Thursday, June 3, 2010

Tricks to easily detect malware and scams in search results

As we've shown before, fake antivirus pages are hiding behind hacked legitimate sites, which are used as redirectors between Google/Bing/Yahoo search results and malicious target sites. The user clicks on a link in Google/Bing/Yahoo, lands on the hacked page and is then redirected automatically to the fake AV site.

Let's take this example:
  1. A user looks for "this is a test" on Google.
  2. The user goes from http://www.google.com/?q=this+is+a+test (the Google search result page) to a hacked site http://example.com/index.php?q=this+is+a+test (the search result).
  3. The user is then automatically redirected to http://evilcom/index.php (the fake AV page).

How can you easily spot a potential fake AV page directly from the search results, or avoid being redirected to the malicious page? Unfortunately, you cannot count on your antivirus or browser blacklists. There are two tricks you can use.

Recognize a site has been hacked

Attackers create new virtual pages on hacked sites. They all look pretty much the same, for example:

hxxp://<page>.php?=http://cuedspeechminnesota.org/venzi.php?sell=old%20navy%20shooting

Because the query string (sell=old%20navy%20shooting) is similar to the search term, it will be highlighted in the Google results. Check for links with a .php file extension, a query string with a single variable ('sell' in the example) and a value similar to the search term (old%20navy%20shooting, old+navy+shooting, old-navy-shooting, etc.).

This suspicious link is indeed a redirection to a fake AV page


Avoid the redirection to the fake AV page

The hacked pages check whether the user is coming from Google, Bing or Yahoo by looking at the HTTP Referer header. If the page is accessed directly, the user is either redirected to a different site (typically http://www.cnn.com/) or shown the original page used to spam the search engine. In both cases, the user is not at risk.


Harmless Search Engine Optimization (SEO) page

So, if you spot a suspicious search result, copy the URL (right click on the link + Copy Link Location) and paste it into a new tab. Because your Referer header is empty in this case, you will not be redirected to the fake AV page in most cases.

These two tricks can be integrated into a security scanner that checks search results: access the same URL once with an empty Referer and once with a Referer of http://www.google.com/, and check whether you are redirected to different domains. If so, it is very likely a fake AV page (60% of the cases we found) or a shady/fake search engine (40% in our research).
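Both tricks as a small scanner, added here as an example and not code from the original post: the first function applies the link-shape check (a .php page, a single query variable, a value resembling the search term), the second fetches a URL with and without a search-engine Referer and flags it when the landing hosts differ. The hostnames hacked.example and fake-av.example and the `_simulated_fetch` stand-in are constructed so the logic can be run offline.

```python
import urllib.request
from urllib.parse import urlparse, parse_qs, unquote_plus

SEARCH_REFERERS = ("http://www.google.com/", "http://www.bing.com/", "http://search.yahoo.com/")

def _words(s):
    # "old%20navy%20shooting", "old+navy+shooting" and "old-navy-shooting" -> same tokens
    return set(unquote_plus(s).lower().replace("-", " ").split())

def looks_like_seo_link(url, search_term):
    """Trick 1: .php page, exactly one query variable, value resembling the search term."""
    p = urlparse(url)
    if not p.path.lower().endswith(".php"):
        return False
    qs = parse_qs(p.query, keep_blank_values=True)
    if len(qs) != 1:
        return False
    value = next(iter(qs.values()))[0]
    return _words(value) == _words(search_term)

def final_url(url, referer=None, timeout=10):
    """Fetch url and return where the HTTP (3xx) redirects end up.
    Caveat: meta-refresh and JavaScript redirects are not followed."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl()

def referer_dependent_redirect(url, fetch=final_url):
    """Trick 2: compare the landing host with no Referer against the landing host
    when the Referer claims a search engine. Returns (suspicious, landings)."""
    landings = {"(none)": urlparse(fetch(url, None)).hostname}
    for ref in SEARCH_REFERERS:
        landings[ref] = urlparse(fetch(url, ref)).hostname
    return len(set(landings.values())) > 1, landings

def _simulated_fetch(url, referer):
    """Constructed stand-in for a hacked page (no network): search-engine visitors
    go to the fake AV host, everyone else to a harmless site."""
    if referer and any(se in referer for se in ("google", "bing", "yahoo")):
        return "http://fake-av.example/scan.php"
    return "http://www.cnn.com/"

if __name__ == "__main__":
    u = "http://hacked.example/venzi.php?sell=old%20navy%20shooting"  # constructed
    print(looks_like_seo_link(u, "old navy shooting"))                 # True
    print(referer_dependent_redirect(u, fetch=_simulated_fetch)[0])    # True
```

Replace `fetch=_simulated_fetch` with the default `final_url` to test a real search result; a page that only redirects via JavaScript will need a browser-driven fetch instead.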

-- Julien

1 comment:

Anonymous said...

Hello Julien,

I discovered your site, and this article, only recently (Oct. 2010). Congratulations to you! I put your link on the VOP site: http://forums.voiceofthepublic.com/smf2/index.php/topic,88.msg426/topicseen.html

Best Wishes,
PROROOTECT