The use of search engines to deliver malware is well known. Previously we reported that attackers were using Google-sponsored search results to promote malicious websites. Instead of using techniques such as search engine optimization (SEO) poisoning to get the optimum listing in the search engine results, attackers recently managed to compromise the well-known site autonagar.com, which is promoted by Google’s sponsored links. Interestingly, up until late last week, autonagar.com was hosting malicious exploits and was blacklisted by Google SafeBrowse. However, at the time of posting this blog, the malicious code has been removed from autonagar.com and Google is no longer blocking it.
In this specific example, users who rely on Google’s sponsored links run the risk of their computers being infected. For example, when a user searches for “sell car online” or “buy bike,” Google-sponsored links might display one particular download link for AutoNagar.com. Such high-profile websites that have been compromised can be used to launch drive-by download attacks. The following is a screenshot of the Google-sponsored links. The compromised site is circled:
Users should be aware that results for keywords returned by search engines can be manipulated. As always, we encourage users not to click on hyperlinks blindly. Products such as Norton Safe Web or MyWot should be used to verify links before clicking on them. Symantec customers are protected from this attack with the latest IPS and antivirus.