Just as SQL attacks inject malicious code into databases, link farms "inject" malware into search engine results, according to Chris Larsen, malware research team lead for Blue Coat Systems. And the problem isn't going away.
Speaking at the RSA Conference in San Francisco today, Larsen said that search engine poisoning is easy to do and hard for search engines to detect.
"If the bad guys have something that works well and they do a lot of it, it behooves us good guys to understand it, so we can do something about it," he told the conference audience. In its summer and winter 2011 reports, Blue Coat found that 40 percent of the attacks it tracks began in search -- more than any other vector.
Search engine poisoning aims to lead innocent searchers to malware or scam destinations. First, black hats create link farms -- sites consisting of thousands of links to bogus pages. Then, they use bots to spam the web with links to the bogus sites by making nonsense comments on blogs and in forums. Larsen showed a screen grab from a forum discussion consisting of computer-generated usernames replying to each other with strings of links.
"To the search engine, that says this is an exciting story and people are involved," Larsen said. So, the engines rank the pages highly, allowing them to float up to the top of search results.
When a user clicks on one of these search results, he goes to a page where there's visible bait for humans in the form of the link name, which often references pornography or shopping deals. But, when clicked, the link goes instead to a script or a page where malware can be placed on the user's computer.
This scam works for two reasons, Larsen said. First, it generates tons of traffic, upping the likelihood of someone taking the bait. More important, he said, the scam attracts users who are already in "explore mode," clicking to unfamiliar sites. "They do this because they trust the search engine," Larsen said.
Unfortunately, Larsen said, "There is built-in hackability to the search model." Search engines are built to let people "inject" pages into the search index. But, while the version you give to a search engine might be totally safe when indexed by the engine, the search service might not notice that it's later hijacked. Because the search engine only serves the URL, when people click to make the page request from a server, it can serve them something different -- something with a hook in it.
Larsen said search engines have their hands full dealing with people doing white and grey hat search engine optimization. "It's hard for them to pick the black needles out of the haystack," he said.
Some things have improved in the two years since Larsen started tracking search engine poisoning. For example, he's found that Bing and Yahoo now have no more poisoned search results than Google. In general, search engine poisoning attacks related to big events have also diminished.
On the other hand, Larsen said, he's seeing more attacks based on image search. These are harder for the search engines to detect algorithmically.
He's also noticed a rise in link farms that are dynamically generated to create the best match for a particular search query, helping them to show up at or near the top of search results.
Preventing search engine poisoning attacks begins with raising the level of awareness among searchers, Larsen said. He's found that, while most users understand that there could be malware in emails, many don't realize that it may be unsafe to click on some search results. He likes the safe preview feature now available from Google and Bing (which now powers Yahoo search, as well).
In the enterprise, system administrators can help prevent damage from poisoned search results by blocking dicey categories or domains with a secure gateway that intercepts traffic to and from blacklisted sites. It's also important, Larsen said, to secure company-owned sites -- including blogs and user forums -- so they don't become part of the problem.
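One way to act on the advice to secure company-owned blogs and forums, as an added example rather than anything shown in Larsen's talk: a heuristic that holds comments made up mostly of links to other sites for moderation. The thresholds, function names and sample thread are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

# Assumed thresholds for illustration; tune them against your own forum's traffic.
MIN_LINKS = 3           # a "string of links" rather than a single citation
MIN_LINK_DENSITY = 0.5  # share of whitespace-separated tokens that are URLs


def external_hosts(text, own_host):
    """Return the hosts linked in text, excluding the site's own host and subdomains."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and host != own_host and not host.endswith("." + own_host):
            hosts.add(host)
    return hosts


def score_comment(text, own_host):
    """Compute link count, link density and external host count for one comment."""
    tokens = text.split()
    links = URL_RE.findall(text)
    density = len(links) / len(tokens) if tokens else 0.0
    return {"links": len(links), "density": round(density, 2),
            "external_hosts": len(external_hosts(text, own_host))}


def is_link_spam(text, own_host):
    """Flag comments that are mostly links pointing away from the site."""
    s = score_comment(text, own_host)
    return (s["links"] >= MIN_LINKS and s["density"] >= MIN_LINK_DENSITY
            and s["external_hosts"] >= 1)


def review_thread(comments, own_host):
    """Return the usernames whose comments should be held for moderation."""
    return [user for user, text in comments if is_link_spam(text, own_host)]


# Constructed sample thread (not real data); hosts use reserved example domains.
SAMPLE_THREAD = [
    ("kx82hq", "great http://a.example.net/p1 http://b.example.net/p2 http://c.example.net/p3"),
    ("zz19pl", "http://a.example.net/p4 http://d.example.net/p5 nice http://b.example.net/p6"),
    ("maria", "The fix is described at https://forum.example.com/t/42 and it worked for me after a reboot."),
    ("devon", "See https://docs.example.org/guide for details, section three covers the gateway setup."),
]

if __name__ == "__main__":
    print(review_thread(SAMPLE_THREAD, "forum.example.com"))
```

A heuristic like this only queues comments for review; ordinary posts that cite one or two sources pass through untouched.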
Susan Kuchinskas covers technology, business, and culture from Berkeley, California.