Search Engine Malware – The Same Old, Same Old

In the News within the past 3 days

Web security firm Armorize – over 6 million e-commerce web pages have been compromised in order to serve malware to users.

Ed Bott Report – criminal gangs that specialize in malware love search engines, because they represent an ideal vector for getting Windows users to click on links that lead to potentially dangerous Trojans. The latest attack targets ads, and the social engineering is frighteningly good.

Not in the News

The specifics may be news but, this particular malware attack vector is so old I’m surprised that more Internet users aren’t aware of it. No, I take that back – based on a conversation I had just last night.

Me: “So, what antimalware applications are you currently running?”

She: “Well, I can cut and paste and I can get on the Internet, but I don’t worry about all that other stuff. I don’t understand it anyway.”

I’m well past the point where I allow myself to show surprise when I hear this type of response – it’s just so typical. Given that level of knowledge, it’s hardly surprising then, that consumer confidence in the reliability of search engine results, including relevant ads, is taken for granted.

I’ve yet to meet a typical user who would consider questioning a search engine’s output as to its relevant safety.  It’s been my experience, that typical Internet users blindly assume all search engine results are malware free.

This, despite the reality that the manipulation of search engine results, exploiting legitimate pages, and the seeding of malicious websites among the top results returned by search engines in order to infect users with malware, is a continuing threat to system security.

Here’s how the cyber crooks do it:

When a potential victim visits one of these infected sites the likelihood of the downloading of malicious code onto the computer by exploiting existing vulnerabilities is high.

Let’s take, as an example, a typical user running a search for “great vacation spots” on one of the popular search engines.

Unknown to the user, the search engine returns a malicious or compromised web page as one of the most popular sites. Users with less than complete Internet security who visit this page will have an extremely high chance of becoming infected.

There are a number of ways that this can occur. Cyber-crooks can exploit vulnerabilities on the server hosting the web page to insert an iFrame, (an HTML element which makes it possible to embed another HTML document inside the main document). The iFrame can then activate the download of malicious code by exploiting additional vulnerabilities on the visiting machine.

Alternatively, a new web page can be built, with iFrames inserted, that can lead to malware downloads. This new web page appears to be legitimate. In the example mentioned earlier, the web page would appear to be a typical page offering great vacation spots.

Be proactive when it comes to your computer’s security; make sure you have adequate software based protection to reduce the chances that your machine will become infected.

Install an Internet Browser add-on such as WOT (my personal favorite), which provides detailed test results on a site’s safety; protecting you from security threats including spyware, adware, spam, viruses, browser exploits, and online scams

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable Java, JavaScript, and ActiveX if possible

Disable scripting features in email programs

Make regular backups of critical data

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus and anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure the anti-virus software scans all e-mail attachments

Be proactive when it comes to your computer’s security; make sure you have adequate software based protection to reduce the chances that your machine will become infected.

The following comment (posted here March 15, 2011), illustrates perfectly the issues discussed in this article.

Funny you write about this today. I was reading about the spider issue Mazda was having and wanted to know what the spider looked like so I Googled it, went to images and there it was. There was also a US map that had areas highlighted, assuming where the spiders exist, and before I clicked on the map I made sure there was the green “O” for WOT for security reasons.

I clicked on the map and BAM I was redirected instantly and hit w/ the “You have a virus” scan malware. I turned off my modem then shut my computer off. I restarted it and scanned my computer w/ MS Security Essentials and Super Anti Spyware. MS Essentials found Exploit:Java/CVE-2010-0094.AF, and Trojan:Java/Mesdeh and removed them. I use WOT all the time, but now I’m going to be super cautious.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


Filed under Application Vulnerabilities, Browser add-ons, Cyber Crime, Cyber Criminals, Don't Get Scammed, Don't Get Hacked, downloads, Interconnectivity, Internet Safety, Internet Security Alerts, Malware Protection, Online Safety, Search Engines, Software, trojans, Windows Tips and Tools

6 responses to “Search Engine Malware – The Same Old, Same Old

  1. kenneth lunkins

    i articile i like mainly because you explained it it simple terms

    • Hi Kenneth,

      Thanks for that.

      Securing an Internet computer, and learning a few simple safety rules, is not complicated. It just takes a little time and practice.


  2. Mal

    Hey Bill,
    If I had a dollar for every conversation like the one you had, I would be rich. Like you, I am not surprised and I don’t even bother trying to convince the person/s otherwise. Some, like your friend, claim ignorance, whilst others think they know everything about security but in reality know bugger all.
    WOT is a great addon. Recently, I updated a favourite antimalware app of mine, and out of curiosity, was checking out the digital signatures of this app. I was surprised to find that some elements of the program had a different name for digital signatures. Looking up the site on Google, WOT gave it an orange rating, meaning unsatisfactory. I was surprised, and unhappy, about this. The app has now been, reluctantly, uninstalled.
    I could send you an email with further details, if you would like more info.

    • Hey Mal,

      I hear ya – they don’t know what they don’t know – to an extreme.

      Yeah, I’d be very interested in hearing about that app with the convoluted sigs. Let me know when you have a chance.



  3. Jose

    Great article Bill.

    One cannot bang the message to often, even if they won’t listen.

    A month ago my sister brought her laptop to me because it was limp.
    I did a basic test: Google for “free antivirus” to check for redirections. There were none; the pages simply didn’t open.
    Then I tried to update MBAM (which I had installed); no connection allowed.
    Then I tried to run Hitmanpro (which I had installed); it wouldn’t run.
    Safe mode: no Sir.
    So, I explained to her what a rootkit was and that she should reinstall the OS to be sure. She said “yes, of course”.

    A week ago I asked her “how’s your machine?”.
    “Well”, she said, “it’s still very slow but it works”.
    “But did you reinstall the OS?” I asked.
    “Oh, no” she answers, “but a friend of mine told me that if you have a dual core CPU you have to turn on the second core. Did you know that?”.

    No comments, no subtitles.