Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Reality Check

What You Need to Know About Search Engine ‘Poisoning’

Created: 04 Jan 2010 • Updated: 03 Jun 2014
Ctrox's picture
0 0 Votes
Login to vote

Cyber-criminals are using search engines as platforms from which they deliver malicious code. It’s an increasingly common practice known as search engine “poisoning.”

Earlier this year it was reported that Google was serving up advertisements that led to misleading applications (also known as rogue security software). The scammers were taking advantage of Google-sponsored ads for acquiring traffic and redirecting it to malware-infected copies of legitimate software.

In one case, a Google search for a popular data compression utility led to a fake downloads page hosting a bogus version of the utility. The end result was that the user was tricked into running a security scan using this rogueware and receiving confirmation that the machine was indeed infected. The criminals then attempted to sell a disinfection tool to remove the malware they installed on the victim’s machine.

The various tactics that cyber-criminals use to hoodwink users into downloading rogue security software are documented in Symantec’s recently released Report on Rogue Security Software.

Preying on users’ fears

To encourage unsuspecting users to install their rogue software, cyber-criminals place ads on search engine indexes that prey on users’ fears of security threats. These ads typically include false claims (such as “If this ad is flashing, your computer may be at risk or infected”), urging users to follow a link to scan their computer or get software to remove the threat.

Many of these scams are very lucrative and appear to be run by highly organized groups or individuals who maintain an effective distribution network. 

Symantec has observed a wide variety of methods employed by scammers to trick users into downloading rogue security software. For example, rogue security software sites may appear at the top of search engine indexes if scam creators have “seeded” the results.

Attempts to falsely promote search engine results usually rely on exploiting popular news items, events, or celebrities. Scam perpetrators use a range of “black hat” search engine optimization techniques to effectively poison search engine results and increase the ranking of their scam Websites whenever any topical news event is searched.

For example, the Downadup worm (also known as Conficker) emerged and spread rapidly late in 2008, with well over one million individual computers affected by the end of that year. To play on consumers’ fears of the worm, scam perpetrators created Website pages full of terms such as “remove virus” or “free antivirus,” etc. This increased the keyword count of the pages, thus making them seem more relevant to search engine relevancy algorithms.

Another method was used in the promotion of AntiVirus 2009, one of the most widely reported of these programs in the past year. In this approach, once AntiVirus 2009 is installed on a computer, it creates a browser helper object (BHO) that modifies all pages from a search engine by adding a fake “security tip” that appears to originate from the search engine company, complete with legitimate logos. In reality, this tip service is non-existent. The purpose of the tip on the Web page is to entice the user of the compromised computer to click on the link to “activate” Antivirus 2009.

Some misleading applications may actually expose a computer to additional threats because they instruct users to lower existing security settings in order to advance the registration process. Some of these applications are also programmed to prevent a compromised computer from accessing legitimate security vendor Websites, thus obstructing the victim’s ability to research how to remove the misleading software.

Another inherent risk is that, in addition to the immediate scam, the personal and credit card information that users provide if they register these fake products could be used in additional fraud or sold in the underground economy.

Protect yourself

There are a number of general measures that end users can employ to protect against fraud-related activities such as rogue security software and search engine poisoning:  

  • Raise your level of awareness. Scrutinize all search engine results thoroughly. 
  • Be cautious of pop-up displays and banner advertisements that mimic legitimate displays or try to promote security products. 
  • Do not accept or open suspicious error displays from within a Web browser as these are often methods rogue security software scams use to lure you into downloading and installing their fake product. 
  • Purchase security software only from reputable and trusted sources and only download applications directly from the vendor’s Website or legitimate partners. 
  • Exercise caution when browsing the Web. Since malicious attacks can result in the hijacking of open sessions, make sure to log out of Websites when your session is complete. 
  • Regularly review your credit card and other financial information as this can provide information on any irregular activities.