Attackers choose a popular search term according to Google Trends -- which is regularly updated with the top 100 most searched items -- and then find a website that already is highly ranked for that particular term. Then, the crooks build a malicious site that contains the same content as the legitimate site, enabling these malicious creations to rise to the top of the search rankings.
Recently, results were poisoned for popular searches such as Ash Wednesday, Obama's address to Congress and the Gmail outage. The malicious links deliver users to a website where they are served a trojan called FakeAlert. The site pretends to scan a user's system, then pop-up messages tell the user he or she has been infected and should download software -- for a fee -- to have those threats removed.
“I do not recall previous attacks being as aggressive as the current ones, being distributed across numerous sites, targeting many high-profile search terms, and having the poisoned links regularly appearing high up in the result pages,” Schmugar wrote on a McAfee Avert Labs blog post Thursday.
Schmugar started noticing this last week and said it seems to be as effective or getting stronger since then. By poisoning the most popular search terms, attackers are able to reach a broad audience, and the tactic is effective because users often trust top-rated search results, Schmugar said.
In response to this trend, a Google spokesman told SCMagazineUS.com that the company actively works to detect and remove sites from its index that serve malware. Google has manual and automated processes to remove the bad sites, he said.
“We'll continue to monitor for these bad results and will remove any as necessary," the Google spokesman said. "Additionally, we're always exploring new ways to identify and eliminate malicious sites from our index.”
Google ranks sites based on how many times it is linked to from somewhere else.
Typically, attackers use botnets they control to inject links to their malicious webpages into millions of sites that have a high reputation, thus bringing up the malicious pages in Google's search rankings, Stephan Chenette, manager of security research at Websense Security Labs, told SCMagazineUS.com Wednesday.
“Hackers are very well aware of how to control search engine rankings and have been doing this for a few years,” Chenette said.