If you are a regular user of Google's search engine you might have noticed that poisoned search results have practically become a common occurrence.
Google has, of course, noticed this and does its best to mark the offending links as such, but it still has trouble when it comes to cleaning up its image search results.
ISC's Bojan Zdrnja took it upon himself to explain how the attackers actually do it, and shows that it is rather simple.
For one, they attack and compromise a great variety of legitimate websites - usually those running WordPress, since it often has easily exploitable vulnerabilities and its legitimate users are often lax about updating it.
Then, they insert PHP scripts into the sites' source code. "These scripts vary from simple to very advanced scripts that can automatically monitor Google trend queries and create artificial web pages containing information that is currently of interest. That is actually how they generate new content – if you ever wondered how they had those web sites about Bin Laden up quickly it is because they automatically monitor the latest query trends and generate web pages with artificial content," he explains.
They also harvest images from other sites and embed them in the page. When the scripts detect Google's crawlers, they serve them pages containing the automatically generated content, and the pictures end up in the image search database.
"The exploit happens when a user clicks on the thumbnail," says Zdrnja. "Google now shows a special page that shows the thumbnail in the center of the page, links to the original image (no matter where it is located) on the right and the original web site (the one that contained the image) in the background."
Google displays all of this in an iframe, so the browser automatically sends a request to the compromised page. The PHP script inserted there checks whether the user arrived from a Google results page and, if so, serves another script - this time a JavaScript one - that redirects the browser to another compromised site, which serves the malware.
Users should be careful about what they click, but malicious links are sometimes hard to spot. Zdrnja advises the use of browser add-ons such as NoScript for Firefox, but believes that Google could help by not using an iframe to display the results.
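As an added example (not code from the article or from Zdrnja's diary), a defender-side check in Python for a site you administer: it requests the same page as a plain browser, as a Google crawler user-agent and as a browser arriving from a Google results page, and flags the cloaking the paragraph describes. The persona headers, the redirect patterns and the two sample fetch functions are constructed assumptions.

```python
import re
from typing import Callable, Dict

# Personas sent as request headers. The fetch callable is injected so the
# same check runs against a real site (e.g. via urllib) or offline sample data.
PERSONAS: Dict[str, Dict[str, str]] = {
    "browser": {"User-Agent": "Mozilla/5.0", "Referer": ""},
    "crawler": {"User-Agent": "Googlebot/2.1", "Referer": ""},
    "from_google": {"User-Agent": "Mozilla/5.0",
                    "Referer": "https://www.google.com/imgres?q=example"},
}

# Markers of a client-side redirect injected into the page body.
REDIRECT_RE = re.compile(
    r"(window\.location|document\.location|location\.href|location\.replace"
    r"|http-equiv=[\"']?refresh)", re.IGNORECASE)

def check_cloaking(fetch: Callable[[Dict[str, str]], str]) -> Dict[str, object]:
    """Fetch the page under each persona and report whether it is cloaked."""
    bodies = {name: fetch(headers) for name, headers in PERSONAS.items()}
    baseline = bodies["browser"]
    differs = {name: body != baseline for name, body in bodies.items()}
    # The article's case: only visitors arriving from Google get a redirect.
    referer_redirect = bool(REDIRECT_RE.search(bodies["from_google"])) and \
        not REDIRECT_RE.search(baseline)
    return {
        "differs_from_browser": differs,
        "referer_redirect": referer_redirect,
        "cloaked": any(differs.values()) or referer_redirect,
    }

# Constructed offline stand-in for a compromised page, behaving as the article
# describes: crawlers get generated content, visitors from Google a redirect.
def sample_compromised_fetch(headers: Dict[str, str]) -> str:
    if "Googlebot" in headers.get("User-Agent", ""):
        return "<html><body><h1>Trending topic</h1><img src='a.jpg'></body></html>"
    if "google." in headers.get("Referer", ""):
        return "<html><script>window.location='http://example.invalid/'</script></html>"
    return "<html><body><p>Ordinary blog post</p></body></html>"

# Constructed clean page: identical for every persona.
def sample_clean_fetch(headers: Dict[str, str]) -> str:
    return "<html><body><p>Ordinary blog post</p></body></html>"

if __name__ == "__main__":
    print(check_cloaking(sample_compromised_fetch))
    print(check_cloaking(sample_clean_fetch))
```

Run against a live site, `fetch` should request the exact URL that appears in the poisoned image result, since the injected script only reacts on that page.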