Monday, April 5, 2010

Google search: more links are malicious than you realize

It is not uncommon for 15% to 20% of the first 100 results returned by Google for any popular search term (according to Google Trends) to be malicious links. If Google doesn’t take the Blackhat SEO problem more seriously, the total number of malicious links is bound to increase, and this may already be happening.

The top search on April 2nd was “tri energy”. I am not sure why it became so popular, but don’t google it: more than 90% of the first 100 links are malicious! Here is what I found for this search on April 4th:

  • 86 links were sending users directly to a malicious, fake antivirus page that tries to install malware. This is the same issue, with the same domain name (xorg.pl) involved in most of the redirections that I detailed in a previous post.
  • 4 malicious links were down or Google displayed a warning page.
  • The first 5 links on the first page of results were legitimate.
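As an added illustration (not code from the original post), here is one way to bucket a captured result set along the lines of the scan above: follow each result's HTTP or meta-refresh redirect and check the landing host against a blocklist. Only the domain xorg.pl comes from the post; the field names, helper functions and sample captures are assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urljoin, urlparse

BLOCKED_DOMAINS = {"xorg.pl"}  # the redirect domain named in the post

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*'
    r'content=["\'][^"\']*url=([^"\'>\s]+)', re.IGNORECASE)

def redirect_target(url, status, headers, body):
    """Absolute URL a browser would be sent to (HTTP 3xx or meta refresh), else None."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if status in (301, 302, 303, 307, 308) and location:
        return urljoin(url, location)  # resolves relative Location values
    match = META_REFRESH.search(body or "")
    return urljoin(url, match.group(1)) if match else None

def on_blocklist(url):
    """True if the host is a blocked domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def classify(r):
    """Bucket one captured result; a warning or a dead link takes precedence."""
    if r["warned"]:
        return "warned"
    if r["status"] is None or r["status"] >= 500:
        return "down"
    target = redirect_target(r["url"], r["status"], r["headers"], r["body"])
    return "malicious-redirect" if target and on_blocklist(target) else "no-known-bad-redirect"

def tally(results):
    """Count how many results fall into each bucket."""
    return Counter(classify(r) for r in results)

def capture(url, status, headers=None, body="", warned=False):
    return {"url": url, "status": status, "headers": headers or {},
            "body": body, "warned": warned}

# Constructed captures (hostnames and paths are made up, not data from the post).
SAMPLE = [
    capture("http://blog.example.com/tri-energy", 302, {"Location": "http://scan.xorg.pl/av"}),
    capture("http://shop.example.org/tri-energy", 200,
            body='<meta http-equiv="refresh" content="0; URL=http://www3.xorg.pl/scan">'),
    capture("http://news.example.net/old", 301, {"Location": "/new"}),
    capture("http://gone.example.org/tri-energy", None),
    capture("http://flagged.example.com/tri-energy", 200, warned=True),
]
```

A result in the `no-known-bad-redirect` bucket is not proven legitimate; it only means no redirect to a listed domain was observed in that capture.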

One of the too few warnings from Google

Same search on Bing and Yahoo

For the same search, Bing did not show any malicious links. Yahoo! displayed 4 malicious links on pages 2, 6 and 7. At this point, I’m not sure if Bing and Yahoo! do a better job at cleaning up their search results, or if they are simply slower at picking up new pages.

8 hours later

I re-scanned the Google results 8 hours later and things are a bit better. There are still only 10 legitimate links in the first 100 results, but Google displays a warning for 87 links. Only 3 malicious links redirect to a harmful site.

Google warns the users to not follow these links. Why do they even show them?


Not an exception

The number of malicious links may be extreme in this example, but the overall problem of attackers leveraging SEO is not rare at all. On the same day, for the #5 Google Trends search term, “epic google”, 50% of the first 100 links are malicious. For the #2 search term, “mendicant”, 38% of the links are malicious. It took Google 2 days to start cleaning up the results, from April 2nd to April 5th in the morning.

I do not understand why Google decides to include malicious links in their search results. Depending on the user’s browser version, clicking on these links can be harmful to users, or display useless content. In both cases, users do not want to visit these sites.

-- Julien

6 comments:

smalltalkhacker said...

There could be a number of reasons for including links identified as malicious.

1. A general reluctance to censor results.
2. A level of humility regarding the assessment of whether or not a site is hosting malware.
3. An acknowledgement that sites which otherwise host useful content may have been hacked.

By warning the user that the site hosts or potentially hosts malware they at least offer the choice of whether or not to access the site.

ReneS said...

How about that?

* the page/site was ok when Google indexed it
* the site was modified after it was included
* Bing/Yahoo are just slower to find new pages, therefore they saw the bad version of it
* it takes Google some time to revisit pages.

Does it make sense?

Julien Sobrier said...

Rene S:

Google knew the domains it shows were spreading malware as I've shown in a previous post (http://research.zscaler.com/2010/04/how-google-is-not-tackling-blackhat-seo.html)

The redirection pages did not exist before the site was hacked. All these pages were created to harm users. But they do show "good" content to Google.

I'll post more information about Yahoo and Bing, but Yahoo does not seem to know that some pages are bad. It just takes longer for new pages to be included in Yahoo's index.

Even after Google has flagged some domains as potentially harmful, it does not always display a warning. I don't know yet if it is just a matter of time before it warns users about all these hacked sites.

Julien Sobrier said...

smalltalkhacker: when Google shows 90% malicious links, users are not going to find any useful information. I did not make it clear that all the malicious pages were added after the site was hacked, so they do not contain any valuable content.

Also, it took 48 hours to start warning the users.

They could use the SafeSearch option to display dangerous links to users who turn it off explicitly, and protect the vast majority of users, like me, who don't want to take such a risk.

Brad said...

This is indeed a grave problem. Malicious sites can be quite harmful to the system in terms of security & infestation it can cause. So, Google's SafeBrowsing initiative is an appreciable move. Also the open source search platforms are safer in this regard due to their lesser commercial involvement. Solr is one of the advanced open source search platforms which is making its mark in the open source world. Recently, I reviewed Solr's referral guide (http://www.lucidimagination.com/Downloads/LucidWorks-for-Solr/Reference-Guide) to understand its working fundamental which was knowledgeable.
