Hackers Find Clever New Way To Hose Google Users
By Dan Goodin
March 6, 2008 03:06 GMT

Hackers have found a new way to get Google to point to malicious websites with the help of unwitting websites such as ZDNet Asia and TorrentReactor. As a result, at least 20,000 Google search results that appeared to lead to pages on the Asian version of ZDNet and the BitTorrent tracker site actually directed end users to sites that attempted to install malware.

The hack, which was first documented by Dutch researcher Dancho Danchev, takes advantage of the practice by ZDNet Asia and many other sites of caching search queries typed into their search boxes. The terms are then indexed by Google and other search engines and included in the results they return. Exploiting the weakness is as easy as typing popular search terms into a popular website along with the text of an IFRAME that points to a malicious website.

Within time, the strings will be included in results returned by Google and others. Google goes to great lengths to protect users against by warning when a website included in search results is believed to be malicious. But at time of writing, queries on Google for "jamie presley," "mari misato" and "risa coda" got one or more poisoned link in the first 10 results. More than 20,000 Google results contained such redirects, according to F-Secure, the antivirus firm .

In the second half of 2007, 51 per cent of sites hosting malware were legitimate destinations that had been compromised, as opposed to sites specifically set up by criminals, according to security firm Finjan. In the case here, neither ZDNet Asia nor TorrentReactor were compromised, although the criminals were clearly taking advantage of their strong page ranking and the trust that many end users have in them.

The Register
complete article