'Scareware' scammers abuse Google Trends to poison search results
They're riding the coattails of hot news, including Gmail's outage, to game Google
Computerworld - Cybercrooks are using one of Google Inc.'s own tools to poison search results with links that spread fake security software, a researcher said today.
"Malware distributors have abused Google Trends before," said Craig Schmugar, a senior threat researcher at McAfee Inc. "But I've never seen them use it as aggressively as they are now."
Google Trends, a tool the search giant rolled out last June, highlights the most popular searches of the past hour. At midday Thursday, for instance, the No. 1 search phrase, according to Trends, was "Obama budget."
Scammers and malware makers are closely monitoring Google Trends to guide them in selecting search phrases and legitimate news content, which they then integrate into their own fly-by-night sites, said Schmugar. The idea is to "game" Google into ranking their malware-hosting sites near the top on scores of high-profile, current events-related search results.
"I'm not talking about just a few sites," Schmugar said. "I've collected a lot of them, with poisoned links [in Google search results] that are pretty high up, almost always in the top 10."
News accounts recently abused by hackers have ranged from this weekend's stories about a worm spreading on Facebook to the attack last week by a chimpanzee that left a Connecticut woman in critical condition, said Schmugar. "They're grabbing content from pages that are already popular," he said. "They grab content from those pages and put it on their own site."
More recently, Schmugar has monitored poisoned links ranked high on searches for "Gmail down," a reference to the two-and-a-half hour outage at Google's Web-based e-mail service on Tuesday.
Because the malicious sites share the same content as legitimate pages that are currently of great interest -- and because the scammers also name those pages with the popular search phrases it pulls from Trends -- Google's ranking algorithms push those sites toward the top when people search for that news item or use those search strings.
"It looks like they're following Trends, which refreshes every hour, and then reacting very quickly to produce their own sites," said Schmugar. The only common element he's found so far among those sites is that they are all hosted on free site-hosting services. "Some portion of this must be automated," he added, to account for the quick reaction time to the hot searches and content touted by Trends.
All the poisoned links lead to sites that hit users with phony security warnings; those alerts then try to trick users into downloading a free antivirus program. The download, however, is actually a Trojan horse that continues to dun the user with fake warnings. The only way that users can stop the messages, and to supposedly clean their PCs of infection, is to pay for the worthless software.
Distributing "scareware," as the category is sometimes called, can be very lucrative. Last year, Joe Stewart, director of malware research at SecureWorks Inc., said he had found evidence that some hackers were making as much as $5 million a year from the practice.
Schmugar's advice? "Look carefully before you click," he said.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts