Serena Williams meltdown is latest poisoned search attack

Video of tennis star Serena Williams imploding Saturday in the U.S. Open women's semifinals is just the latest search term to be poisoned by attackers wanting to infect users with rogue anti-virus software, researchers said Monday.

Cybercriminals are attempting to serve up malware when users search for such terms as "Serena Williams Outburst," according to Symantec. At least one of the sites being used to distribute malware was hacked to redirect users to a separate site that falsely warns users that their PCs are infected. Victims then are offered another download, which claims to fix the problem, but is actually a "scareware" trojan.

Craig Schmugar, senior threat researcher at McAfee, said search engine compromise is a common theme, as attackers have gotten more skilled at quickly creating domains that leverage popular terms, while Google has gotten faster at indexing pages.

The malware writers tap into Google Trends, which lists the day's 100 most popular search terms, to determine which they want to poison, Schmugar said. Typically they choose terms that are more specific, but they don't discriminate against particular themes.

"This is more of a generic and general problem," he said. "More often than not, they're trying to capitalize any way they can."

Typically, the attackers create domains based on the popular search term and then automatically load links to the URLs on legitimate sites, such as in blog comment forms, Schmugar said. Then, they wait for Google's crawler, known as Googlebot, to discover the domains.

The goal is to trick the crawler into listing the malicious sites near the top of the search results for a given term, he said. Usually they don't stay up for long.

"If they can poison a search term for 12 hours, that will probably serve their purpose," Schmugar said.

A Google spokesperson said the company does not tolerate the poisoning of search results.

"We work hard to protect our users from malware," the spokesperson said Monday in an email statement. "Using any Google product to serve or host malware is a violation of our product policies. In all cases, we actively work to detect and remove sites that serve malware from our search index and our ad network, and we immediately suspend accounts found to contain ads pointing to sites that install malware. To do this, we have manual and automated processes in place to enforce our policies."

The representative added that the problem affects all search engines, not just Google. He said the search giant also will remove sites from its index that violate master guidelines, such as writing text in a way that is only visible to search engines or creating pages whose sole intent is to dupe the crawler.

Schmugar said Google regularly updates its search algorithm in hopes of weeding out corrupted search results.
