It used to be one was at most risk of getting a computer virus via spam or frequenting bad Internet neighborhoods (places one probably shouldn’t be hanging out in the first place, picking up just any old download they come across). These days malware pushers have come out in the open where the masses collect, and places like Google, Facebook, and Twitter are starting to resemble the Time Square of old—with peril and vice all around.
Today’s aggressive and spooky abuse of trusted giants reveals just how sophisticated and manipulative these guys have become. By following Google Trends, and with some sharp SEO skills to take advantage of Google’s famed real-time indexing, Scammers are directly targeting Google’s search results, trusted by as many as 70 percent of Internet searchers.
McAfee researcher Craig Schmugar points to the recent Gmail outage as an example. When that happened, many were searching for the cause or solution to the problem, and Schumagar shows how a malicious link copying verbatim the top news source text as a snippet, shows up fourth in the search rankings, following highly recognizable and trusted sources like Google News, Digg.com, and Mashable.
A subsequent link query found the domain linked to several other trending topics: Quiznos (a free sub giveaway promotion), Sharon Stone at the Oscars, Extreme Makeover foreclosure, Nicky Hilton, IHOP all you can eat pancakes promotion. All of them obviously target what the average searcher may be seeking.
That same malicious link—which led to a scareware prompt only if arriving via a search engine (gibberish if you just enter it into a browser, thereby masking the intent some)—was also found directly on the Google Trends page for Ash Wednesday, which was yesterday.
“I do not recall any previous attacks abusing Google Trends this aggressively,” said Schmugar. “The malicious links are being distributed across numerous sites, targeting many high-profile search terms, and the poisoned links are regularly appearing high up on Google results pages.”
Because of this, Schmugar doubts there is a link between the “Error Check System” message many Facebook users received. Facebook has been criticized for allowing this because the company doesn’t verify or approve third party applications. Allowing the app allowed friends to be spammed with the same message, and searching the phrase led them to similar scareware index-related peril.
However, this new aggressive targeting of popular search trends, and Facebook’s odd spam messaging, occur simultaneously with other social/Google-related incidents. This week, Google Talk users were bamboozled by an invitation to click a shortened (read: masked) URL to a dangerous supposed video site.
To reach email inboxes more frequently, spammers are masking links typically ousted by filters by using Google search links to the target site instead of the URL itself. Twitterers also fell prey to URL shortening “Rickrolls” to dangerous sites recently, submitted by people they follow. Why are they following scammer strangers? Because some use scripts to follow those who follow them automatically to build up their follow lists. In addition, Twitter doesn’t verify email addresses, making it easy for spammers to sign up.
Targeted trusted social networks and social applications may have two purposes. One is obviously to abuse the trust users themselves place in them. The other may have to do with SEO. Everybody and their brother might create content based upon explosive search trends, but their not reaching the top of the search results that quickly. Scammers are likely arriving there by taking advantage of trusted sites to gain “trusted” links, largely upon which Google bases its results.
InternetStormCenter’s Swa Frantzen illustrated how malware users dupe webmasters into giving over their trusted link juice. By posing, for example, as a webmaster from a university, scammers email a webmaster of a site linking to the university’s site and say that site will no longer be active in the coming week, thus breaking that webmaster’s outgoing link. The scammer tells the webmaster to link to another domain instead (maybe a similar dotcom instead of a dotedu), which is in fact an iframe imposter.
All of this is creating a perfect storm of trusted website abuse leaving millions upon millions vulnerable. All of the sites mentioned need to take aggressive steps against these actions. Google needs to make some adjustments to its crawlers, Facebook needs to start verifying and approving third party apps, Twitter needs to start requiring valid email addresses, and users should be wary of shortened URLs supplied by strangers.
