Major hacker attack distorts search engine results

A well-organized attack caused search engines to return links to sites that spread malicious software. The immediate impact on retailers seems limited, but the attack points to the potential for future mischief.

Don Davis

A well-organized attack this week resulted in search engines returning results that included links to hacker sites that try to download malicious software onto visitors’ computers. The immediate impact on retailers likely was limited, but the attack points to the potential for future mischief.

To prepare the attack, the hackers created tens of thousands of web sites crammed with common search terms, and used thousands of previously infected computers to post links back to those sites onto online forms and bulletin boards, thus making those sites appear important to search engines, according to security firm Sunbelt Software, which first posted information on the attack on the company blog Sunday.

“Sunbelt Software has uncovered tens of thousands of individual pages that have been meticulously created with the goal of obtaining high search engine ranking,” wrote Adam Thomas, a Sunbelt researcher. “Just about any search term you can think of can be found in these pages.” Sunbelt found the malicious links showed up prominently in search results for such terms as “batman movies,” “halloween pumpkins,” bicycle races,” “infinity” and “hospice,” as well as for the networking gear Thomas was searching for when he stumbled across the suspicious links.

Clicking on a link brought users to sites that prompted them to download an innocent-seeming piece of software that would infect their computer. The malicious software, or malware, in some cases would generate pop-up ads, or record keystrokes in order to obtain passwords and other confidential information. In some cases, the downloaded software would, unknown to the user, click repeatedly on sites to generate affiliate marketing or advertising commissions for the site owners, Sunbelt says.

By Tuesday evening, Google, the leading search engine, had acted to block the hacker-created pages from appearing in its search results, Thomas said, although he said today that new malicious sites were starting to appear. He says Microsoft, operator of the No. 3 search engine, Live Search, was working on it, and he had not been in touch with the second-leading engine, Yahoo.

"Google works hard to preserve the quality of our index," a spokeswoman said. "We actively identify sites that serve malware or abuse our quality guidelines in other ways. Sites that exploit browser security holes to install software (such as malware, spyware, viruses, adware, and trojan horses) are in violation of our quality guidelines and may be removed from Google`s index. The same is true for spam. In egregious cases, we will remove spammers from our index."

Yahoo issued the following statement: “Yahoo! is very serious about protecting its users from malicious sites on the Web. Malware is an ongoing battle for all search engines and Yahoo has processes in place to quickly remove these sites from its index.” And a Microsoft spokeswoman said, “We are aware of the issues and are working to rectify the situation and apologize for any inconvenience.”

These attacks are unprecedented in their scale and affect anyone who relies on search engines to generate business, including retailers, says Alex Eckelberry, CEO of Sunbelt, which is based in Clearwater, FL. “These malware folks will push their rankings higher, thus pushing others down,” he says. “However, they are transient attacks--what we saw a couple of days ago is all gone.”

The attacks are more annoying for retailers than disruptive, says Mark Simon, vice president of industry relations at search marketing firm Didit. “The online retailers that have been advertising with paid links have seen virtually no affect from this,” Simon says. “The malware sites placed links that were above the highest ranked links to gain position, but they are in the process of being cleaned from the index of the major engines as we speak.”

New malicious sites have started turning up in search results in the last couple of days, since Google acted to block the first ones to appear, Thomas says. “The bad guys obviously picked up on it and they’re creating a whole bunch of new sites,” he says. Asked if such attacks are likely to recur, Thomas says, “I don’t expect them to stop any time soon, until Google and the other guys make it stop appearing in their results.”


Google, Human-computer interaction, Hypertext, Spyware, Yahoo!