Malware Delivery via your Friendly Search Engine, Compliments of the Bad Guys
Author: Ryan Spanier, firstname.lastname@example.org
I’ve talked with a lot of financial institutions over the years about malware alerts, and each time the first thing they want to know is, “How did we get infected?” They point to their state-of-the-art, up-to-date antivirus software and content filtering solution. They have spam and email threat detection. They even restrict personal USB flash drives in their environment. Of course, the “dirty little secret” is that no technology solution is fool-proof. Malware authors know exactly what they are up against, and they tailor their delivery methods to bypass your defenses. Their number one weapon? Your search engine. After all, hacking through firewalls and avoiding IPS sensors seems like a lot of work, so why not just let company employees download malware applications themselves?
Employees at institutions are generally using the Internet for business purposes; however, there are times when we may use the Internet to run errands like shopping, learning about world events, or paying online bills. That’s where the search engine comes in. Whenever we want to find out something new, whether it’s about world news or a new website, we turn to our friendly search engine. Unfortunately, so do malware publishers.
The technique is called “search engine optimization (SEO) poisoning.” The algorithms search engines use to rank page results are based on somewhat public information. There are many techniques for taking advantage of these algorithms, but in the end what you find is not always what you were looking for. Once a user clicks on a malicious search result, they are taken through a few layers of redirection until they reach a malware-serving website. These sites will typically try a few different strategies to install malware on the machine:
- They are designed to look like antivirus or utility application warnings.
- They can exploit vulnerable out-of-date applications like Adobe Acrobat or Java.
- They are difficult to close without clicking a download area.
- They prey on user fear.
Making matters worse, the bad guys are now targeting image searches as well, where poisoned results are much harder to distinguish.
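The redirection chain described above leaves a visible trail in a web proxy log: a click with a search-engine referrer, several cross-domain 30x hops, and finally an executable download from a site the user never searched for. The following detection script is an added example for this article, not code from the author; the proxy log lines and their field layout (timestamp, client, method, URL, status, referrer, content type) are constructed here for illustration, and the host and content-type lists are assumptions you would tune to your own environment.

```python
"""Flag proxy-log sessions where a search-engine click leads through a chain of
cross-domain redirects to an executable download (SEO poisoning pattern)."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed lists; adjust for the search engines and binary types seen in your environment.
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}

# Constructed sample log. Fields: ts client method url status referrer content_type
SAMPLE_LOG = """\
100 10.0.0.5 GET http://www.google.com/search?q=news 200 - text/html
101 10.0.0.5 GET http://news-aggregator.example/article 302 http://www.google.com/search?q=news text/html
102 10.0.0.5 GET http://hop1.example/r 302 http://news-aggregator.example/article text/html
103 10.0.0.5 GET http://hop2.example/x 302 http://hop1.example/r text/html
104 10.0.0.5 GET http://av-alert.example/scan.html 200 http://hop2.example/x text/html
105 10.0.0.5 GET http://av-alert.example/setup.exe 200 http://av-alert.example/scan.html application/x-msdownload
200 10.0.0.9 GET http://www.bing.com/search?q=weather 200 - text/html
201 10.0.0.9 GET http://weather.example/today 200 http://www.bing.com/search?q=weather text/html
"""


def host(url):
    """Return the host part of a URL ('' for the '-' placeholder referrer)."""
    return urlparse(url).netloc if url != "-" else ""


def parse_log(text):
    """Parse the space-separated log format into a list of request dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, referrer, ctype = line.split()
        records.append({"ts": int(ts), "client": client, "method": method, "url": url,
                        "status": int(status), "referrer": referrer, "ctype": ctype})
    return records


def walk_chain(start, by_referrer):
    """Follow referrer links forward from a request; 'seen' guards against cycles."""
    chain, seen, cur = [start], {start["url"]}, start
    while True:
        nxt = next((n for n in by_referrer.get(cur["url"], [])
                    if n["ts"] > cur["ts"] and n["url"] not in seen), None)
        if nxt is None:
            return chain
        chain.append(nxt)
        seen.add(nxt["url"])
        cur = nxt


def cross_domain_redirects(chain):
    """Count hops where a 30x response sent the client to a different host."""
    return sum(1 for prev, cur in zip(chain, chain[1:])
               if prev["status"] in REDIRECT_STATUSES and host(prev["url"]) != host(cur["url"]))


def find_suspicious_chains(records, min_cross_domain_hops=2):
    """Return one finding per search-engine click that redirected across domains
    at least min_cross_domain_hops times and ended in an executable download."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    findings = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        by_referrer = defaultdict(list)
        for r in reqs:
            by_referrer[r["referrer"]].append(r)
        for r in reqs:
            if host(r["referrer"]) not in SEARCH_ENGINE_HOSTS:
                continue  # only chains that begin with a search-result click
            chain = walk_chain(r, by_referrer)
            hops = cross_domain_redirects(chain)
            exe = next((c for c in chain if c["ctype"] in EXECUTABLE_TYPES), None)
            if hops >= min_cross_domain_hops and exe is not None:
                findings.append({"client": client, "search_click": r["url"],
                                 "cross_domain_redirects": hops,
                                 "landing_host": host(chain[-1]["url"]),
                                 "executable_url": exe["url"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(f)
```

The chain walk relies on the referrer header being present, which browsers commonly strip on cross-scheme or privacy-restricted navigations, so treat a flagged session as a lead for the security team to examine the endpoint, not as proof of infection, and pair it with the executable-download event itself, which needs no referrer to be spotted.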
So, what can users do to protect themselves? Well, first off, stop relying on search engines for news. I know, it sounds crazy, and there are definitely perfectly acceptable times to use them. However, when searching for the latest news and gossip, try checking a well-known website like CNN or Fox News. Second, if you see a pop-up claiming you are infected with malware, don’t click on it, as usually this will initiate a download. Even worse, don’t install the application that’s downloaded either. Most importantly, notify your Information Security team so they can check out your system. Many users are fearful they did something wrong by browsing “non-business” websites and will try to fix the problem themselves so that they don’t tip off IT. This is very dangerous for both the employee and the institution. An institution’s best defense against SEO poisoning is user education. Be sure users are aware of the threats search engine results pose, and, most importantly, that they aren’t afraid to let you know when something suspicious happens.