Vulnerabilities / Threats
7/28/2009
06:02 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Google Hot Trends Dictate Malware Targeting

Popular search terms get more dangerous, a security report finds. And crossword puzzle players should be particularly vigilant.

Spammers and scammers are increasingly using Google to identify topics that will tempt people to open malicious messages and click on malicious links. They're also gaming Google's search system to target people seeking answers to The New York Times crossword puzzle.

"In July, there was an increased prevalence of spammers utilizing Google's trending topic information as a method to determine new social engineering tactics," says the August threat forecast issued by MX Logic, a messaging security company.

Google Hot Trends provides a periodically updated list of the top 100 search queries. Using this information, cyber criminals can create links associated with trending search terms on various Web sites that point back to their malicious site.

Because Google's PageRank algorithm treats links as votes for higher prominence in search results lists, malicious sites can be promoted to the top of search results pages by gaming Google's system. This tends to generate a lot of traffic due to the popularity of the search terms.

This isn't a new problem for Google, which has been dealing with link spam and PageRank manipulation for years. In a blog post in February, Craig Schmugar, threat research manager for McAfee Avert Labs, noted that Google Trends was being used to target malware and that Google subsequently appeared to have removed the malicious pages from its index.

"We work hard to protect our users from malware," a Google spokesperson said in an e-mailed statement. "Many of these results have been removed from our index. However, this issue affects more than just Google, as these sites are still part of the general Web. In all cases, we actively work to detect and remove sites that serve malware from our index."

Google says that it uses manual and automated processes to deal with such issues and that it continues to look for new ways to prevent the problem.

A highly-targeted form of interest-driven attacks is being directed at people who use Google to help them solve The New York Times crossword puzzle. Google searches for puzzle clue phrases have started returning links to malicious Web sites.

According to The New York Times, one of the paper's legal counsels explained in an e-mail that the scam works because of the rarity of the phrases used as crossword puzzle clues. Creators of malicious sites can easily appropriate puzzle phrases to make their sites rank prominently in Google searches.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.