Search Engine Poisoning: A Brief Update

April 5, 2013 - By Chris Larsen

[Update (4/19/2013): I was in Norway last week, doing a presentation on SEP at HackCon (takk!), which was a lot of fun. In addition to covering the basic material (presented last year in a 7-part series: 1, 2, 3, 4, 5, 6, 7), I wanted to also present some new research. A bit of that got posted here on April 5, before I headed over. This update adds the rest of the data. --C.L.]

 

It's been a few months since I dipped into our Search Engine Poisoning (SEP) logs, so I've been taking a look...

 

Kan du snakke norsk?

For starters, since I was going to be speaking about this in Norway, I wanted to look specifically for examples of SEP search term sets in a Nordic language (Norwegian, Swedish, Danish, Finnish, Icelandic). In a week of recent traffic (3/01-3/07), covering 11,362 different search term sets used in SEP attacks, I could only find 13 examples (about a tenth of a percent). So these languages are all in the "rare" category for SEP attacks. For anyone who's curious, here are a few examples:

hundpensionat östergötland
musfritt.se
charlotteskolen skoleintra
curling københavn
skolkatalog.se
okome-backagård

 

Big Events

While I was in Europe, there was a nice example of a "Big Event": the death of Margaret Thatcher, on 4/08. I looked at our SEP logs for 4/08-4/15, and found zero SEP clicks for searches on either "margaret" or "thatcher" (including trying various misspellings). Then, this week brought another major news story: the bomb attacks at the Boston Marathon (4/15).

So far, I've searched our SEP logs for 4/15 - 4/17, and I've only found one definite SEP click in the logs which was related to this event (it began with a search for "live coverage of Boston bombing"). This included checking any mentions of "boston", "bomb", "marathon", "suspect", etc. For comparison, since 4/15 is the deadline for filing income taxes in the U.S., I also searched the SEP logs that day for "tax" and "deduct" and quickly found 13 SEP clicks from tax-themed searches.

In contrast to the failure of the big SEP gangs to get much traction from targeting the attack in Boston, there was a widespread spam-based campaign that we blocked a lot of attacks for. (These e-mails led to sites hosting the Redkit exploit kit.) Then, when the next big tragedy came along -- the fertilizer plant explosion in Texas -- the spam campaign quickly shifted gears and began targeting this event.

This is all consistent with our "Big Event SEP" research from a year and a half ago: Big Event attacks are much more likely to come through e-mail, Facebook, or Twitter these days; there is just too much competition from legitimate content in the search engines.

 

Image Search

I also wanted to update the status of "Image-search based SEP" attacks. For four weeks in March (3/01-3/28), just 2.27% of SEP events originated from image searches. That's a significant drop from the 9.23% reported in last year's post. The search engines appear to have really stepped up their game in this area, and are making it harder for the SEP gangs.

 

Major Upshift in SEP Defense at Google

The most interesting finding to emerge from this month's research is probably that a clear separation has emerged in the "Who's the Safest Search Engine?" contest.

Back in the original research, we'd noticed, years ago, that Google seemed to do the best job of keeping dangerous links out of their results, but as of our research in Fall 2011, Bing and Yahoo appeared to have "caught up".

However, all of those observations were based on an older research methodology that involved a lot of tedious manual work, including visually inspecting search-result pages and counting shady links by hand. Our current SEP Attack logs contain a field for the originating search engine, which can totally automate the process, and I realized I'd never run a report based on these totals...

 

(Background note: Our SEP "search term tracker" currently only knows how to log results for Google, Bing, and Yahoo; we haven't done term-set loggers for Baidu, Yandex, etc. Accordingly, if you look at market share data like this, you need to remove the data for the other search engines, and recalculate the percentages, in order to do an apples-to-apples comparison to our logs. In other words, if we restrict the search engine world to just those three -- to match our SEP search-term dataset -- Google's overall share of the search market would be right around 90%.)

 

With that in mind, going back to the month of March 2012, Google was the source of 75.1% of the SEP attacks in our malnet traffic logs; Bing accounted for 17.6%; and Yahoo hosted 7.3%:

SEP breakdown by engine - Mar 2012

Since 75% is less than 90%, we can say that Google was doing a somewhat better job, proportionally, at keeping SEP links out of its results.

Now check out the numbers from the same month in 2013: just 41.4% of the SEP attacks began with a Google search, 43.4% began at Bing, and 15.2% came from a Yahoo search:

SEP breakdown by engine - Mar 2013

This indicates that Google is doing a significantly better job keeping SEP attack links out of its results than its rivals.

(Note that one of the posts from last year included a suggestion for how Google and Microsoft could improve their SEP defenses. Maybe one took the hint and the other didn't...)

 

Closing Observations

And a few other things I noticed while looking through the logs this month:

- The biggest current health-related topic, based on our SEP attack logs, is clearly green coffee bean extract. (Which I have to say matches up nicely with our spamnet research. Raspberry ketones, your star is fading...)

- The most popular on-line game, hands-down, is Minecraft, judging by how many kids are searching for "free", "hacked", and "unblocked" (i.e., at school) versions...

- We must be getting close to Annual Performance Review time. There are a lot of people looking for sample letters to write up their accomplishments for the past year, and their goals for the next one; and a lot of managers searching for the right encouraging words to tell those people.

- And sadly, people are still far too interested in NSFW -- not-suitable-for-work (or school) -- content.

Seriously, it would be nice for people to realize that there are SEP gangs who crank out material targeting all of these topics. Every day.

Look and think before you click!

--C.L.

@bc_malware_guy