To get their links in front of victims who are likely to see and click on them, antivirus hoaxers need vectors, and they’ve used many: porn sites, online advertisements, search results, software traded on file-sharing sites, and links on Facebook and Twitter. Increasingly, malicious websites using these vectors are created daily or even hourly to keep ahead of efforts to block them and shut them down.
Infecting online advertising is quite simple: the bad guys buy ads and rig them with malicious code or links. According to the FTC, representatives of Innovative Marketing posed as representatives of real companies and organizations—including Travelocity, Priceline, and Oxfam International—and purchased advertisements supposedly on their behalf. Those online ads employed an ingenious variant on location-based targeting. They appeared legitimate when viewed from the IP addresses of the ad network’s employees, but viewers at other addresses were redirected to fraud sites. More recently, according to a report by the security company Websense, infected advertisements—placed by ad networks that had not thoroughly checked out the clients—have shown up on Gizmodo, TechCrunch, and the website of the New York Times.
But search engines might be the predominant vector now, says Stefan Savage, a computer scientist at the University of California, San Diego. The scam artists play a variety of search optimization tricks to fool the algorithms that Google, Bing, and other engines use to determine which Web links to show in response to search requests. Generally, a page on an infected site (such as Kiwiblitz.com) is quietly stuffed with trendy search terms and links to images. Then the malicious players interlink pages—hundreds or thousands of them—so that the search engines’ Web-crawling programs rank the infected page near the top for apparent popularity and relevance. Denis Sinegubko, a malware researcher in Russia, believes that criminals “have managed to hijack search results on the first pages of Google Image search for millions of keywords.” As a result, he estimates, people clicked on poisoned image-search results 15 million times a month this past spring. Google says it has since reduced the number of malicious links in image searches by 90 percent from peak levels, and a spokesman emphasized that it continues to plug holes in its algorithms to head off new methods of attack. Google says that 0.5 percent of searches bring back returns that include at least one known malicious website. This might sound low, but given that Google handles more than a billion searches daily, it means that five million search returns every day bear a malicious link.
When Google identifies a potentially malicious search result after reports by users or security companies, it flags it with warning messages. And if a site has “gamed” the search engine and should not have been delivered in the first place, Google will remove it from the search returns. Google also reveals its list of malicious sites to Internet security companies and Web browser companies, which can issue their own warnings if you try to type in the addresses. “Our response time has gone from weeks or days to hours and even minutes,” says Panayiotis Mavrommatis, a malware researcher at Google.
But the Web industry still hasn’t been able to keep up with the problem. Facebook, for example, blocks its users from accessing websites that are on Google’s blacklist or that it has identified, internally or through other sources, as malicious. Yet it and other social-networking sites, like Twitter, are still major vectors, in part because criminals set up bogus accounts or hack legitimate ones. Some 40 percent of Facebook status updates contain links; of those, 10 percent lead to spam or malicious websites, according to a November report by Websense. Mavrommatis, like other security researchers, admits that the challenge is a tall one. “With the rotation of domains, the URL-based filters become less powerful. And with content-based filters—again, encryption breaks them,” he says. “That is why it is so hard.”