Tuesday, April 6, 2010

Bing and Yahoo! sponsored advertising leads to malicious websites

Search engines display results along with links sponsored by advertisers. Sponsored links are generally placed above non-paid results to give them higher visibility, so there is a higher chance that an end user will click on them. We have previously seen popular search engines returning sponsored links that lead to malware sites. This time we’re seeing Microsoft’s new search engine Bing as well as Yahoo! returning sponsored links that lead to malicious websites. When you search for the keyword “advertising” using Bing or Yahoo!, the search engine returns results with sponsored sites. One of the sponsored sites contains a link to a malicious website. Here is the search result:



If you click on the link shown in the above image, you may be infected with malware. Looking at the source code of the page shows that a malicious script has been injected into the webpage, which points to a malicious third-party site. Here is a screenshot of the source code.


In the screenshot, you can see that the page contains one script tag that links to a malicious website. When you open the malicious site using Firefox or Chrome, you are alerted with warnings, as the site has been blacklisted via the Google SafeBrowsing initiative.


The attackers are very active and keep finding new ways to infect users. The question remains: why is this paid advertising link being displayed even though it contains a malicious link? Why are search engine vendors not filtering sponsored links? This is especially perplexing as they have knowledge of the infection (Google maintains the Google SafeBrowsing content). There are two reasons why the page may contain malicious content in the first place:

1) First, the sponsored site is owned by attackers and was intentionally set up to spread malware. In this case, an initial scan of the page content prior to inclusion in the list of authorized sponsors would have prevented the malicious link from being displayed.
2) Second, the sponsored link is for a legitimate website that was infected with malicious content through a vulnerability in the site (e.g. via SQL injection). In this scenario, the infection could have occurred at any time, so search engines would need to continually scan page content to detect it.

Although this attack scenario has been known for some time, the search engines are failing to filter out these malicious results. If sponsored links are not being properly scanned for security issues, users will remain at risk. Search engine providers not only have to scan sponsored links for security threats initially, but must also do so continually, in order to ensure that attackers have not infected otherwise legitimate sites. This also means that end-users need to ensure that they have appropriate protections in place to inspect all page content in real-time, regardless of the source. Even search engine results can’t be trusted.
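As an added illustration (not part of the original post), here is a small Python scanner of the kind a search engine or ad network could run against a sponsored landing page, both before listing it and on a recurring schedule: it extracts the third-party script tags, like the injected one in the screenshot above, and checks their hosts against a blocklist. The page contents, hostnames and blocklist are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample landing page carrying one injected third-party <script> tag,
# the pattern described in the post. Hostnames are placeholders, not real indicators.
SAMPLE_PAGE = """<html><head><title>Advertising services</title>
<script src="/js/site.js"></script>
<script type="text/javascript" src="http://bad-example.invalid/x.js"></script>
</head><body><p>Welcome</p>
<script src="//cdn-example.invalid/lib.js"></script></body></html>"""

# Constructed blocklist standing in for a SafeBrowsing-style feed.
BLOCKLIST = {"bad-example.invalid"}


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in the page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def external_scripts(page_url, html):
    """Return absolute URLs of script tags whose host differs from the page's host."""
    parser = ScriptSrcParser()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    result = []
    for src in parser.sources:
        absolute = urljoin(page_url, src)  # resolves /js/site.js and //host/lib.js
        host = urlparse(absolute).hostname
        if host and host != page_host:
            result.append(absolute)
    return result


def is_blocked(url, blocklist=BLOCKLIST):
    """True if the URL's host, or any parent domain of it, is on the blocklist."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def scan_landing_page(page_url, html, blocklist=BLOCKLIST):
    """Label each third-party script 'blocked' (on the list) or 'review' (unknown)."""
    return {url: ("blocked" if is_blocked(url, blocklist) else "review")
            for url in external_scripts(page_url, html)}
```

Scripts labelled 'review' are third-party includes the blocklist does not know about; a scanner that re-runs on every crawl catches the case where a legitimate sponsor site is compromised after it was first approved.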

Happy Surfing!!!
Umesh
