Web Security: Be Careful Clicking on the Google Doodle

Version imprimable, PDF et e-mail

Posted by: Barracuda Labs

It’s been widely reported that Google sponsored links are being used for malicious purposes. Once again, Google is an easy target and consumers are vulnerable. Rogue AV continues to be a big business, and the criminals are taking advantage of the more popular (and trafficked) areas to spread their wares.

Today, December 15, 2009, is the 150th birthday of LL Zamenhof, the inventor of Esperanto (an international auxiliary language).

Google celebrated by decorating its logo with the flag of Esperanto, turning it into what is called a Google Doodle (Google often uses its logo to celebrate various historical events etc http://www.google.com/logos/).

Clicking on the Google Doodle performs a search for the term “LL Zamenhof” – making it remain steady in the top 5-10 most popular searches of the day. Malware distributors have recognized this significant opportunity to concentrate their poisoning efforts on popular search terms. This is just another egregious act of criminals using these Google popular search terms – and SEO poisoning – as vehicles to carry out their malicious intent.

On page one of the search results, one of the examples falls under the domain rubbermouse.com —- The poisoned results point to legitimate domains that have been compromised. This leverages the site’s already good Google reputation so that the results do not appear with a Google safesearch alert. This is becoming increasingly more common for almost any popular search term.

Once the user clicks on the link, he/she is then re-directed to a Rogue AV site (hxxp://antyspywaretoday.net….). On this page, the user is given a warning that the computer might be infected, a fake scan ensues, then the user is prompted to purchase the AV software — regardless if the user clicks on the “OK” or not.

How prevalent is this? First 100 results, there are 31 poisoned sites. Even better, first 50 results, there are 27 poisoned sites. These criminals get search engine optimization – and are good at it!

The sites are hard to identify – and hard to remove – since they are designed to re-direct to multiple sites (some with malicious intent such as selling Rogue AV, and some offering up nothing more than a waste of time via a fake search site). Regardless, these rogue orphan pages exist and are under the control of those who can, with the push of a button, offer up dangerous exploits to attack users, steal information, and damage corporate networks.

What’s most concerning about this – Google is posting its Doodle, inviting users to click (out of their own curiosity, they will), and then serving up more than half of the results as malicious. What does that say about the current state of search and SEO?


Remonter en haut de page