In May, I wrote a big article about my investigation of a massive Google Image poisoning attack. A quick recap: cybercriminals created millions of doorway pages on tens of thousands of compromised websites. Those pages exploited a flaw in Google's Image search algorithm that made it possible for pages with hot-linked images to hijack the search results of the websites the images actually belonged to. The attack scheme was very efficient, and hundreds of thousands (if not millions) of people clicked on poisoned image search results every day.
Not only did I publish the results of my investigation on my blog, but I also shared a great deal of the gathered information (lists of compromised sites, algorithms, etc.) with Google and antivirus vendors. I hope this made some difference, as I started to observe changes literally the next day after the article was published.
In this 2-part series of posts, I will talk about what has changed since then. Specifically, about how Google addressed this problem (part I) and how cybercriminals changed the attack scheme (part II).
Soon (within a few hours, actually) after I published my article and contacted Google, they started to actively blacklist compromised sites with doorway pages. They used secondary signs (such as images and iframes injected into the main pages of compromised sites) to identify hacked sites. Within three days Google had blacklisted more than 15,000 such sites. Ten days later the number of blacklisted sites was close to 35 thousand.
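Checking a page for the kind of secondary signs mentioned above (images pulled from another host, and injected iframes that are often hidden or sized to zero) is easy to script. The following is an added example, not code from the original post and not Google's scanner: it parses a page, compares every image and iframe source host against the page's own host, and flags off-site images as hot-linked and off-site or hidden iframes as suspicious. The host names in the constructed sample pages (victim.example, doorway.example) are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefCollector(HTMLParser):
    """Collect the attribute dicts of every <img> and <iframe> tag seen."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "iframe":
            self.iframes.append(a)


def host_of(url, page_host):
    """Host a URL resolves to; relative URLs belong to the page's own host."""
    host = urlparse(url).hostname
    return (host or page_host).lower()


def is_hidden(attrs):
    """True for the usual injection tricks: display:none or a 0/1 px frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def scan_page(html, page_url):
    """Return (kind, src) findings: hot-linked images and suspicious iframes."""
    page_host = urlparse(page_url).hostname.lower()
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        if host_of(img["src"], page_host) != page_host:
            findings.append(("hotlinked_image", img["src"]))
    for frame in collector.iframes:
        src = frame.get("src") or ""
        off_site = src and host_of(src, page_host) != page_host
        if off_site or is_hidden(frame):
            findings.append(("suspicious_iframe", src))
    return findings


# Constructed sample pages (placeholders, not real sites).
CLEAN_PAGE = """<html><body>
<img src="/images/logo.png"><img src="http://victim.example/photos/1.jpg">
<iframe src="http://victim.example/widget.html" width="300" height="200"></iframe>
</body></html>"""

COMPROMISED_PAGE = """<html><body>
<img src="/images/logo.png">
<img src="http://doorway.example/hot/1.jpg">
<iframe src="//doorway.example/in.php" width="0" height="0"></iframe>
<iframe src="/local.html" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(name, scan_page(page, "http://victim.example/"))
```

The host comparison is exact, so a site that legitimately serves images from a CDN subdomain will see those reported as hot-linked; in practice you would add such hosts to an allow list. The check is a triage aid for a webmaster looking at their own pages, not a proof of compromise.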
Blacklisting helped to mitigate the problem quickly: flagged sites don't normally make it into Google Images search results. And even if you click on a blacklisted result in Image search (where, unlike web search, there are no visible malware warnings), you are taken to an interstitial warning page.
Moreover, the warnings themselves and Google’s notifications helped webmasters of affected sites notice and fix the problem.
As a result, this malicious campaign began to register a significant decrease in traffic after May 5th: from 8.62 million hits on May 5th to 6.41 million hits on May 6th (-25% in just one day), and to 1.67 million hits on May 16th (-80% in 10 days).
Nonetheless, the attack is still in progress. Cybercriminals didn't want to lose such a lucrative source of traffic and, around May 18th, they updated their tactics and changed the behavior of compromised sites, making the problem less easily detectable.
Indeed, this change helped newly infected sites escape blacklisting. I have a list of more than 9 thousand sites infected with this new modification of the malicious doorway script, and less than 3% of them are currently flagged by Google (mainly for past problems). At the same time, the Safe Browsing diagnostic pages of most of these sites say that Google checked them on dates when, as I know for certain, the sites had malicious content, but nothing suspicious was detected. This means that Google is aware that these sites are worth scanning for malware (good), but its detection rate is extremely low (bad).
This low detection rate shouldn't be considered a new victory of spammers over Google. The thing is, the new doorway pages don't do nearly as well in Google Image search results as they did before May 5th.
I have very long lists of keywords targeted by the malicious doorways, and I regularly check Google Image search results for those keywords (using my Firefox add-on that highlights hijacked and hot-linked search results — let me know if you are interested). Only very rarely do I see poisoned results on the first page, mainly for long and quite unpopular queries like ["campbell brown afl"] (only 13,300 results) or ["camera timer icon"] (only 104 results).
When I try more popular queries, or don't use quotes for restrictive phrase searches, the chances of seeing poisoned results on the first page are quite low. Malicious results usually start to appear on the second page or even lower.
I hope these changes can be attributed to some improvements in Google's algorithm that made it harder to hijack top image search results using hot-linking along with unintelligible keyword-stuffed texts. At least I don't see any changes in the page-generating and inter-linking part of the new doorway algorithm.
Nonetheless, the chances of clicking on a malicious image search result are still pretty high, and Google needs to pay more attention to this problem. After all, what's the use of search results if many people have had a bad experience with Google Images and are now reluctant to click on any image results?
As always, I'll do my best to help them. I'll send them my list of 9,000+ compromised sites and the full doorway script algorithm. In addition, in the second part of this series (coming really soon) I'll describe what exactly has changed in this black hat SEO campaign since May 18th and what makes it less easily detectable. Stay tuned.