Feeds

Hackers find clever new way to hose Google users

IFRAME piggybacking

The Essential Guide to IT Transformation

Updated Hackers have found a new way to get Google to point to malicious websites with the help of unwitting websites such as TorrentReactor, ZDNet Asia and several other CNET-owned properties.

As a result, more than 101,000 Google search results that appeared to lead to pages of legitimate sites actually directed end users to sites that attempted to install malware.

The hack, which was first documented Wednesday by Netherlands-based researcher Dancho Danchev, takes advantage of the practice by many sites of logging search queries typed into their search boxes and storing them where search engine bots can see them. The terms are then indexed by Google and other search engines and included in the results they return. Exploiting the weakness is as easy as typing popular search terms into a popular website along with the text of an IFRAME that points to a malicious website. Within time, the strings will be included in results returned by Google and others.

Google goes to great lengths to protect users against by warning when a website included in search results is believed to be malicious. But at time of writing, queries on Google for "jamie presley," "mari misato" and "risa coda" got one or more poisoned link in the first 10 results. Almost 52,000 Google results contained such redirects for ZDNet Asia, according to this update Danchev made on Thursday. There were almost 50,000 poisoned links for TV.com sites and a handful for News.com and MySimon.com, Danchev said.

"The folks at ZDNet Asia have taken care of the IFRAME issue, so that such injection is no longer possible," he added."

In the second half of 2007, 51 per cent of sites hosting malware were legitimate destinations that had been compromised, as opposed to sites specifically set up by criminals, according to security firm Finjan. In the case here, neither ZDNet Asia nor TorrentReactor were compromised, although the criminals were clearly taking advantage of their strong page ranking and the trust that many end users have in them.

The injected IFRAME redirects unwitting users to sites associated with the Russian Business Network, F-Secure says. The sites try to install malicious programs with names including XP Antivirus 2008 and Spy Shredder Scanner.

The attackers are also notable for the care they've taken to cover their tracks. The malicious sites will only attack users who click on the link as it's returned from Google or another major search engine. Client-side honeypots or security researchers who merely type the address into a browser will receive an error message indicating the site is unavailable. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.