Google is presenting a paper tomorrow (Tuesday, April 27) regarding websites that offer fake antivirus software. Part of Google’s research shows that search engine results can lead to such pages. The presentation demonstrates that Google is working hard at preventing these search poisoning attempts.
Our data likewise shows that poisoning search engine results with links to fake antivirus software is an effective way for attackers to infect users’ machines. As such, we constantly track search results for malicious links. In previous blogs we’ve discussed how attackers are able to poison results; we continue to see search engine result poisoning as a primary vector of infection, especially for fake security products.
We watch search results constantly via an automated system, but given the large amounts of data we only capture complete sets of data on an hourly basis. We’ve gone back to analyze the last couple of weeks’ worth of data to provide a glimpse into the current effectiveness of search engine result poisoning. In particular, we generated statistics on the top search trends every hour and determined how many were malicious (within the first 70 Google search results).
The data below is specific to Google search results between March 30, 2010, and April 18, 2010. We have found that data sets for other search engines are less interesting and search engine poisoning less prevalent. Hackers clearly have a vested interest in ensuring their attacks are effective in poisoning Google results, most likely because of its large market share—Google’s breadth and speed of indexing will also play a role.
• On average at any given hour, 3 out of the top 10 search trends contained at least one malicious URL within the first 70 results.
• On average, 15 links out of the first 70 results were malicious for search terms that were found to be poisoned (had at least one malicious URL).
• On average on any given day, 7.3% of links are malicious in the top 70 results for top search terms.
• The most poisoned search term resulted in 68% of links leading to malicious pages in the first 70 results
• Almost all of the malicious URLs redirect to a fake antivirus page.
The following graph shows the total number of malicious URLs (red) found in a given day versus total URLs checked (the top 70 results for the top 10 search terms each hour):
For this time period, April 3, 2010, had the highest percentage of malicious links returned in search results. Looking at April 3, 2010, on an hourly basis, we can see that the number of malicious URLs returned for the top 10 search trends each hour can change dramatically. Typically, this is a function of the particular trends during that hour:
The most malicious trend that day was “Roy Jones jr vs Bernard Hopkins,” in which at one point 68% of the URLs in the first 70 results were actually malicious.
While attackers are sometimes more successful in poisoning certain search terms, this is primarily due to luck. They use an automated system to determine which terms to poison. To give an example of the types of terms that resulted in poisoned results, here are the top 10 malicious search terms for April 3, 2010:
Often, the top search trends change quickly; likewise, which terms are poisoned also changes. Here are the top 10 search terms on April 3, 2010, that stayed active (had at least one malicious URL) for the longest time.
These days, the attackers continue to be effective at poisoning search results. They have an automated infrastructure that is able to automatically collect the latest, most popular search trends and poison the results. So, be careful when clicking on search result links, especially when searching for hot search topics. Also, follow our Twitter feed where we post the latest, dirtiest search terms.