June 08, 2011

Search Engine Poisoning: On The Rise

Today, Imperva released a report on search engine poisoning. Search engine poisoning (SEP) attacks manipulate, or “poison”, search engines so that they display search results containing references to malware-delivering websites. There are many ways to perform SEP: taking control of popular websites, using the search engines’ “sponsored” links to reference malicious sites, and injecting HTML code. Here’s a graphic and a video explaining how it works:

SEP Infographic

How has hacker interest in SEP grown? This is very difficult to gauge, and no formal statistics quantify the problem. However, as the recent Bin Laden death reminds us, hackers leverage current events as they happen to dupe search engine users. The first description of the attack by researchers was in March 2008, by Dancho Danchev. One metric that helps gauge the growth of this problem is the volume of hacker forum discussions. For example, one major hacker forum saw a dramatic increase in discussions regarding search engine poisoning with XSS:

Year-over-year growth of SEP discussions in hacker forums (percent growth):

2008 - 2009     212%
2009 - 2010     121%

SEP discussions in hacker forums per year (raw numbers):

2009     169
2010     374

How does Imperva detect SEP? Our probes were able to detect and track a SEP attack campaign from start to end. The prevalence and longevity of this attack indicate not only how long it lasted undetected, but also that companies are not aware they are being used as a conduit for an attack. It also highlights that search engines should do more to improve their ability to accurately identify potentially harmful sites and warn users about them.

The attack method we monitored returned search results containing references to sites infected with Cross-Site Scripting (XSS). The infected Web pages then redirect unsuspecting users to malicious sites where their computers become infected with malware. This technique is particularly effective because the criminal doesn’t take over, or break into, any of the servers involved to carry out the attack. Instead he finds vulnerable sites, injects his code, and leaves it up to the search engine to spread his malware.

The prevalence of this attack has ramifications for search engines, especially Google. Current solutions that warn the user of malicious sites lack accuracy and precision, and many malicious sites continue to be returned un-flagged. However, these solutions can be enhanced by studying the footprints of a SEP via XSS. This allows more accurate and timely notification, as well as prudent indexing. We hope Google and Yahoo! step up.
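
Site owners can look for the same footprints in their own logs. The following is an added example, not code from this post or the Imperva report: it scans web server access logs for requests whose query parameters carry script markup and records whether a search crawler or a click from a search result delivered them. The combined log format, the assumption that the injected markup travels in the query string, the crawler and referrer lists, and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
# Heuristic: markup that has no business inside a query-string value.
MARKUP_RE = re.compile(r'<\s*(script|iframe)\b|\bon\w+\s*=|javascript:', re.I)
# Assumption: illustrative, incomplete lists of crawler and search-referrer markers.
CRAWLERS = ("googlebot", "bingbot", "slurp")
SEARCH_HOSTS = ("google.", "bing.", "search.yahoo.")

def classify(line):
    """Return None for a clean line, else (source, parameter name, path)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded markup.
        if not (MARKUP_RE.search(value) or MARKUP_RE.search(unquote(value))):
            continue
        agent = m["agent"].lower()
        ref_host = urlsplit(m["referer"]).netloc.lower()
        if any(c in agent for c in CRAWLERS):
            source = "crawler"        # the poisoned URL is being indexed
        elif any(h in ref_host for h in SEARCH_HOSTS):
            source = "search-click"   # a visitor arrived from a search result
        else:
            source = "other"
        return source, name, url.path
    return None

def footprints(lines):
    """Count flagged requests per (source, parameter, path) to rank injection points."""
    return Counter(hit for hit in map(classify, lines) if hit)

# Constructed sample log lines (documentation IP range, example.invalid host).
SAMPLE = [
    '192.0.2.10 - - [08/Jun/2011:10:00:00 +0000] "GET /search?q=%3Cscript%20src%3Dhttp%3A%2F%2Fexample.invalid%2Fx.js%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.20 - - [08/Jun/2011:10:05:00 +0000] "GET /search?q=%3Cscript%20src%3Dhttp%3A%2F%2Fexample.invalid%2Fx.js%3E HTTP/1.1" 200 512 "http://www.google.com/search?q=breaking+news" "Mozilla/5.0"',
    '192.0.2.30 - - [08/Jun/2011:10:06:00 +0000] "GET /search?q=security+report HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit, n in footprints(SAMPLE).items():
        print(n, hit)
```

A parameter that shows up under both "crawler" and "search-click" is one where the markup is reflected, has been indexed, and is receiving visitors, so it is the first candidate for output encoding or input validation.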

