Poisoned Google Image Searches

For the last couple of weeks we have received quite a few reports of images on Google leading to (usually) FakeAV web sites.


Google is doing a relatively good job of removing (or at least marking) links leading to malware in normal searches; however, Google's image search seems to be plagued with malicious links. So how do they do this?

The activities behind the scenes to poison Google’s image search are actually (and unfortunately) relatively simple. The steps in a typical campaign are very similar to those I described in two previous diaries (Down the RogueAV and Blackhat SEO rabbit hole – part 1 at http://isc.sans.edu/diary.html?storyid=9085 and part 2 at http://isc.sans.edu/diary.html?storyid=9103). This is what the attackers do:


  1. The attackers compromise a number of legitimate web sites. I have noticed that they usually attack WordPress installations, but any widely deployed software with known vulnerabilities can be exploited.
  2. Once the source (legitimate) web sites have been exploited, the attackers plant their PHP scripts, similar to those I described in the previously mentioned diaries. These scripts range from simple to very advanced ones that automatically monitor Google trend queries and create artificial web pages about whatever is currently of interest. That is actually how they generate new content: if you ever wondered how they had those web sites about Bin Laden up so quickly, it is because they automatically monitor the latest query trends and generate web pages with artificial content.
     These web sites contain not only text but also images acquired from various web sites. Again, their scripts use various search engines to locate these pictures (I will probably post a diary about this soon too). They embed links to pictures that are really related to the topic, so the automatically generated web page contains real-looking content.
  3. Google now crawls these web sites. The scripts the attackers put there detect Google's bots (either by IP address or by User-Agent) and deliver special pages containing the automatically generated content. Google also parses links to images and, if appropriate, populates the image search database.
  4. Now, when a user searches for something through the Google image search function, thumbnails of pictures are displayed. Depending on the automatically generated content in step 3, the number of links to the web page and other parameters known to Google, the attacker's page will be shown at a certain position in the results page. The exploit happens when a user clicks on the thumbnail.

Google now shows a special page with the thumbnail in the center, links to the original image (wherever it is located) on the right, and the original web site (the one that contained the image) in the background. This is where the "vulnerability" is. Google displays this in a simple iframe:


The user's browser will automatically send a request to the bad page, which runs the attacker's script (the one the attackers planted on the compromised site). This script checks the request's Referer header and, if it contains Google (meaning this was a click on a Google results page), displays a small piece of JavaScript:


This causes the browser to be redirected to another site that is serving FakeAV.

As we can see, the whole story behind this is relatively simple (for the attackers). There are a number of things to do here to protect against this attack, depending on whether we are looking at servers or clients. For a standard user, the best protection (besides not clicking on images) is to install a Mozilla Firefox add-on such as NoScript. Google could step up a bit as well, especially since this has been going on for more than a month already and there are numerous complaints on Google's forums about this. Since there are so many poisoned images, they could perhaps modify the screen that displays the results so it does not include the iframe. That will help in the first step only: once the user lands on the malicious web page there is really nothing Google can do.
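A site-owner check for the two behaviours described above (serving different content to Googlebot, and redirecting only visitors who arrive from Google), as an added Python example that is not part of the original diary. The fetcher is injected: `fake_compromised_site` is a constructed stand-in for the planted script so the demo runs offline, `urllib_fetch` is a live fetcher for a site you administer, and the User-Agent strings and Referer value are assumptions.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple
Response = Tuple[int, Dict[str, str], str]          # (status, headers, body)
Fetcher = Callable[[str, Dict[str, str]], Response]

# Visitor profiles the planted script tells apart; the Referer is a constructed
# stand-in for a click on a Google image result (assumed values).
_BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
PROFILES: Dict[str, Dict[str, str]] = {
    "browser": {"User-Agent": _BROWSER_UA},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "from_google": {"User-Agent": _BROWSER_UA, "Referer": "http://www.google.com/imgres?imgurl=x"},
}
# Client-side redirect tells: JavaScript location changes or a meta refresh.
REDIRECT_RE = re.compile(r"(?:window|document|top|self)\.location|location\.(?:href|replace)|http-equiv=[\"']?refresh", re.I)

def check_url(url: str, fetch: Fetcher) -> Dict[str, bool]:
    """Fetch `url` once per profile and flag the two behaviours the diary describes."""
    got = {name: fetch(url, dict(hdrs)) for name, hdrs in PROFILES.items()}
    browser_body = got["browser"][2]
    status, _, body = got["from_google"]
    return {
        # Googlebot is served different content than a normal browser: cloaking.
        "ua_cloaking": got["googlebot"][2] != browser_body,
        # A Google referer alone turns the page into a redirect (30x or script).
        "referer_redirect": body != browser_body
        and (300 <= status < 400 or REDIRECT_RE.search(body) is not None),
    }

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):  # keep 30x responses visible
        return None

def urllib_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Live fetcher for checking a real site; the offline demo below does not use it."""
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(urllib.request.Request(url, headers=headers), timeout=15)
    except urllib.error.HTTPError as err:  # a 30x lands here once it is not followed
        resp = err
    return resp.getcode(), dict(resp.headers), resp.read().decode("utf-8", "replace")

def fake_compromised_site(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in behaving like the planted script the diary describes."""
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, {}, "<html>trending keywords ... <img src='/hot-topic.jpg'></html>"
    if "google" in headers.get("Referer", ""):
        return 200, {}, "<script>window.location='http://fakeav.example/scan';</script>"
    return 200, {}, "<html>the site's normal page</html>"
```

Run `check_url("http://your-site.example/", urllib_fetch)` against a site you administer; either flag coming back True is a reason to inspect the PHP files for a planted script.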

source: isc.sans.edu

15 comments:

Anonymous said...

Hello, I think your website might be having browser compatibility
issues. When I look at your website in Safari, it looks fine but when
opening in Internet Explorer, it has some overlapping. I just wanted to give you a quick heads up!
Other than that, wonderful blog!
my website > water damage boise

Anonymous said...

It's remarkable for me to have a web site, which is beneficial in favor of my knowledge. Thanks admin
My web page ... water damage providence

Anonymous said...

My family members all the time say that I am wasting my time here
at web, but I know I am getting familiarity every day by reading such good articles or
reviews.
Here is my weblog - scott reeves

Anonymous said...

Hi there, are you using WordPress for your site platform?
I'm new to the blog world but I'm trying to get started and set
up my own. Do you require any coding knowledge to make your own blog?
Any help would be greatly appreciated!
Take a look at my web page :: hidden water

Anonymous said...

Touche. Great arguments. Keep up the amazing spirit.
Here is my web site - water damaged cars

Anonymous said...

Hiya! Quick question that's totally off topic. Do you know how to make your site mobile friendly? My blog looks weird when browsing from my iPhone. I'm trying to find a template or plugin that might be able to correct this
problem. If you have any suggestions, please share.
Many thanks!

my web page: water damage
Feel free to surf my web-site Royal Oak MI water damage

Anonymous said...

Fantastic beat! I would like
to apprentice while you amend your website, how can I subscribe for a blog website?
The account helped me a
acceptable deal. I had been a
little bit acquainted of this your broadcast offered bright clear concept

Stop by my blog ... composting toilet
My site : when to start toilet training

Anonymous said...

It is appropriate time to make some
plans for the future and it is time to be
happy. I have read this post and if I
could I desire to suggest you some interesting things or suggestions.
Perhaps you can write next articles referring to this article.
I desire to read more things about it!

Also visit my page: myspaceflirty.com
My blog post ... composting toilets

Anonymous said...

Thanks for any other fantastic article. The place else may
anybody get that kind of info in such an ideal method of writing?
I have a presentation next week, and I am on the look for such info.


My website when to start Toilet training
My web site > composting toilet

Anonymous said...

Thanks for finally writing about
> "Poisoned Google Image Searches" < Liked it!

Here is my web-site; clean up after water damage
Here is my homepage water pollution

Anonymous said...

Hey there! I could have sworn I've been to this site before but after browsing through some of the posts I realized it's new to me.
Nonetheless, I'm definitely happy I found it and I'll
be book-marking and checking back often!


my web blog - water damage repair
Here is my web page ; water damage restoration

Anonymous said...

This is a topic which is near to my heart.
.. Best wishes! Where are your contact details though?


Take a look at my page ... water damage prevention
Feel free to visit my webpage clean fire damage

Anonymous said...

Hi there, would you mind stating which blog platform you're working with? I'm looking to
start my own blog soon but I'm having a difficult time selecting between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your design seems different than most blogs and I'm looking for something completely unique.
P.S. Apologies for getting off-topic but I
had to ask!

Also visit my web-site; los angeles water damage
Feel free to visit my website :: water damage

Anonymous said...

Thanks for the marvelous posting!
I actually enjoyed reading it, you will be
a great author. I will make sure to bookmark your blog
and will often come back someday.
I want to encourage continue your great posts, have a nice day!


My blog post - part-time business
Here is my web site ... flood damage ireland

Anonymous said...

That is really attention-grabbing, you're a very professional blogger. I've joined your
RSS feed and look forward to in search of more of your wonderful post.
Also, I have shared your website in my social networks

Here is my homepage - water extraction denver texas (tx)
My web page - emergency water damage
