Search terms lead to compromised sites, Google cleans database

According to a Trend Micro blog entry yesterday, Ivan Macalintal wrote, when he searched for “christmas gift shopping” in Google the search engine listed several .cn URLs that led to malicious sites.

He warned: “Searching for the above phrases can lead you to the malicious URLs. Clicking on these URLs then takes you to another site via a JavaScript, eventually leading to the download and execution of a malware.”

One site was titled ‘Christmas card with girl on phone! Shopping for christmas gift' with the URL Zxzgpxltkxt.cn/1278.htm.

Furthermore, Macalintal said the sites have an IFRAME that redirects users and installs malware.

“Expect more new ones [malicious sites] to come our way this Christmas,” he warned.

Adam Biviano premium services manager at Trend Micro said the malware can be dished up in any search engine.

“There’s no reason why [the threat] shouldn’t be on other sites,” he said.

Asked what page the dubious sites appear on, Biviano said he didn't have specifics but speculated the attackers could be using SEO techniques that a web designer would use to get a high search engine rankings.

“Websites don’t appear on search engines overnight. They may have uploaded these sites months ago and then added malware,” Biviano said.

On Wednesday afternoon, a Google Australia spokesperson said the searches are now clean and stated: "Sites that exploit browser security holes to install software (such as malware, spyware, viruses, adware, and trojan horses) are in violation of the Google quality guidelines, and may be removed from Google's index."

"Google takes the security of our users very seriously, especially when it comes to malware,” the spokesperson said.

In a blog post on SunbeltBLOG on November 26, Alex Eckelberry signalled the initial warning of this trend and said "a large amount of seeded search results which lead to malware sites in Google have been noticed."

Eckelberry warned: “Clicking on these links will expose the user to exploits which will infect a vulnerable system (in other words, a system that is not fully up-to-date with the latest patches)."

securityseoweb threats