A Royal Wedding Scam

Updated 18:50 EST with comment from Google.

The royal wedding came off without a hitch. Unfortunately, the same can’t be said about online searches for news and images related to the event. Google Image searches for “royal wedding coverage” yesterday—which Google said was the number one U.S. search term for a time—led users to a number of websites doling out malicious software.  

At one point, clicking one of the images under “royal wedding coverage” led users to a common scam—bogus warnings of a computer infection. The embedded video, produced by researchers at StopBadware, shows how a common search could trick  users into “purchasing” what is really a nonexistent security solution—and a related blog post provides a detailed analysis of how it all worked.

This particular scam has defied all industry efforts to defeat it in the past several years. While its main aim is to steal money and credit card numbers (the scammers, many of whom are based in Eastern Europe, have found it very profitable), it is often accompanied by less visible attacks that aim to do things like install password-stealing programs via security holes in the user’s computer.

When I clicked the image identified by the group—of Princess Diana—the security scam vomited across my screen, defying not only Google but the up-to-date ESET antivirus protection on Technology Review’s computers. (Indeed, StopBadware’s analysis today found that most security products could not detect this attack.)

This scam program surfaces in many contexts, including links spreading on social-networking sites and through advertisements. In these cases it is hosted on malicious websites (or hacked pages of legitimate websites) that users land on through the “poisoned” search results. Malware scammers often hack into legitimate websites and add a page full of “bait”—lists of terms that people might be searching for. Then they link that hacked page with hundreds or thousands of other hacked pages—or with new pages of their own creation. This strategy can sometimes fool search engines.

Have you been hit by this ubiquitous scam?  If so, please add to the comment string and briefly explain what happened. I may get in touch with you to find out more.

Google responded to a question about the royal search incident with this statement:  “Google can respond quickly to new threats like these because utilizing popular search terms and events to lure users into visiting malicious web pages is not new. We’ve looked at these issues closely and work hard to protect our users from malware. We actively work to detect and flag sites that serve malware, keeping on top of the latest trends and watching for popular search terms. To do this, we have manual and automated processes in place to enforce our policies. We’re always exploring new ways to identify and eliminate malicious sites from our index.”