Following the post on “Web Security: the Google paradox”, I wanted to compare the number of malicious search results for major search engines including Google, Bing and Yahoo!. The question that I wanted to answer - do any of them do a good job filtering results to protects users?
Same-day trends
I started by scanning the top-searches (according to Google Trends) over the course of three days.
| Bing | Yahoo! | ||||
| terms | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-100 | bad links in top-100 |
| what becomes of the broken hearted | 0 | 9 | 13 | 0 | 0 |
| miegakure | 0 | 11 | 27 | 0 | 0 |
Google | Bing | Yahoo! | |||
| terms | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-100 | bad links in top-100 |
| diddy dirty money | 2 | 10 | 13 | 0 | 0 |
| the room | 0 | 0 | 0 | 0 | 0 |
| miegakure | 2 | 8 | 11 | 0 | 0 |
| ruben studdard | 0 | 0 | 1 | 0 | 0 |
| fledgling | 0 | 0 | 3 | 0 | 0 |
03/31 trends
Google | Bing | Yahoo | |||
| terms | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-100 | bad links in top-100 |
| topeka | 0 | 0 | 1 | 0 | 0 |
| google april fool | 0 | 5 | 6 | 0 | 0 |
| uss nicholas | 0 | 1 | 3 | 0 | 0 |
| the room | 0 | 0 | 0 | 0 | 0 |
| google topeka | 0 | 3 | 14 | 0 | 0 |
april fools 2010 wiki | 3 | 9 | 18 | 0 | 0 |
04/01 trends
Google is the only search engine to display malicious links to the user for the most popular searches on each day investigated.
Older trends on Google, Bing and Yahoo
To find out if Yahoo and Bing are better at filtering their search results, or if they are simply slower to pick up new pages, I scanned the top trends a few days later. This way, the engines were given additional time to identify new web pages.
On March 26, 2010, I scanned the first 100 search results, for each of the top 20 Google Trends phrases:
query | bad links in top-10 | bad links in top-50 | bad links in top-100 |
mennonites | 0 | 0 | 0 |
jesse james mistresses pictures | 0 | 0 | 0 |
beyonce pregnant confirmed | 1 | 4 | 7 |
paula deen | 0 | 0 | 0 |
quicken loans arena | 0 | 0 | 0 |
ohio appliance rebate | 1 | 3 | 4 |
jordan jeter throwback | 1 | 1 | 1 |
hot tub time machine review | 0 | 0 | 1 |
north korea | 0 | 0 | 0 |
pax east | 0 | 2 | 6 |
bush wipes hand on clinton video | 0 | 0 | 2 |
somer thompson | 2 | 3 | 3 |
womc 1043 | 4 | 12 | 12 |
south korea | 0 | 0 | 0 |
camden 5 | 1* | 13 | 14 |
spokeo | 0 | 0 | 0 |
ed schultz | 0 | 0 | 0 |
alpha lipoic acid | 0 | 0 | 0 |
how to train your dragon review | 0 | 0 | 0 |
The number of malicious links differs significantly based on the search terms used. It seems that celebrity gossip is a prime target.
One of the most shocking findings is that the number one link shown by Google for “Camden 5” leads directly to a malicious site! For this search, more than 10% of the first 100 links are malicious.
On March 30th, 4 days later, I re-scanned the 3 search terms with the largest number of malicious links from March 26th, on all 3 major search engines:
| Bing | Yahoo | ||||||||
| terms | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 |
| beyonce pregnant confirmed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 3 | 6 |
| womc 1043 | 0 | 1 | 1 | 0 | 1* | 1* | 0 | 9 | 14 |
camden 5 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 7 | 16 |
Google did not show any valid links to malicious sites. Unfortunately, this is not as a result of any filtering of their results. Some of the malicious pages were down, but still showing up in the top-100. The other malicious links had lower rankings, but were still present in Google’s index.
Bing showed only 1 hacked page that redirected to p3p0.com. Yahoo had the worst results - up to 16% of the links were malicious.
The malicious pages identified were virtually all fake AV pages. The remaining bad links on Google and Bing all redirected to xorg.pl. Yahoo had a greater variety of bad domains: liveantivirusc.com, liveantivirusz.com, live-antivirusy.com, 91.213.157.23, xorg.pl, etc.
I did the same experiment over the next few days:
Google | Bing | Yahoo! | |||||||
terms | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 |
titivating | 0 | 3 | 3 | 0 | 0 | 0 | 1 | 4 | 4 |
erik menendez | 0 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
ricky martin comes out | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
04/02: revisiting the 03/29 trends
Google | Bing | Yahoo | |||||||
terms | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 |
who went home on dancing with the stars | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 3 | 5 |
dancing with the stars 2010 voting | 0 | 1 | 1 | 0 | 1* | 1* | 0 | 0 | 0 |
treat her like a lady | 0 | 0 | 0 | 0 | 1* | 0 | 1 | 12 | |
jaime escalante | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
turn to 10 | 0 | 3 | 3 | 0 | 0 | 0 | 1 | 8 | 10 |
lee najjar | 0 | 2 | 2 | 0 | 0 | 0 | 0 | 2 | 3 |
eharmony login | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
allison meyers | 1 | 3+ | 5 | 0 | 0 | 0 | 0 | 5 | 6 |
04/03: revisiting the 03/30 trends
* redirection to p3p0.com
* redirection to p3p0.com
Google | Bing | Yahoo | |||||||
terms | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 |
topeka | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
google april fool | 0 | 4* | 5 | 0 | 0 | 0 | 0 | 0 | 0 |
uss nicholas | 0 | 3* | 5 | 0 | 0 | 1 | 0 | 0 | 0 |
the room | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
google topeka | 0 | 4* | 9 | 0 | 1** | 5** | 0 | 0 | 0 |
04/04: revisiting the 04/01 trends
* redirections from consultenet.com to xorg.pl
** redirection to p3p0.com
*** first 2 links are malicious
* redirections from consultenet.com to xorg.pl
** redirection to p3p0.com
*** first 2 links are malicious
Google | Bing | Yahoo! | |||||||
terms | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 |
tri energy | 4 | 39* | 86* | 0 | 0 | 0 | 0 | 2 | 4 |
john forsythe | 0 | 0 | 12 | 0 | 0 | 0 | 0 | 0 | 0 |
disneyxd.com/doof | 0 | 1 | 2 | 0 | 0 | 0 | 0 | 3 | 6 |
mendicant | 0 | 17 | 38 | 0 | 0 | 0 | 0 | 1 | 2 |
epic google | 0 | 26 | 50 | 0 | 0 | 0 | 0 | 0 | 2 |
04/04: revisiting the 04/02 trends
* additional malicious links were down. See previous post.
* additional malicious links were down. See previous post.
Google | Bing | Yahoo! | |||||||
| terms | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 | bad links in top-10 | bad links in top-50 | bad links in top-100 |
| diddy dirty money | 0 | 1**** | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
| the room | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| miegakure | 0 | 3 | 4 | 0 | 0 | 1 | 0 | 0 | 1 |
| ruben studdard | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| fledgling | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| sarah jessica parker dead | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 2 |
| heather mccomb | 1 + 2* | 3 | 3 | 0 | 0 | 0 | 0 | 0 | 4 |
| the room movie | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
| american idol didi | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| ps3 update 3.21 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| nicki minaj massive attack video | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
kmbz glenn miller | 0 | 0 | 0 | 0 | 2 | 2 | 4 | 27 | 51 |
| susan anton | 0 | 0 | 1 | 0 | 0 | 1 + 2** | 0 | 0 | 1 |
| ann margaret | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1*** | 6 |
who got kicked off dancing with the stars tonight | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 5+1** |
| april fools pranks for parents | 1 | 1** + 1**** + 1 | 2** + 3**** + 1 | 0 | 0 | 2** | 0 | 1 | 3 |
what becomes of the broken hearted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
04/05: revisiting the 03/31 trends
* flagged by Google as potentially harmful
** redirection to p3p0.com
*** redirection to porn, might be intentional
* flagged by Google as potentially harmful
** redirection to p3p0.com
*** redirection to porn, might be intentional
After 2 to 4 days, Yahoo starts showing more and more malicious links, and Google has fewer and fewer. Malicious links on Google tend to rank lower (below #100) after 3 to 4 days, and Google displays a warning for more of them.
I found only one link on Bing that redirected to a malicious fake antivirus page (xorg.pl, again). Rarely. There were also malicious links redirecting to malware on download websites like rapidshare. Finally, there were a few hacked sites that redirected to p3p0.com that were not removed for several days.
Google, a victim of its own success?
Malicious links are showing up on Google must faster that on Yahoo. One of the reasons for this is the fact that Google is much faster to pick up new pages. For example, it took Yahoo 4 more days longer than Google to find the new (hacked) pages on consultenet.com.
On 04/01, Yahoo’s index included only 6 pages from consultenet.com
On 04/05, Yahoo now displays 137 pages on consultenet.com
Also, I have noticed that about 60% of the consultenet.com links inside a yahoo search do not redirect to a malicious domain, whereas all consultenet.com results in Google do. It is possible that attackers target Google specifically: fakes pages can be tailored to the Google ranking algorithm, etc.
Bing does not show any of the malicious pages from consultenet.com. Time will tell if they were excluding the pages on purpose as they were identified as malicious, or if Bing is even slower than Yahoo! When it comes to finding new pages. However, it did show links to hacked sites that redirected users to p3p0.com, which did not spread malware.
Google and Yahoo need to step up to the new security threats. They are becoming an important target for malicious hackers. They need to update their tools to filter out the sites used to redirect users to harmful pages. Google knows about some of these sites (as they show up in Google SafeBrowsing results), but Google fails to warn users most of the time.
-- Julien
-- Julien
Posts
0 comments:
Post a Comment