
By Joel Hruska
December 24, 2008 - 01:55PM CT
URL redirect notifications are often meant to serve as security measures, but at least one malware blackhat is exploiting these services and redirecting site visitors from the website they think they are about to visit to a spyware-infested haven.
That's bad enough on its own, but the as-yet-unknown assailant has also used search engine optimization to push the polluted redirectors higher in Google's search rankings. Part of the problem—a significant part—is that many companies and websites use open redirects that will cheerfully redirect incoming traffic to whatever URL they're asked to send it to, even if that traffic didn't originate within the host site.
When MySpace or Microsoft inform you that you're about to be redirected off their site, they don't perform any sort of check to see if that's a good place for you to be going. That lack of security is now turning out to be a problem. According to security researcher Gary Warner, an attacker can first seed infected links across a wide variety of blogs, guestbook entries, forum posts, and false stories.
Since the links reference prominent websites that already hold high Google ranks, the false posts themselves are more likely to be presented as initial results. The malware hook, in this case, is double-baited. By using a popular set of keywords (say, World of Warcraft) and attaching them to an IBM redirect, our spammer has built himself a nifty trap. If all goes well, misdirected search traffic begins to flow into whatever domain the blackhat has devoted to that purpose.
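The two gaps described above (no check on the destination, and no check that the link came from the host site) can be seen side by side in this added example, which is not from the article or from any of the sites it names. The key, the allowed host, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Assumed values for illustration; none of these come from the article.
SIGNING_KEY = b"constructed-demo-key"
ALLOWED_HOSTS = {"example.com"}  # the site's own domain and its subdomains


def sign_target(target: str) -> str:
    """Tag the site attaches when it generates an outbound link itself."""
    return hmac.new(SIGNING_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def open_redirect(target: str) -> str:
    """Unchecked redirector: whatever URL it is handed becomes the Location."""
    return target


def checked_redirect(target: str, sig: str = "") -> Optional[str]:
    """Return the Location to send, or None to refuse the redirect."""
    # Backslashes and control characters can make a browser resolve a
    # different host than the one parsed here, so refuse them outright.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return None
    try:
        parts = urlsplit(target)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    if host in ALLOWED_HOSTS or any(host.endswith("." + h) for h in ALLOWED_HOSTS):
        return target
    # Off-site destinations are honoured only when this site produced the
    # link, which a valid HMAC over the exact target URL demonstrates.
    expected = sign_target(target).encode("ascii")
    if sig and hmac.compare_digest(sig.encode("utf-8"), expected):
        return target
    return None
```

A refused redirect (`None`) would typically be answered with an error page or a fixed landing page rather than a `Location` header.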