Rogue Antivirus Lurks Behind Google Doodle Searches

In Esperanto the word is "malica." It means malicious and it's the best way of describing many of the search results Google visitors got Tuesday when they clicked on Google's front-page Doodle sketch, dedicated to Esperanto's creator.

It's the latest example of just how good scammers have become at manipulating Google search results. For months now, they've followed Google's Trending Topics section and then used search engine optimization techniques to push hacked Web pages up to the top of Google's search results, security experts say.

They do this by flooding hacked pages with keywords that are then recorded by Google's search engine.

Hackers have several ways of getting their code on legitimate Web sites -- lately they've focused on stealing FTP login credentials, according to Dave Michmerhuizen, a research scientist with Barracuda Labs.

The hacked sites that pop up when one clicks on Tuesday's Google Doodle include a hair salon in New Jersey, a Texas tree company, and a science fiction group.

On Tuesday, clicking on the illustration on Google's front page commemorating the 150th anniversary of the birth of Esperanto's creator, L. L. Zamenhof, generated an awful lot of malicious search results -- taking visitors to dodgy advertisements or to pages that tried to trick them into thinking their computers were infected and paying for fake antivirus software.

These results remained steadily in the top 5 to 10 search results for people who clicked on the Google Doodle link today, and often filled up about half of the first few pages of results, Michmerhuizen said.

"I see this all the time," he said. "Poisoning a trend is nothing new, but in this particular case, it's a search where you actually click on Google's logo and you get results back from sites where half of the links have been compromised."

A Google spokesman said that this type of problem affects other search engines as well. Google is aware of Tuesday's Doodle problem and has "already removed many of these sites from our index," he added.

"To do this, we have manual and automated processes in place to enforce our policies," he said. "We're always exploring new ways to identify and eliminate malicious sites from our index."
