Google, Bing open new criminal opportunities by adding Twitter, Facebook feeds

December 10th, 2009

The race between Google, Microsoft Bing and Yahoo Search to incorporate Facebook updates and Twitter microblog postings into search results — in near real-time — is likely to result in a bonanza for cybercriminals looking to take control of your PC.

Google this week announced that it, too, now has the capacity to inject up-to-the-minute Twitter feeds into search query results. Microsoft made a similar announcement on 21Oct2009, as did Yahoo on 19Nov2009.

Each search service has now also forged partnerships with Facebook — and so the race is on to integrate fresh Facebook updates into their respective search query results, as well. The end game: win the loyalty of social network users — and reap revenue from advertisers desiring to reach those communities.

Heightened risk of infection

Yet no one has found a way to prevent cyber criminals from injecting malicious Web links into search results. Similarly, no one has been able to stop criminals from spreading bad Web links via Facebook messages and updates and Twitter Tweets.

So while charging ahead to swiftly blend social network feeds into search results may make sense on paper, the search services could be underplaying the heightened risk that search users will lose control of their PCs to cyber crooks.

“This is just going to amplify the bad effects and make it that much easier for criminals to get their stuff to the top of the search results and infect more users,” says Michael Greene, Vice President of Product Strategy at PC Tools. “Speed tends to enhance guerrilla tactics. The bad guys are getting in, infecting you and getting out before anybody realizes what happened.”

For their part, the search companies say they are doing all they can, and contend there is nothing serious to worry about.

Larry Cornett, vice-president of consumer products at Yahoo, says the Twitter feeds Yahoo began integrating into its search service on 19Nov2008 are being cleansed. “You won’t see second-by-second updates because we have to go through the science of making sure (each Twitter feed) is relevant and not spammy.”

Google uses “automated and manual processes” to weed out malicious links and warns users when a website appears to be compromised, says spokesman Nate Tyler. “We will continue to improve and refine these systems,” says Tyler.

Sean Suchter, general manager of Microsoft’s Search Technology Center, Silicon Valley, adds: “With the proliferation of content on the web, we’re continuing to use a wide variety of tools to block malicious content for our customers on both web and social searches.”

Defenses subverted

Still, security researchers say the bad guys routinely subvert the defenses thrown up by the top search services and social networks. Corrupted Web links continue to appear pervasively on the top social networks and in Google search results. These malicious URLs are the starting point for turning your PC into a bot and aligning your compromised machine with several thousand others, forming a botnet.

Perhaps 40% of the 1 billion computers connected to the Internet are bots; botnets are the engines driving all major forms of cyber crime.

Cybercriminals direct botnets to spread spam, carry out phishing attacks, inundate the Web with scareware promotions, steal your sensitive data, hijack online financial accounts, launder stolen funds, and carry out denial of service attacks for extortion or to back political causes.

And now the bad guys are using botnets to carry out so-called Black Hat SEO attacks against Google, Microsoft and Yahoo. SEO — search engine optimization — is a set of techniques that have emerged to trick search engine Web crawlers into boosting the ranking of a given Web page.

The SEO factor

This is how SEO works: Let’s say you wanted your personal blog home page to show up high in the rankings for queries for “tangerines.” First, you would make certain that your Web page coding conforms to what the search engine crawlers are looking for. Second, you’d craft any headlines to prominently and frequently mention tangerines. Third, you’d visit other blogs and media sites that permit you to comment; you’d post polite comments and include a link back to your home page. The search engine crawlers count such cross-links in their ranking algorithms; more cross-links are better, and links from heavily-trafficked sites are best of all.

Legit SEO and Black Hat SEO techniques are coming into wide use. Big Media sites are coding for SEO and training people to write SEO-friendly blog and news story headlines. And there is a thriving cottage industry of SEO specialists who, for a fee, will execute a cross-link strategy to help companies boost their Web page ranking for certain queries.

Ideal fit for Black Hat SEO

Botnets fit into SEO like a well-manicured hand into a silk glove. Black Hat SEOers have set up thousands upon thousands of shell Web sites on botted PCs. Next, they use an automated program that continually inserts headlines with the hottest search queries of the hour onto the shell sites. Finally, they send cross-links from one site to the next, boosting the rankings of this matrix of shell sites.

Each shell site also carries an infection, so anyone who clicks on a link to a shell site proceeds down the path to becoming a bot, thus turning over control of his or her machine to the attacker.

In the last year, BlackHat SEO attackers have “reached a fever pitch,” says PandaLabs researcher Sean-Paul Correll. Automated processes are being used to instantly adjust to whatever the hot search query is of the moment. Shell websites get updated with references to the hot topic, such as queries including the term “Afghanistan” or “Tiger Woods.”

“Every single trending topic tracked by Google is actively and effectively being targeted by cyber criminals in new BlackHat SEO attacks every day,” says Correll.

Meanwhile, other criminals focused on spreading bad links far and wide through popular social networks are proving to be equally pro-active and innovative.

“Koobface has been evolving recently,” says Roel Schouwenberg, senior researcher at Kaspersky Lab. “The social engineering has become much more convincing than in the beginning. Simultaneously, Facebook has become a popular topic in malicious emails trying to install the Bredolab trojan. That could well point to that criminal group looking into expanding into Facebook. Twitter currently mostly seems to be attracting traditional spam, rather than malicious spam.”

As the search giants and top social networks blend their services and speed them up, more doors and windows will open for the bad guys, says Schouwenberg. “I think our job just got a bit tougher. This means automation of Black Hat SEO gets a whole lot easier, and quite likely more effective.”

Sophos senior analyst Chet Wisniewski concurs. The search services’ new real-time integration of social network feeds “certainly will make it easier to expose users to fraud,” he says.

Wisniewski believes Web users in general remain too naïve about the rising risk that the next Web link they click on will be tainted. “The existing Black Hat techniques work so well partly because users mostly trust the benevolent Google to only provide them with legitimate results,” he says. And social network users “tend to ignore some clues that things might not be quite right.”

–By Byron Acohido