Hackers are employing a new and sophisticated strategy that attempts to lure victims to their malware-infested websites by capitalizing on users' inherent trust in internet search engine results.

The technique, which involves fooling search engine algorithms – usually Google's – to achieve better rankings, has been going on for at least two years. But only in the past few months has this “Google poisoning” reached worrisome heights, experts say.

The ploy could wind up being much more effective at spreading malicious code than traditional phishing, predicts Dan Hubbard, VP of security research at San Diego-based Websense. “People are a lot more likely to click on a search result in the top 10 rather than on a link in an email,” he says.

Crafty cybercrooks are leveraging the latest automation tools to build websites filled with hundreds of megabytes of commonly used search terms. As an example, in a post-Thanksgiving attack last year, vandals loaded popular holiday gift search ideas into tens of thousands of malware-serving sites.
“They put these thousands of search terms [into a site], and Google indexes them and creates combinations of them,” says Roger Thompson, chief researcher officer at Orlando, Fla.-based Grisoft. “And then, after they've left the site up for two weeks, they swap it out for a redirect to an exploit site.”

To further boost rankings, attackers employ botnets to either leave comment spam links and other keywords onto blogs or to directly click on malicious websites, researchers say.

In some cases, users who click on a poisoned search result will automatically be infected; other times, they will be prompted to install additional software, such as a codec, Hubbard says. Patching and up-to-date anti-virus helps, but not always, he says.

Google is normally quick to act – but only when it finds out about a new barrage. “[Google] knows how to block [hackers],” says Tom Mercado, who runs TeMerc Internet Countermeasures, an advisory website. “That's a big thing, to have your search engine results tampered with.”

Even more is to come. Hubbard expects attackers to try to predict future events, such as Olympics results, so their rogue sites are immediately well ranked. “It's all about timing,” he says. — DK