Most Dangerous Holiday Web Search Terms Of 2012
Blue Coat's Malware Research Team recently noticed a huge spike in holiday themed Search Engine Poisoning attacks and published the results of their findings
December 10, 2012 - By Chris Larsen
I seem to have gotten myself pigeonholed this year as the "search engine poisoning guy", since I get asked about SEP attacks on a consistent basis. Especially now, as America is in the middle of its Thanksgiving-Christmas holiday season -- I was asked about "Black Friday" SEP attacks by several people last week.
Well, I had hoped to do some SEP research before Thanksgiving, but it has slipped to "pre-Christmas research" instead, one of several downsides to a heavy travel schedule...
This time around, I followed the "high volume" approach I used in the SEP research on the Olympic games earlier this year, rather than the more labor-intensive approach used a year ago in the seven-part series from the RSA presentation.
One item in particular I wanted to look at was the question of overall SEP volume. As our customer base has grown, there should be some natural growth in the overall SEP traffic, but there is another recent factor: our work identifying "spamnets". Since Tim's tool for tracking SEP attacks is based on our malnet research, logically we should see more SEP attacks, as the number of malnets (and spamnets) that we track goes up.
On to the data...
For this research, I pulled Tim's SEP logs from 11/21 to 11/30. In those 10 days, we saw 13,616 "successful" SEP attacks. (Recall that this simply means one of our users somewhere: (1) searched for something; (2) got a bad link high enough in the returned search results that they actually saw it; (3) thought it looked like a reasonable result; and (4) clicked it. At which point WebPulse blocked it, which means it wasn't actually "successful", but that's due to us, not the Bad Guys' faulty preparations...)
13,616 different clicks / 10 days is pretty easy math: an average of 1361.6 different SEP clicks/day.
For comparison, I went back to the Olympics research set, which had a total of 28,277 different SEP clicks / 39 days, or about 725 per day.
That's an increase of over 80% -- far too much to be explained by the increase in customer base. I also doubt that the SEP gangs have suddenly become a lot more efficient. That leaves me with only one ready explanation: the large number of spamnets (and new malnets) we've been steadily uncovering, because I know that has jumped.
Anyway, here are the search terms I looked for in the dataset, and the number of unique search terms that matched. It's a total of 505 different holiday-related search terms; out of 13,616, it works out to about 3.7% of the SEP attack traffic.
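To make the methodology above concrete, here is an added example (not Blue Coat's tooling, and not the SEP-tracking tool referred to in the post) that runs the same kind of analysis over a handful of constructed log lines: count blocked SEP clicks per day, turn a window total into a daily rate, compare that rate against an earlier baseline window, and measure how many of the search terms match a holiday keyword list. The log format, the field layout, the `hxxp://example.invalid` URLs and the keyword list are all assumptions made for the illustration.

```python
"""Toy analysis of blocked search-engine-poisoning (SEP) clicks.

Constructed example: the log format, the sample lines and the keyword list
are assumptions for this illustration, not a real WebPulse/SEP log format.
"""
import re
from collections import Counter
from datetime import date

# Constructed sample log, one blocked SEP click per line:
#   <YYYY-MM-DD> <client-id> <search term> -> <blocked url>
SAMPLE_LOG = """\
2012-11-21 c1 christmas door decorating ideas -> hxxp://example.invalid/a
2012-11-21 c2 christmas door decorating ideas -> hxxp://example.invalid/a
2012-11-21 c3 sample eagle scout letter of recommendation -> hxxp://example.invalid/b
2012-11-22 c4 crafts for christmas -> hxxp://example.invalid/c
2012-11-22 c5 left sided back pain worse at night -> hxxp://example.invalid/d
2012-11-23 c6 proxy to get on facebook at school -> hxxp://example.invalid/e
2012-11-23 c7 ideas for christmas gifts in mason jars -> hxxp://example.invalid/f
2012-11-24 c8 performance appraisal phrases -> hxxp://example.invalid/g
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (.+?) -> (\S+)$")

# Assumed keyword list; substring match against the lower-cased search term.
HOLIDAY_TERMS = ("christmas", "thanksgiving", "black friday", "holiday", "gift")


def parse_log(text):
    """Return a list of (day, client, search_term, url); malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, client, term, url = m.groups()
            records.append((date.fromisoformat(day), client, term.lower(), url))
    return records


def clicks_per_day(records):
    """Blocked SEP clicks per calendar day, oldest day first."""
    return dict(sorted(Counter(r[0] for r in records).items()))


def window_days(records):
    """Length of the observation window in days, inclusive of both ends."""
    days = [r[0] for r in records]
    return (max(days) - min(days)).days + 1


def daily_rate(total_clicks, days):
    """Average blocked clicks per day over a window of the given length."""
    return total_clicks / days


def rate_increase_pct(new_rate, old_rate):
    """Percentage change from an older baseline daily rate to a newer one."""
    return (new_rate - old_rate) / old_rate * 100.0


def holiday_share(records, keywords=HOLIDAY_TERMS):
    """(number of distinct holiday-themed terms, holiday-themed fraction of clicks)."""
    holiday_terms = set()
    holiday_clicks = 0
    for _, _, term, _ in records:
        if any(k in term for k in keywords):
            holiday_terms.add(term)
            holiday_clicks += 1
    fraction = holiday_clicks / len(records) if records else 0.0
    return len(holiday_terms), fraction


def summarize(text, baseline_rate=None):
    """Run the whole pipeline over one log and return the headline numbers."""
    records = parse_log(text)
    days = window_days(records)
    rate = daily_rate(len(records), days)
    unique_holiday, holiday_fraction = holiday_share(records)
    summary = {
        "clicks": len(records),
        "days": days,
        "clicks_per_day": rate,
        "unique_holiday_terms": unique_holiday,
        "holiday_fraction": holiday_fraction,
        "per_day": clicks_per_day(records),
    }
    if baseline_rate is not None:
        summary["increase_pct"] = rate_increase_pct(rate, baseline_rate)
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, baseline_rate=1.5).items():
        print(f"{key}: {value}")
```

Fed the two window totals from the post, `rate_increase_pct(daily_rate(13616, 10), daily_rate(28277, 39))` comes out just under 88%, which is the "over 80%" figure quoted below; the malformed trailing line in the sample is there to show that the parser drops what it cannot read rather than silently miscounting it.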
It's also interesting to look at some examples, to see if there are some specific things to warn people about. Here is a representative set of Christmas-themed searches that led people into danger:
preschool christmas bulletin boards
crafts for christmas
repurpose old christmas cards
christmas office party games
christmas scavenger list for adults
ideas for christmas gifts in mason jars
free printable christmas word scramble
ugly christmas sweater party invitation wording
christmas weight loss team names
Nothing really jumps out. But how about this set:
christmas door decorating ideas
christmas door decorating contest winners
christmas coordinate plane graphs
Together with the "preschool bulletin board" example, it shows that many of the would-have-been victims were school teachers searching for holiday activities. (There were a bunch of additional "Christmas door" examples in the logs, by the way. And for the benefit of our readers who live outside of the U.S., it is a very common tradition in American schools for teachers to decorate their classroom door for upcoming holidays, and this can get pretty competitive at times, as the teachers vie for fame and glory within their school for having the best-looking door.)
Non-holiday SEP Examples
If holiday-themed searches weren't dominating the SEP attacks, did anything else jump out at me?
Not really. In skimming through the logs, I easily found examples from many of the categories that showed up in last year's more detailed research:
sample eagle scout letter of recommendation
sample personal statement nurse practitioner program
QA manager resume samples free download
Kids trying to get around the school web filter:
proxy to get on facebook at school
age of war 2 unblocked at school
Minor celebrity searches (since major celebs have so much competition):
heather nauert swimsuit (I had to look her up: she's apparently a Fox News reporter)
conversion from nitroglycerin ointment to patch
left sided back pain worse at night
And one category that I didn't highlight a year ago; so if anything interesting popped up this time, I suppose it would be this next category...
Year-end Performance Reviews:
employee year end performance self assessment examples
promotion announcement to all employees
answers to commanders safety course ver 3.1
performance appraisal phrases
But, in general, I suspect that last year's estimate of around 40% of SEP attacks targeting Miscellaneous categories still holds pretty true. They are all over the map...
I suppose it's bad enough that the cybercriminals are targeting holidays with their junk at all, but as I was looking through the logs for the "gift" searches, I came across a couple of examples that I wanted to highlight:
anniversary gifts for troubled marriages
romantic homemade gifts for girlfriend
And these made me realize why I really don't like the Bad Guys. Here were innocent people who were trying to do something really meaningful for someone they loved, and the stinkin' SEP gangs were trying to ambush them with scams or malware.
P.S. On a lighter note, I think a special award for "Most Interesting Gift Search Leading to SEP" needs to go to the guy who thought that the perfect gift for his wife/girlfriend was a "pink camo stock for remington 870". (If he was the same guy who searched for "antlers for sale on ebay", she's going to be in for a big surprise on Christmas morning...)