Dark Reading
Most Dangerous Holiday Web Search Terms Of 2012

Blue Coat's Malware Research Team recently noticed a huge spike in holiday themed Search Engine Poisoning attacks and published the results of their findings

December 10, 2012 - By Chris Larsen

I seem to have gotten myself pigeonholed this year as the "search engine poisoning guy", since I get asked about SEP attacks on a consistent basis. Especially now, as America is in the middle of its Thanksgiving-Christmas holiday season -- I was asked about "Black Friday" SEP attacks by several people last week.

Well, I had hoped to do some SEP research before Thanksgiving, but it has slipped to "pre-Christmas research" instead, one of several downsides to a heavy travel schedule...


This time around, I followed the "high volume" approach I used in the SEP research on the Olympic games earlier this year, rather than the more labor-intensive approach used a year ago in the seven-part series from the RSA presentation.

One item in particular I wanted to look at was the question of overall SEP volume. As our customer base has grown, there should be some natural growth in the overall SEP traffic, but there is another recent factor: our work identifying "spamnets". Since Tim's tool for tracking SEP attacks is based on our malnet research, logically we should see more SEP attacks, as the number of malnets (and spamnets) that we track goes up.

On to the data...

For this research, I pulled Tim's SEP logs from 11/21 to 11/30. In those 10 days, we saw 13,616 "successful" SEP attacks. (Recall that this simply means one of our users somewhere: (1) searched for something; (2) got a bad link high enough in the returned search results that they actually saw it; (3) thought it looked like a reasonable result; and (4) clicked it. At which point WebPulse blocked it, which means it wasn't actually "successful", but that's due to us, not the Bad Guys' faulty preparations...)

13,616 different clicks / 10 days is pretty easy math: an average of 1361.6 different SEP clicks/day.

For comparison, I went back to the Olympics research set, which had a total of 28,277 different SEP clicks / 39 days, or about 725 per day.

That's an increase of over 80% -- far too much to be explained by the increase in customer base. I also doubt that the SEP gangs have suddenly become a lot more efficient. That leaves me with only one ready explanation: the large number of spamnets (and new malnets) we've been steadily uncovering, because I know that has jumped.

Anyway, here are the search terms I looked for in the dataset, and the number of unique search terms that matched. It's a total of 505 different holiday-related search terms; out of 13,616, it works out to about 3.7% of the SEP attack traffic.
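As an added example (not Blue Coat's tracking tool or anything from the original post), the script below shows how the three figures in the paragraphs above can be derived from a log of blocked SEP clicks: the per-day click rate, the share of traffic that matches a holiday keyword list, and the percentage increase between two research windows. The log rows, the HOLIDAY_KEYWORDS list and the function names are constructed for illustration; the only real numbers are the article's own totals, fed to percent_increase() to reproduce the "over 80%" comparison.

```python
"""Summarise a log of blocked search-engine-poisoning (SEP) clicks.

Added example, not Blue Coat's code. The log format (ISO date, tab, search
query) and the keyword list are assumptions made for this illustration.
"""
from collections import Counter
from datetime import date

# Constructed sample log of blocked SEP clicks: one row per click, the date
# the click was blocked and the query that surfaced the poisoned result.
SAMPLE_LOG = """\
2012-11-21\tpreschool christmas bulletin boards
2012-11-21\tsample eagle scout letter of recommendation
2012-11-22\tchristmas door decorating ideas
2012-11-22\tchristmas door decorating ideas
2012-11-23\tleft sided back pain worse at night
2012-11-23\tblack friday tv deals
2012-11-24\tromantic homemade gifts for girlfriend
2012-11-25\tperformance appraisal phrases
"""

# Hypothetical holiday keyword list; substring matching deliberately catches
# plurals such as "gifts".
HOLIDAY_KEYWORDS = ("christmas", "black friday", "thanksgiving", "gift", "holiday")


def parse_log(text):
    """Return a list of (date, lowercased query) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, query = line.split("\t", 1)
        rows.append((date.fromisoformat(day), query.strip().lower()))
    return rows


def clicks_per_day(rows):
    """Average blocked clicks per calendar day across the log's date span."""
    days = {d for d, _ in rows}
    span = (max(days) - min(days)).days + 1
    return len(rows) / span


def daily_counts(rows):
    """Blocked clicks per day, useful for spotting a spike around a holiday."""
    return Counter(d for d, _ in rows)


def is_holiday_query(query):
    return any(keyword in query for keyword in HOLIDAY_KEYWORDS)


def holiday_share(rows):
    """(unique holiday-related queries, their share of all blocked clicks).

    Mirrors the post's ratio: distinct matching terms over total clicks.
    """
    matched = {q for _, q in rows if is_holiday_query(q)}
    return len(matched), len(matched) / len(rows)


def percent_increase(old_rate, new_rate):
    """Percentage change from one per-day rate to another."""
    return (new_rate - old_rate) / old_rate * 100


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("clicks/day (sample):", clicks_per_day(rows))
    print("daily counts:", dict(daily_counts(rows)))
    print("holiday terms, share:", holiday_share(rows))
    # The article's own totals: 28,277 clicks / 39 days vs 13,616 clicks / 10 days.
    print("increase vs Olympics window: %.1f%%"
          % percent_increase(28277 / 39, 13616 / 10))
```

The per-day rate uses the span of calendar days rather than the number of days that happen to appear in the log, so a day with zero blocked clicks still counts; the holiday share counts distinct queries, matching the article's "505 different search terms out of 13,616 clicks" framing.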

Some Examples:

It's also interesting to look at some examples, to see if there are some specific things to warn people about. Here is a representative set of Christmas-themed searches that led people into danger:

preschool christmas bulletin boards
crafts for christmas
repurpose old christmas cards
christmas office party games
christmas scavenger list for adults
ideas for christmas gifts in mason jars
free printable christmas word scramble
ugly christmas sweater party invitation wording
christmas weight loss team names

Nothing really jumps out. But how about this set:

christmas door decorating ideas
christmas door decorating contest winners
christmas coordinate plane graphs

Together with the "preschool bulletin board" example, it shows that many of the would-have-been victims were school teachers searching for holiday activities. (There were a bunch of additional "Christmas door" examples in the logs, by the way. And for the benefit of our readers who live outside of the U.S., it is a very common tradition in American schools for teachers to decorate their classroom door for upcoming holidays, and this can get pretty competitive at times, as the teachers vie for fame and glory within their school for having the best-looking door.)

Non-holiday SEP Examples

If holiday-themed searches weren't dominating the SEP attacks, did anything else jump out at me?

Not really. In skimming through the logs, I easily found examples from many of the categories that showed up in last year's more detailed research:

Sample Letters:
sample eagle scout letter of recommendation
sample personal statement nurse practitioner program
QA manager resume samples free download

Kids trying to get around the school web filter:
proxy to get on facebook at school
age of war 2 unblocked at school

Minor celebrity searches (since major celebs have so much competition):
heather nauert swimsuit (I had to look her up: she's apparently a Fox News reporter)

Health/Medical info:
conversion from nitroglycerin ointment to patch
left sided back pain worse at night

And one that I didn't highlight a year ago, so I suppose if there was something interesting that popped up, it would be this next category...

Year-end Performance Reviews:
employee year end performance self assessment examples
promotion announcement to all employees
answers to commanders safety course ver 3.1
performance appraisal phrases

But, in general, I suspect that last year's estimate of around 40% of SEP attacks targeting Miscellaneous categories still holds pretty true. They are all over the map...

Closing Thought

I suppose it's bad enough that the cybercriminals are targeting holidays with their junk at all, but as I was looking through the logs for the "gift" searches, I came across a couple of examples that I wanted to highlight:

anniversary gifts for troubled marriages
romantic homemade gifts for girlfriend

And these made me realize why I really don't like the Bad Guys. Here were innocent people who were trying to do something really meaningful for someone they loved, and the stinkin' SEP gangs were trying to ambush them with scams or malware.



P.S. On a lighter note, I think a special award for "Most Interesting Gift Search Leading to SEP" needs to go the guy who thought that the perfect gift for his wife/girlfriend was a "pink camo stock for remington 870". (If he was the same guy who searched for "antlers for sale on ebay", she's going to be in for a big surprise on Christmas morning...)
