Search Engine Poisoning: One More Thing To Worry About

A report from security firm Blue Coat Systems identifies a rising threat to computer users in the enterprise and in the home: Search Engine Poisoning (SEP), in which Web pages delivering a malware payload are made to look like legitimate pages and include keywords that would cause them to come up in search results.

July 5, 2011


A report from the security firm Blue Coat Systems identifies a rising threat to computer users in the enterprise and in the home: Search Engine Poisoning (SEP), in which Web pages delivering a malware payload are made to look like legitimate pages and include keywords that would cause them to come up in search results. At the same time, Blue Coat's mid-year security report identifies the rising threat of malware delivery networks (MDNs) that are growing in size by swallowing up smaller MDNs.

Although SEP has been around for a while as an attack method, it is now the number one emerging threat online, according to the Blue Coat report. Search engine-delivered malware is as much of a concern to enterprise workers as consumers because workers often legitimately use search in the course of their work, said Tom Clare, senior director of security product marketing for Blue Coat.

The way SEP works is that distributors of malware maintain large "link farms" where they create malicious links that represent all sorts of things people would search for online. Clare gave the example of Keen Footwear, a brand of hiking shoes. If someone searches for that brand in a search engine, as many as half of the top 10 results could be links to malware. SEP is particularly devious in that it doesn't actually have to infect the Web site of Keen Footwear but can still trick end users.

"When you click on that site it sees that you're coming from a search engine and because you came from a search engine with the query string 'looking for Keen shoes' at that compromised site, it then forwards you into the malware delivery network," Clare said. SEP doesn't attack users who go directly to a site.
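The behaviour Clare describes, a compromised page that serves normal content to direct visitors but bounces search-engine arrivals into the delivery network, leaves a recognisable trace in a Web proxy or gateway log: a redirect whose Referer is a search engine and whose Location points at an unrelated domain. The following Python is an added example, not part of the Blue Coat report or this article; the log format, the search-engine host pattern and the sample lines are all constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log (not real traffic). Fields, space separated:
# timestamp client method url status referer location   ('-' when absent)
SAMPLE_LOG = """\
2011-07-05T10:01:02Z 10.0.0.5 GET http://shop.example.com/keen-shoes 200 http://www.google.com/search?q=keen+shoes -
2011-07-05T10:01:09Z 10.0.0.7 GET http://blog.example.org/review?id=42 302 http://www.bing.com/search?q=keen+footwear http://dl.badsite.test/go.php
2011-07-05T10:02:15Z 10.0.0.7 GET http://blog.example.org/review?id=42 200 - -
2011-07-05T10:03:30Z 10.0.0.9 GET http://news.example.net/article 301 http://search.yahoo.com/search?p=twilight+movie http://news.example.net/article/
"""

# Hypothetical search-engine host pattern; extend it for the engines your users use.
SEARCH_ENGINE_RE = re.compile(r"(^|\.)(google|bing|yahoo)\.")


def registered_domain(host):
    """Crude registered-domain extraction (last two labels); enough for this example."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line):
    """Split one constructed log line into a record."""
    ts, client, method, url, status, referer, location = line.split(" ", 6)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "referer": referer, "location": location}


def is_search_referral(referer):
    """True when the Referer host matches the search-engine pattern."""
    if referer == "-":
        return False
    return bool(SEARCH_ENGINE_RE.search(urlparse(referer).hostname or ""))


def search_query(referer):
    """Recover the search terms from common query-string keys, if present."""
    params = parse_qs(urlparse(referer).query)
    for key in ("q", "p", "query"):
        if key in params:
            return params[key][0]
    return None


def find_sep_redirects(log_text):
    """Requests that came from a search engine and were redirected to another domain."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not rec["status"].startswith("3") or rec["location"] == "-":
            continue
        if not is_search_referral(rec["referer"]):
            continue
        req_dom = registered_domain(urlparse(rec["url"]).hostname or "")
        loc_dom = registered_domain(urlparse(rec["location"]).hostname or "")
        if req_dom == loc_dom:
            continue  # on-site redirects (canonical URL, trailing slash) are normal
        findings.append({"client": rec["client"], "url": rec["url"],
                         "redirect_to": rec["location"],
                         "query": search_query(rec["referer"])})
    return findings


def cloaking_suspects(log_text):
    """URLs that bounced search visitors off-site but served 200 to a direct visit.

    That contrast is the referer-conditioned cloaking the article describes:
    the same page looks clean when fetched without a search-engine Referer.
    """
    redirected = {f["url"] for f in find_sep_redirects(log_text)}
    direct_ok = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["referer"] == "-" and rec["status"] == "200":
            direct_ok.add(rec["url"])
    return sorted(redirected & direct_ok)


if __name__ == "__main__":
    for f in find_sep_redirects(SAMPLE_LOG):
        print(f"{f['client']} searched {f['query']!r}, hit {f['url']}, "
              f"sent to {f['redirect_to']}")
    print("cloaking suspects:", cloaking_suspects(SAMPLE_LOG))
```

The second function is the useful one for triage: a URL that only redirects off-site when the visitor arrived from a search engine, yet returns 200 to a direct request, is exactly the case where a security team fetching the page by hand would see nothing wrong. Re-fetching flagged URLs with and without a search-engine Referer reproduces that check outside the log.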

Cyber criminals who use search engine poisoning look for URLs that are vulnerable to cross-site scripting (XSS), a weakness in Web applications that enables attackers to inject malicious code, said Scott Crawford, managing research director at Enterprise Management Associates.
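The weakness Crawford points to is a page that reflects attacker-controlled input (a query string, a redirect parameter) into its output without checking it, so an injected URL can send the visitor elsewhere. The following Python is an added example, not code from either firm quoted here; the host name, the weak check and the rendered snippet are constructed for illustration. It puts a naive redirect check beside a stricter one and shows the output encoding that stops reflected input from executing.

```python
import html
from urllib.parse import urlparse, urljoin


def naive_is_safe_redirect_target(target):
    """The weak check: 'starts with a slash, so it must be local'.

    Scheme-relative targets such as //other.host/path also start with a slash,
    and browsers resolve them to a different site.
    """
    return target.startswith("/")


def is_safe_redirect_target(target, expected_host):
    """Accept only http(s) targets that resolve to expected_host.

    The target is resolved against the site's own origin first, so relative
    paths are allowed while scheme-relative, absolute and non-http targets are
    judged by the host they actually resolve to.
    """
    if not target or any(ch in target for ch in "\r\n\\"):
        return False  # header-injection characters and backslash-as-slash tricks
    resolved = urljoin(f"https://{expected_host}/", target)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):
        return False  # javascript:, data: and friends never qualify
    # hostname ignores userinfo, so user@other.host is judged by other.host
    if parsed.hostname is None or parsed.hostname != expected_host.lower():
        return False
    return True


def choose_redirect(target, expected_host, fallback="/"):
    """Return the target when it passes the strict check, else the site's fallback."""
    return target if is_safe_redirect_target(target, expected_host) else fallback


def render_search_echo(query):
    """Reflect a user-supplied search term into HTML with output encoding applied."""
    return f"<p>Results for: {html.escape(query)}</p>"


if __name__ == "__main__":
    host = "shop.example.com"  # hypothetical site
    for candidate in ["/reviews/keen", "//dl.badsite.test/go.php",
                      "javascript:alert(1)", "https://shop.example.com@dl.badsite.test/"]:
        print(f"{candidate!r:45} naive={naive_is_safe_redirect_target(candidate)} "
              f"strict={is_safe_redirect_target(candidate, host)}")
    print(render_search_echo("keen shoes <script>x</script>"))
```

Note that the strict check deliberately ignores the port, so a target on the same host but a different port is accepted; tighten the comparison to `parsed.netloc` if that matters for the site in question.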

"They may look like they are going to a legitimate site but they are taking advantage of the site's vulnerability to cross-site scripting to redirect the user to a malicious Web site," Crawford said. "[SEP] has been around a while but is rising in use because ... it enables attackers to use oftentimes highly rated or legitimate Web sites as part of an attack."

The Blue Coat report also sheds new light on the prevalence of malware delivery networks (MDNs) and, particularly, the threat they pose to enterprises.

MDNs pose a threat to users when they are linked to from online games, pornography, online gambling and other sites that would likely be blocked on corporate networks, said Clare, but they can also be delivered through sites that could have a legitimate work use such as online storage, software downloads, search engines and others.

Some MDNs are short-lived in that they only exist for a few weeks, such as an MDN that lured users to free pirated copies of one of the popular "Twilight" movie series, a search for "Osama bin Laden death photos" or other popular topics, he said: "It's like there's a freeway and someone just put up a new exit sign and 10 minutes later that exit sign goes away. But what road does that take you down?"

Separately, although the number of MDNs declined in late May, that was probably because smaller MDNs were acquired by larger ones, which combined their talent and resources to launch more attacks, Clare said.

Blue Coat is not the only security company that provides this kind of protection, but it is able to leverage its strength in enterprise network optimization to deliver that protection, said analyst Crawford.

Blue Coat has "a pretty strong footprint" in markets such as network application optimization, client side WAN optimization and app acceleration, he said. "This gives them a rather unique perspective on visibility into that [security] environment."
