A report from the security firm Blue Coat Systems identifies a rising threat to computer users in the enterprise and in the home: Search Engine Poisoning (SEP), in which Web pages delivering a malware payload are made to look like legitimate pages and include keywords that would cause them to come up in search results. At the same time, Blue Coat's mid-year security report identifies the rising threat of malware delivery networks (MDNs) that are growing in size by swallowing up smaller MDNs.
Although SEP has been around for a while as an attack method, it is now the number one emerging threat online, according to the Blue Coat report. Search engine-delivered malware is as much of a concern to enterprise workers as consumers because workers often legitimately use search in the course of their work, said Tom Clare, senior director of security product marketing for Blue Coat.
The way SEP works is that distributors of malware maintain large "link farms" where they create malicious links that represent all sorts of things people would search for online. Clare gave the example of Keen Footwear, a brand of hiking shoes. If someone searches for that brand in a search engine, as many as half of the top 10 results could be links to malware. SEP is particularly devious in that it doesn't actually have to infect the Web site of Keen Footwear but can still trick end users.
"When you click on that site it sees that you're coming from a search engine and because you came from a search engine with the query string 'looking for Keen shoes' at that compromised site, it then forwards you into the malware delivery network," Clare said. SEP doesn't attack users who go directly to a site.
Cyber criminals who use search engine poisoning look for URLs that are vulnerable to cross-site scripting (XSS), a weakness in Web applications that enables attackers to inject malicious code, said Scott Crawford, managing research director at Enterprise Management Associates.
"They may look like they are going to a legitimate site but they are taking advantage of the site's vulnerability to cross-site scripting to redirect the user to a malicious Web site," Crawford said. "[SEP] has been around a while but is rising in use because ... it enables attackers to use oftentimes highly rated or legitimate Web sites as part of an attack."
