In May, I wrote a big article about my investigation of a massive Google Image poisoning attack. A quick recap: cybercriminals created millions of doorway pages on dozens of thousands of compromised websites. Those pages exploited a flaw in the Google Image search algorithm that made it possible for pages with hot-linked images to hijack search results of the websites that the images actually belonged to. The attack scheme was very efficient and hundreds of thousands (if not millions) of people clicked on poisoned image search results every day.
Not only did I publish the results of my investigation on my blog, but I also shared a great deal of gathered information (lists of compromised sites, algorithms, etc.) with Google and antivirus vendors. I hope this made some difference, as I started to observe changes literally the next day after the article's publication.
In this 2-part series of posts, I will talk about what’s changed since then. Specifically, how Google addressed this problem (part I) and how cybercriminals changed the attack scheme (part II).
Continue »»
Selected short messages and links you might have missed if you don’t follow me on Twitter.
SEO poisoning, Mac FakeAV vs PC FakeAV, the state of badware report, Readable SafeBrowsing addon …
Selected short messages and links you might have missed if you don’t follow me on Twitter.
SEO poisoning, canonical hacks, SmartScreen, WordPress, Facebook clickjacking …
As a follow-up to Matt Cutts’s recent tweet and blog post about emerging rel=canonical hacks, I did a detailed guest post on the StopBadware blog about this problem.
In that article, I wrote about how such hacks work and how cyber-criminals can use this hard-to-detect attack to hijack search results of compromised sites. You can also find a short review of a real “rel=canonical” attack that affected quite a few websites.
As always, I wrote about tools and techniques that can help you diagnose hacks that try to make Google think that your site has moved to a new domain name. Unfortunately, at this point no tools that I know of specifically check for rogue “rel=canonical” instructions. However, more universal file integrity monitoring solutions can be really efficient as they will inform you about any unexpected modifications.
Continue (how Unmask Parasites reveals rel=canonical hacks) »»
Selected short messages and links you might have missed if you don’t follow me on Twitter.
This is a short follow-up on my post about hacked sites that poisoned Google Image search results.
As I mentioned in that post, most compromised sites where hackers created malicious doorway pages contained one of the following images or iframes in their legitimate index pages.
Continue »»
This investigation began a few weeks ago, when I came across the following two threads in website security forums:
[badwarebusters.org] Lately I have been seeing a huge increase in the number of hacked sites appearing on google image search results that redirect to a fake Av scanner. more »»
[Google Webmaster Help] google image search results often has multiple infected / malware sites on the first SERP page. more »»
This is a well-known problem. I blogged about such SEO poisoning attacks several times here. This time I decided to check what’s behind the reported increase in malicious image search results.
Continue »»
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Only a few hours after Friday’s 8.9 earthquake and the consequent tsunami hit Japan, security researchers noticed many poisoned Google search results for searches related to this news that redirected web surfers to fake antivirus sites.
This situation is nothing new. We’ve seen similarly poisoned search results for the Haitian earthquake a year ago, for the recent New Zealand earthquake, for last year’s floods in Pakistan, etc.
Many people use search engines to find details about breaking news such as natural disasters, catastrophes, accidents, etc. Such hardly predictable events have literally zero relevant results before they happen, so during the first few hours after the event almost any site with relevant information has a good chance to rank high on Google. This short window when competition is quite light is all cyber-criminals need to have steady traffic to their breaking-news-related doorway pages. Then, when every news site and blog adds its 2 cents and there are plenty of resources about those hot topics, only the most reputable and most relevant web pages make it to the top of search results.
I decided to check the poisoned search results and here’s what I found:
Continue »»
Selected short messages and links you might have missed if you don’t follow me on Twitter.