Poisoning the search engine well

Cyber criminals are tainting search engines optimisation by using botnets to distort the 'best result' of a search, leading users to false, malware ridded links.

Last year was the year of the malware network. These complex, shifting infrastructures last beyond any one attack and allow cybercriminals to rapidly adapt to new vulnerabilities and repeatedly launch new attacks on corporate networks. Malware networks, or “malnets”, go to where the action is – popular destinations such as search engines and social networking and with the malnet infrastructure already in place, cybercriminals can infect multiple users with minimal effort. Consider this – two-thirds of all cyber attacks in 2012 will be launched via malnets. 

Businesses call it “search engine optimisation”, though cybercriminals utilising the same process call it “search engine poisoning”. In 2011, search engine poisoning (SEP) became the leading attack method for web-based threats. Considering that search engines/portals are now the most requested category of content on the internet, it is no surprise that SEP is now the leading entry point into malnets. Malnet operators, with a well-built infrastructure already in place, can conduct SEP attacks on a 24 hours a day, seven days a week basis. When you consider that millions of people search for information every day, an attack only needs to divert a small percentage of that traffic in order to be successful.  

In SEP attacks, malnet operators make constant adjustments to the bait content they feed to search engines. They don’t necessarily only focus on big news events, but rather spread their nets as wide as possible to achieve the best chance of infecting a user’s network. SEP is often successful as users tend to be in “explore” mode when using search engines, and are thus more likely to click on links from unknown sources. Users are also mostly unaware of the threats that can come from search engine results – there is a certain level of trust involved when searching for information. It is this inherent user trust that cybercriminals exploit. To take advantage of search engines, cybercriminals only need to ensure that their sites rank high enough in the search results page by providing relevant keyword content. In doing so, they can exploit the very algorithms that search engines rely on to deliver meaningful results to users, to ensure that their malicious content is delivered as well.

However, despite conventional thinking, breaking news, celebrity news and big events tend to generate far less poisoned content than miscellaneous topical and subject searches. Potential victims tend to be shielded from SEP links due to the sheer volume of legitimate sites with actual content generated in the event of a big breaking story. This does not automatically mean that users are “safe” in this instance, as cybercriminals do try to exploit big news events, but their chance of clicking on a poisoned link is reduced at the least, due to the high concentration and availability of legitimate search options.

In 2011, topical bait included the earthquake and tsunami disaster in Japan, the royal wedding of Prince William and Kate Middleton and the deaths of Osama Bin Laden, Amy Winehouse and Steve Jobs. It is a tried-and-true tactic of cybercriminals to target death and drama, and 2012 events such as the London Olympics and the US presidential election are likely to serve as the wiggling worm on the hook in future.

Our Blue Coat Security Labs found that the demand for search engines/portals grew by more than 2% from 2010 to 2011, and this trend is likely to continue in 2012, creating a significant risk for businesses. User education can help reduce the risk – training users to conduct “Who Is” searches and how to spot a suspicious URL can assist in determining whether a website is genuine. However, while user education can help mitigate the risks, it is not enough, particularly since it isn’t a scalable solution. It is vital that businesses supplement user education with a web security solution that is capable of analysing links in real time to determine whether they are being funnelled into a malnet.

Cybercriminals are always looking for new ways to exploit users and infect networks in order to gain access to critical user information and business data. They are quick to adapt to new trends and technologies and have vast existing networks and infrastructure with tentacles spanning the globe. Businesses need to be aware of cyber risks and malicious threats, and thus be able to implement appropriate web security measures to prevent potential poisoning in the future.

Bruce Bennie is the managing director Blue Coat Australia and New Zealand

Related Articles