Cyberattackers have hijacked thousands of search terms on Google, leading end-users to unexpected malware installations.

Although hijacked search terms are common, the sheer size of this operation – including tens of thousands of pages created to obtain high search-engine ranking – is unprecedented, according to researchers from Sunbelt Software.

“Just about any search term you can think of can be found in these pages,” Adam Thomas, Sunbelt researcher, said Tuesday on the company's blog. “For months now, our research team has monitored a network of bots whose sole purpose is to post spam links and relevant keywords into online forums. This network, combined with thousands of pages, have given the attackers very good, if not top, search engine position for various search terms.”

One click on a malicious link can infect unpatched PCs with malware used to generate income for the attacker in a pay-per-click affiliate program or load other malware, according to Sunbelt.

Fully patched PCs were asked to download a fake ActiveX upgrade, which resulted in an unwanted Internet Explorer toolbar and pop-up advertisements.

The malicious search results, removed quickly by Google, do not appear when using “inurl” and “site” in search terms, according to Alex Eckelberry, Sunbelt president and CEO, who added that the search-engine optimization poisoning directly targeted Google and ignored other search engines.

Eckelberry said that Sunbelt researchers found malicious links leading to 27 domains, with 1,499 pages and a “staggering amount” of keywords.

“The attack was very clever and it was a lightning-fast attack on Google. I suspect the majority of these domains were registered on Nov. 24 or 25,” he said. “Setting up a webpage doesn't take a lot of time at all, but getting them to the top search results takes some time, and these search terms are all over the place.”

Malicious site terms range from information on the cotton gin's influence on slavery, to teaching a cat to fetch, to Wi-Fi equipment.

Roger Thompson, chief technology officer at Exploit Prevention Labs, told today that the malicious terms had obtained prominent search results and employed Domain Name System-changer (DNS).

“I think that it's affected so many of them, and it's been increasing for a while,” he said. “Another thing that's interesting is that many of these links are DNS changers.”

Trend Micro
researcher Ivan Macalintal said Tuesday on a company blog that holiday-related terms, such as “Christmas gift shopping,” “Christmas holiday sale,” and “holiday shopping fun,” were seen redirecting users to malware downloads.

“It's also that time of year when cyberhooligans compromise innocent web searches, such as the simple phrase, ‘Christmas gift shopping,' to serve up malicious URLs via search results,” he said.