated hacker, because they want to make money out of lots of victims – bringing down Google frankly does not help them”, Cluley asserts.

Both Ask and Google confirm this. Ask, like any technology company, has to protect itself against hacks against its internal system, says Vonderach.

“We do a lot of back-end security in terms of securing our internal systems from being hacked. We use SSL and VPN to authenticate users in any of our production environments around the world, so we have them blocked and locked down pretty tightly. Then on top of that we do monitoring of the site, so if for some reason there was somebody who could hack through that, we would be alerted immediately that something unusual or something bad was happening.”

Vonderach adds that securing Ask is not a one-time effort, but an ongoing project. “Once you’ve got one door shut, hackers and spammers are always looking for another, different door that opens.”

Google has also experienced attempted hacks and people trying to take down the service, “but we have a very sophisticated infrastructure to help protect against these threats, and we also have a very large infrastructure. So, for the most part, these attacks are never actually visible to end users”, says Fette.

He says that the previously mentioned SEOed malware or spamming sites are actually much more of a threat to Google. If a spammer site gets highly ranked, “it means our users are going to end up on a page that is perhaps not harmful to them, but is not going to give them the information they’re looking for. So we do view that as an attack against our service, someone trying to degrade the quality of our search result.”

In summary, Cluley says the biggest threat for search engine users at the moment is web-based malware with hackers using search engine optimization techniques.

Cluley says search engines, including Google and AOL, are working with the security industry through Stop Badware where search engines, Microsoft and computer security companies are sharing information on new malicious websites, viruses and trojans.

“There’s a lot of scanning to try and determine whether a web page is infected. Of course, a web page which isn’t infected now might be infected by the end of this sentence.” This is why users need to protect themselves instead of only relying on the search engines’ security measures. “You should be running anti-virus software, you should be up to date, you also need a good dollop of common sense.”

Google says phishing, malware-infested websites and spam sites are internet-wide problems affecting all search engines. “There’s certainly work to be done by webmasters, other search engines and browsers. We’re trying to do our part and give information to other people to help them do their part as well”, Fette says.

Ask’s Vonderach says its service “is a live and continuous system that is basically out there looking at the different sites. And things are changing. One of the challenges for a search is trying to keep up with how the web is growing and keep up with the new sites and the changing sites that are out there.”

Leonard at Websense notes: “As soon as there’s new technology, as soon as new features come along, new ways of working with the web will come along and these will be used by malware authors in due course when they see a benefit in doing that.”

“There’s always going to be something new that the malware authors will adapt to”, he concludes.


For More Information: Stop Badware; AskEraser


What’s hot on Infosecurity Magazine?