
Google poisoning and impersonations

March 31st, 2008

When we look for something on the Internet, most of us think of using Google’s search engine. Actually, for a lot of people, the Internet starts with a Google search. Google quickly surpassed its competitors and has established itself as the reference for online searches.
With a mission of presenting the best results as quickly as possible comes a certain responsibility. Indeed, we, as Internet users, trust Google to guide us to links that are safe and match our search query. That same trust we have when we see the Google logo can easily be used by hackers to design Google templates that look like the original, but are in fact dangerous websites.

Should we blame the giant search engine if we land on a malicious page that infects our PC after clicking on one of its links? Legally, we may not, but if this situation happened too often, we might get fed up and start using another search engine.

There has been a lot of talk recently in the media about Google poisoning. Basically, hackers hijack Google’s search results so that their malicious sites appear in the top ten results. Hackers create tens of thousands of sites specially crafted for Search Engine Optimization, which somehow find their way onto the first results page.



Figure 1: malicious page appears on Google. Thousands of those pages can be created in a matter of minutes to flood the other legitimate sites.

To give the search engine credit, Google is trying to remove those links as soon as it can. It also flags a lot of sites as dangerous and prevents you from directly visiting them. Stopbadware.org has done a lot of work on listing dangerous sites and gives webmasters explanations and tips.

Lastly, Google is not the only victim of search results poisoning. Microsoft’s Live Search has had its fair share too.



Figure 2: a warning from Google: “This site may harm your computer”

The other problem, although this time totally out of the hands of search engines, is lookalike sites. This paper will not talk about the larger problem that is phishing, whose main goal is to capture sensitive information (username/password, credit card number, etc.) using social engineering and other technical subterfuges.



Figure 3: Real Google page



Figure 4: Fake Google page

Let’s take a closer look at the fake Google webpage. Several areas have been changed. Although visually it looks pretty close to the original, the source code clearly shows the work of a hacker. An obfuscated JavaScript block will try to launch an exploit. Also, as if that were not enough, an add-on is required to do the ‘Google’ search properly. The add-on is actually a Worm that will infest the PC and propagate to other machines.

The icing on the cake (at least for us malware researchers) is the redirection to the AdultFriendFinder website when clicking on the Sign in link. Normally, this takes you to a page where you enter your username and password to log into your Google account. Instead, you land on an adult site.



Figure 5: Source code for the Fake Google page. Notice the part that says “secret code”… This is obfuscated JavaScript that hides malicious code.



Figure 6: Social engineering trick to download and execute a Worm.



Figure 7: The Sign in link actually redirects you to AdultFriendFinder.com



Figure 8: AdultFriendFinder.com sponsored by a pretty dubious affiliate
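The three tells described above (an obfuscated script, a prompt to download an executable “add-on”, and a Sign in link that leaves Google’s domain) are all visible in the page source, so they can be checked mechanically on a saved copy of a suspicious page. The following script is an added example written for this post, not code from the original article or from ParetoLogic; the sample HTML, the host name lookalike.invalid, and the list of expected Google hosts are constructed for illustration.

```python
"""Heuristic scan of a saved HTML page that presents itself as Google.

Flags three warning signs: a script that decodes an escaped string and then
executes or writes it (the "secret code" pattern), links to executables
offered as a required add-on, and a Sign in link whose host is not one of
the expected Google hosts. All sample data below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a genuine Google sign-in link is allowed to point at.
EXPECTED_HOSTS = {"google.com", "www.google.com", "accounts.google.com"}

# Constructed lookalike page showing all three warning signs.
SAMPLE_HTML = """<html><head><title>Google</title>
<script>
// secret code
var s=unescape("%3c%73%63%72%69%70%74%3e%61%6c");eval(s);
</script></head>
<body>
<a href="http://accounts.google.com/ServiceLogin">Sign in</a>
<a href="http://lookalike.invalid/signin">Sign in</a>
<p>Install the Google Search add-on to search properly:
<a href="http://lookalike.invalid/google_addon.exe">Download</a></p>
</body></html>"""

# A run of at least 8 %xx, \xNN or \uNNNN escapes: typical of packed payloads.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}")
# Calls that decode and then execute or inject the decoded text.
DECODE_EXEC_CALLS = re.compile(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".pif")


class PageScanner(HTMLParser):
    """Collects inline script bodies and (href, anchor text) pairs."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.links = []
        self._in_script = False
        self._cur_href = None
        self._cur_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "a":
            self._cur_href = attrs.get("href", "")
            self._cur_text = []

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "a" and self._cur_href is not None:
            self.links.append((self._cur_href, "".join(self._cur_text).strip()))
            self._cur_href = None

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data
        elif self._cur_href is not None:
            self._cur_text.append(data)


def script_looks_obfuscated(src):
    """True when a script carries a long escape run AND a decode/execute call."""
    return bool(ESCAPE_RUN.search(src)) and bool(DECODE_EXEC_CALLS.search(src))


def scan(html, expected_hosts=EXPECTED_HOSTS):
    """Return a list of (finding_kind, detail) tuples; empty means nothing flagged."""
    parser = PageScanner()
    parser.feed(html)
    findings = []
    for index, src in enumerate(parser.scripts):
        if script_looks_obfuscated(src):
            findings.append(("obfuscated_script", f"script #{index}"))
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(("executable_download", href))
        # Relative links (empty host) stay on the page's own site and are not flagged here.
        if "sign in" in text.lower() and host and host not in expected_hosts:
            findings.append(("offsite_signin", href))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Running the script on the constructed sample reports one obfuscated script, one executable download link and one off-site Sign in link; a page whose only link is a Sign in pointing at www.google.com produces no findings. The escape-run threshold and the list of decode/execute calls are deliberately simple heuristics, so a real triage workflow would pair this with the domain reputation lists the post mentions rather than rely on it alone.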

It is no big surprise that hackers target Google. Millions of Internet users depend on the search engine every day for their work or personal research. There is also a lot of money involved in Search Engine Optimization (SEO) because businesses heavily rely on being listed by Google. So many tricks have been used (and certainly will keep on being used) to increase a site’s ranking. Better ranking means more traffic, which translates into sales.

Well, hackers are getting really good at SEO, and it opens the door to millions of potential victims. The hackers can then contact the Adware / Rogue companies and make a deal to deliver their products through their ‘sales channels’. It is certainly a bad practice, but again, having a good conscience is not very high on their priority list.

Jerome Segura

This entry was posted on Monday, March 31st, 2008 at 9:12 am and is filed under Exploits.

© 2008 ParetoLogic Inc.