By Andrew Brandt
It’s been a few months since Google implemented new ways that it displays search results, and in that time, it’s been difficult to find the kinds of hijacked search results we saw in huge numbers a year ago. But if you thought the search engine manipulators were laying down on the job, you’d be wrong.
A new campaign seems to have hijacked Google search terms of not just products or words, but of people’s names, towns, and phrases in both English and Spanish to lure victims into a trap. One of our Threat Research analysts stumbled upon the new scheme while searching for information about a friend. We were surprised to find that the top four results of that search led directly to that dreaded Sarlaac Pit of malware, the rogue antivirus fakealert.
At first, visiting the four top links in our searches led to the same fakealert. After an hour passed, however, the pages started to shake things up, leading to fakealerts that mix up their appearance. One screen displays something that looks like an alert from the Windows Security Center in Windows Vista; Another generates a dialog that looks like the Security Center alert from Windows 7. Still others take on the now-classic faux-Windows Defender appearance.
The poisoned results use a familiar tactic to embed themselves into the Google search engine, and capably trick Google into thinking the pages are benign. If you take a closer look at the cached versions of the pages Google displays as results, it’s easy to see why the search engine isn’t able to discern the motives of the black hat SEO puppet masters: They just look like gigantic lists of search terms and keywords.
Occasionally, one or more terms is hotlinked to another site which features more gigantic lists of search terms and keywords. These crosslinks train Google to consider these pages highly relevant to queries.
Unfortunately, when you click the link itself in the search results, you get a whole different experience. Something on the server’s end is looking at the Referrer link — the URL a browser sends to a Web server which tells that server what page the browser came from. If the Referrer includes “Google,” the page immediately redirects the browser to another server that delivers the fakealert dog-and-pony show, and then in short order the malicious installer.
If it doesn’t — for example, if you click one of these links inside one of these pagaes full of search queries, or if you attempt to navigate to the page manually — you just end up on another page full of search terms and queries.
The fakealert page itself, hosted on yet another server that rotates rapidly through a pool of malicious domains, is entirely embedded in a giant chunk of Base64-encoded data within the HTML code of the fakealert site’s index.html page.
Because the fakealert isn’t rendered until the browser loads the page, it’s difficult to seek out the malicious pages. Base64 encoding isn’t an automatic red flag, and isn’t really a very good heuristic metric to determine whether a page is up to no good.
These poisoned results appear to be permeating search results rapidly, and seem to redirect to dozens of different malicious Web sites, seemingly at random. But there are a few ways to keep yourself safe.
Scrutinize the text of the results; If they seem to be just a list of keywords, rather than a page about the search subject, skip that result. You can also safely click the Cached link that appears below each search result: If the cached result is just a page full of search terms, you know you’ve found a poisoned result. And our free Prevx CSI cloud detection product is identifying most of the installers as soon as we download them.