Poisoned links plague Microsoft's Bing search
Microsoft’s Bing is the king of poisoned search engine links. Or, perhaps it isn’t.
A recent study by Fraser Howard, a principle virus researcher at SophosLabs, suggested that the risk of clicking on a “poisoned” link while using Bing was more than twice that from using Google, even though Google has more than four times the “market share” of Bing in search engine rankings.
But, those results come with a few caveats. Howard noted both the duration and method of his research in his post on Sophos’ Naked Security blog: “Taking data from the last couple of weeks for search engine redirects blocked on our web appliance, it is clear that the majority of the redirects are affecting those using the Bing search engine,” he wrote.
Specifically, 65 percent of those redirects were from Bing searches, while only 30 percent were from Google.
However, Chester Wisniewski, senior security adviser at Sophos, said: “We are not suggesting that 65 percentof Bing searches were poisoned, rather that of the poisoned searches encountered by Sophos customers, 65 percent were from users who use Bing. This might only be 1 percent—we don’t know—of all Bing searches.”
Wisniewski said this does not mean Howard’s survey, brief as it was, lacked credibility. “On the assumption that the results from our poll are somewhat reflective of our customers, approximately 43 percent of our readers use Google and 20 percent Bing,” he said.
“You could argue, based upon those statistics, that there are four times as many dodgy results on Bing as on Google,” Wisniewski said. “That’s not the most scientific of studies, but based on my experience this seems to be the case.”
Howard said that both Bing and Google are much better at filtering malware-laden text links than image links. He said 92 percent of malicious results were found via image search queries. Clicking on a rogue image “results in being redirected to a malicious Blackhole exploit site (v2, naturally!),” he wrote.
Francis Bea at Digital Trends reported that cybercriminals use blackhat, or banned, search engine optimization (SEO) to “increase the chances that a URL will appear on the front page of a search engine’s results.”
Still, the obvious question is: What, if anything, is Google doing that makes it more successful in blocking blackhat SEO and filtering out malicious links?
Wes Miller, of the independent analysis firm Directions on Microsoft, said one factor in Google’s relative success could be its long relationship with VirusTotal, which culminated in its recent acquisition by Google.
“It’s not known if VirusTotal is the reason for, or helps to prevent, these malicious links,” Miller said. “But it needs to be taken in consideration.”
“I think that it is possible that Google has generally spent more time and energy protecting users from search-induced malicious content, and this is one of the net results of spending those resources,” he said.
Wisniewski said he doesn’t know why Google’s results were so much better than Bing, “but they do have a lot more experience at combating people who want to make a living manipulating search engines.”
However, Wisniewski said another survey taken at a different time could show markedly different results. “Like most situations in computer security, this is largely a cat-and-mouse game,” he said. “We see Google make changes to its search ranking methodologies and many bad results vanish—then slowly, over time, the criminals figure out how to game the new algorithm. Bing might just be at the wrong part of this cycle or maybe they just haven’t had as much practice as Google.”
Chris Larsen, malware research team leader at Blue Coat, said the Sophos results confirm the conclusions of its own report on malnets, which he said are expected to drive more than two-thirds of all web-based attacks this year.
“Thirty-five percent of these attacks begin with poisoned search engine results. Using the same techniques as legitimate companies that are trying to optimize their websites for higher positioning in search results, bad guys can position their bait sites with malware,” Larsen said.
He said the most effective way to defend against those threats is not to focus on, identifying and blocking malware payloads, but instead “the infrastructures that deliver them.”