Vulnerabilities / Threats
7/28/2009
06:02 PM

Google Hot Trends Dictate Malware Targeting

Popular search terms get more dangerous, a security report finds. And crossword puzzle players should be particularly vigilant.

Spammers and scammers are increasingly using Google to identify topics that will tempt people to open malicious messages and click on malicious links. They're also gaming Google's search system to target people seeking answers to The New York Times crossword puzzle.

"In July, there was an increased prevalence of spammers utilizing Google's trending topic information as a method to determine new social engineering tactics," says the August threat forecast issued by MX Logic, a messaging security company.

Google Hot Trends provides a periodically updated list of the top 100 search queries. Using this information, cyber criminals can create links associated with trending search terms on various Web sites that point back to their malicious site.

Because Google's PageRank algorithm treats links as votes for higher prominence in search results lists, malicious sites can be promoted to the top of search results pages by gaming Google's system. This tends to generate a lot of traffic due to the popularity of the search terms.

This isn't a new problem for Google, which has been dealing with link spam and PageRank manipulation for years. In a blog post in February, Craig Schmugar, threat research manager for McAfee Avert Labs, noted that Google Trends was being used to target malware and that Google subsequently appeared to have removed the malicious pages from its index.

"We work hard to protect our users from malware," a Google spokesperson said in an e-mailed statement. "Many of these results have been removed from our index. However, this issue affects more than just Google, as these sites are still part of the general Web. In all cases, we actively work to detect and remove sites that serve malware from our index."

Google says that it uses manual and automated processes to deal with such issues and that it continues to look for new ways to prevent the problem.

A highly targeted form of interest-driven attack is being directed at people who use Google to help them solve The New York Times crossword puzzle. Google searches for puzzle clue phrases have started returning links to malicious Web sites.

According to The New York Times, one of the paper's legal counsels explained in an e-mail that the scam works because of the rarity of the phrases used as crossword puzzle clues. Creators of malicious sites can easily appropriate puzzle phrases to make their sites rank prominently in Google searches.
