Google image search poisoning added to cybercriminal's arsenal

According to Bojan Zdrnja, a security researcher with the Internet Storm Centre, whilst Google has been doing a good job in weeding out image search links that lead to infected images, many are now starting to get through to end users.

The process of infection, he says, is relatively simple and involves the hackers compromising a legitimate site - usually by attacking a WordPress installation.

"Once the source (legitimate) web sites have been exploited, the attackers plant their PHP scripts", he says, adding that these vary from simple to very advanced scripts which can automatically monitor Google trend queries and create artificial web pages containing information that is currently of interest.

"If you ever wondered how they had those web sites about Bin Laden up so quickly, it is because they automatically monitor the latest query trends and generate web pages with artificial content", he explains in his latest security blog.

These sites, he says, contain text and images scooped up from various web sites, and then embed malicious links to pictures which are related to the topic, meaning the automatically generated web page contains real-looking content.

Then, as Google spiders the web, the hacker scripts "see" the Google bots from their IP address and deliver specially generated content.

Because Google auto-parses the links to images and, if appropriate, populates the image search database, a user who searches via the Google image search function is shown what look like conventional picture thumbnails.

But when the user clicks on the thumbnail, the exploit triggers and the script routes the user to an infected page.

"As we can see, the whole story behind this is relatively simple (for the attackers)," he says, adding that the best protection is to install a Firefox addon like NoScript.

This won't stop the problem, Infosecurity notes, as that is really in Google's ballpark, but it will stop the malware script from executing in an effective manner.
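For site owners, the cloaking described above leaves a trace in the web server's own access log: the same URL answers Google's crawler one way and visitors arriving from Google results another. The following is an added example, not code from the article or from Zdrnja's blog; the log lines and paths are constructed, and identifying the crawler by User-Agent and using a fivefold size gap as the threshold are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed combined-format log lines (documentation IPs, made-up paths).
SAMPLE_LOG = '''\
192.0.2.10 - - [05/May/2011:10:00:01 +0000] "GET /trending-topic.php?q=a HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [05/May/2011:10:05:12 +0000] "GET /trending-topic.php?q=a HTTP/1.1" 200 312 "http://www.google.com/imgres?q=a" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
192.0.2.10 - - [05/May/2011:10:06:00 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.8 - - [05/May/2011:10:07:30 +0000] "GET /about/ HTTP/1.1" 200 9120 "http://www.google.co.uk/search?q=b" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
192.0.2.10 - - [05/May/2011:10:08:00 +0000] "GET /gallery/view.php?id=3 HTTP/1.1" 200 20100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [05/May/2011:10:09:44 +0000] "GET /gallery/view.php?id=3 HTTP/1.1" 302 0 "http://www.google.com/imgres?q=c" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
'''

LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"')
GOOGLE_REF = re.compile(r'^https?://([a-z0-9-]+\.)*google\.[a-z.]+/', re.I)

def classify(referer, agent):
    """'crawler' (assumption: matched on User-Agent), 'visitor' (came from Google) or None."""
    if "googlebot" in agent.lower():
        return "crawler"
    if GOOGLE_REF.match(referer):
        return "visitor"
    return None

def find_cloaked_paths(log_text, ratio=5.0):
    """Map each path whose crawler and search-visitor responses diverge to the reason."""
    seen = defaultdict(lambda: {"crawler": [], "visitor": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        path, status, size, referer, agent = m.groups()
        kind = classify(referer, agent)
        if kind:
            seen[path][kind].append((int(status), 0 if size == "-" else int(size)))
    findings = {}
    for path, hits in seen.items():
        crawler, visitor = hits["crawler"], hits["visitor"]
        if not crawler or not visitor:
            continue  # both audiences are needed for a comparison
        if any(s == 200 for s, _ in crawler) and any(300 <= s < 400 for s, _ in visitor):
            findings[path] = "redirect"  # crawler gets a page, visitor is sent elsewhere
            continue
        c_size, v_size = median(b for _, b in crawler), median(b for _, b in visitor)
        if c_size >= ratio * max(v_size, 1):
            findings[path] = "size"  # visitor gets a far smaller body than the crawler
    return findings
```

A flagged path is a lead for manual review of the file behind it, since legitimate pages can also vary by audience.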
