Hackers Rig Google to Deliver Malware

Game On: Google Bombed

This massive attack had three notable features that point to the sophistication and planning behind it. The first is the culprits' use of botnets to push a dark form of SEO (search-engine optimization), called a "Google bomb," to boost their sites' Google rankings.

"They did an extraordinary job optimizing the search results using the bots," Eckelberry says.

Second, the poisoned sites carried JavaScript code on their pages designed to stop visitors coming via other search engines from being attacked--only visitors who came through a Google search were hit.

"[This trick was a] way of flipping the finger at Google," says Eckelberry. Experts don't know the motive behind directing the attacks at Google users, but online crooks have targeted specific sites and companies in the past when they felt threatened. Google recently launched an online form for reporting a site that Web users believe might contain malware.

Third, the manipulated pages carried code that kept the attack sites from appearing in results if the entered search term included certain expressions that security researchers commonly use. For example, Eckelberry had recently written about using "inurl" and "site," two of the singled-out terms.
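For defenders reviewing a suspect page, the second feature above (script that acts only for visitors arriving from one search engine) can be screened for statically. The following is an added example, not code from the article or from the attack: the function names, the host list, and the sample pages are constructed, and it assumes the gate reads `document.referrer`, which the article does not state.

```javascript
// Heuristic scanner for referrer-gated inline scripts (added example).
// Assumption: the gate reads document.referrer and names a search-engine host.
const SEARCH_HOSTS = /google\.|yahoo\.|bing\.|live\.com|msn\./i;
const READS_REFERRER = /document\s*\.\s*referrer|document\s*\[\s*['"]referrer['"]\s*\]/;
// Sinks that can load or navigate to further content.
const LOAD_SINK = new RegExp(
  "document\\.write|location\\s*(\\.\\s*(href|replace|assign))?\\s*[=(]" +
  "|createElement\\s*\\(\\s*['\"](script|iframe)['\"]");

// Return the bodies of non-empty inline <script> elements in an HTML string.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim()) out.push(m[1]);
  }
  return out;
}

// Flag scripts that read the referrer, mention a search-engine host,
// and contain a load/redirect sink. Reading the referrer alone is common
// in analytics code, so all three conditions are required.
function findReferrerGates(html) {
  const findings = [];
  inlineScripts(html).forEach((src, index) => {
    if (!READS_REFERRER.test(src)) return;
    if (SEARCH_HOSTS.test(src) && LOAD_SINK.test(src)) {
      findings.push({ script: index,
        reason: "referrer compared with search host before load/redirect" });
    }
  });
  return findings;
}

// Constructed sample pages (placeholder.invalid is a non-resolving placeholder).
const SAMPLE_GATED = '<html><script src="lib.js"></script><script>' +
  'if (document.referrer.indexOf("google.") !== -1) {' +
  ' location.replace("http://placeholder.invalid/"); }' +
  '</script></html>';
const SAMPLE_BENIGN = '<html><script>' +
  'var ref = document.referrer; track("pageview", ref);' +
  '</script><script>console.log("hello");</script></html>';

console.log(findReferrerGates(SAMPLE_GATED));
console.log(findReferrerGates(SAMPLE_BENIGN));
```

A hit is a reason to fetch the page again with and without a search-engine referrer and compare what is served; obfuscated scripts will evade a pattern match like this one.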

Despite Google's steps to eliminate the impact of comment spam on its search result rankings, the use of SEO techniques is growing in the online criminal underground. And bad guys don't employ the trick just to infect people's PCs. WhiteHat Security chief Jeremiah Grossman says that whoever hacked Al Gore's Web site recently added a link that could be seen only in the site's source code.

The link, which pointed to an online pharmacy site, was designed to give the drug site more relevance. Grossman says that, according to underground contacts, the top result for "buy Viagra online" is worth about $50,000 a month.
