Roger Thompson of Exploit Security Labs posted today about finding poisoned Google sponsored links that silently route searchers through malicious sites that attempt to surreptitiously install malware on your PC.
According to Thompson, if you ran a Google search for "BetterBusinessBureau" from April 10 through about 11am EST this morning, you'd have stood a one-in-three chance of seeing a top sponsored link with green link text that read www.bbb.org - just like the real search result. If you clicked that sponsored link, you'd even end up at the regular BBB site as normal.
But before you got to the bbb.org site, you'd invisibly pass through a malicious site that would try to exploit an Internet Explorer browser hole. The site wouldn't have shown up in your browser, and you wouldn't have had any way of knowing about the redirection ahead of time. Unlike with real search results, you don't see the destination URL if you pass your mouse over a Google sponsored link.
Our colleagues over at InfoWorld have some more background on this in a story called: Experts: Google Doesn't Police Advertisers.
You'd have had no idea that you passed through the poisoned site on your way to the BBB - or that if your PC lacked a critical security patch, the site would have surreptitiously downloaded malware onto your computer meant to steal banking credentials. (When Thompson e-mailed a sample to me, my antivirus identified it as Infostealer.Bancos and deleted it from my e-mail.)
I haven't yet heard back from Google to see if they can verify these attacks, but Thompson has screenshots with results from his LinkScanner browser add-on that appear to identify the malicious links.
When I talked with Thompson, he said the attacks attempted to hit an old but still commonly attacked Windows MDAC vulnerability in Windows XP and Windows Server 2003. So if you were smart enough to keep your system patched, you'd have been safe from these particular exploits.
But it looks like the framework is still in place for other Internet criminals to come along and pay for a similar sponsored link for other search results. Redirecting through an advertising service site that records your click is not unusual even for legitimate sponsored links, Thompson says. When I just checked, Ask.com also hides the URL for sponsored links, while Yahoo and MSN display what look like redirection links at yahoo.com and msn.com.
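As an added illustration (not code from the original post or from Thompson's tools), here is the kind of check a defender could run over a sponsored link before trusting its displayed domain: it walks the redirect chain hop by hop, treats a known ad click-tracking host as expected, and flags any other intermediate host even when the chain does end at the domain the ad displayed. The redirect map and hostnames are constructed sample data; `ads-clicktracker.example` stands in for a legitimate advertising redirector and `intermediary.example` for the hidden hop.

```python
from urllib.parse import urlparse

# Constructed sample: maps a URL to the Location header the server would
# return (None = final page, no redirect). Stands in for live HTTP requests.
REDIRECTS = {
    "http://ads-clicktracker.example/c?id=123": "http://intermediary.example/go",
    "http://intermediary.example/go": "http://www.bbb.org/",
    "http://www.bbb.org/": None,
}

# Redirector hosts the defender already trusts (constructed allowlist).
KNOWN_AD_REDIRECTORS = {"ads-clicktracker.example"}

MAX_HOPS = 10  # guard against redirect loops

def host_of(url):
    return urlparse(url).hostname or ""

def same_site(host, displayed):
    """True if host is the displayed domain or a subdomain of it."""
    return host == displayed or host.endswith("." + displayed)

def walk_chain(start_url, redirects=REDIRECTS):
    """Return the URLs visited in order, stopping at the final page
    (no redirect, or a URL not in the map) or after MAX_HOPS."""
    chain, url = [start_url], start_url
    for _ in range(MAX_HOPS):
        nxt = redirects.get(url)
        if nxt is None:
            break
        chain.append(nxt)
        url = nxt
    return chain

def audit_link(click_url, displayed_domain, redirects=REDIRECTS):
    """Classify a sponsored link: does the chain land on the advertised
    domain, and which intermediate hosts are neither that domain nor a
    known ad redirector? Any such hop is reported as suspicious."""
    chain = walk_chain(click_url, redirects)
    hops = [host_of(u) for u in chain[:-1]]
    unexpected = [h for h in hops if not same_site(h, displayed_domain)
                  and h not in KNOWN_AD_REDIRECTORS]
    return {"chain": chain,
            "lands_on_displayed": same_site(host_of(chain[-1]), displayed_domain),
            "unexpected_hops": unexpected,
            "suspicious": bool(unexpected)}
```

The point of the check is that "lands on the right site" is not enough: the sample chain ends on www.bbb.org yet is still flagged because of the unexplained hop in the middle.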
Also, a subdirectory of the malicious redirection site used in the Google attacks still appears to host the MDAC exploit.
I'd love to hear from Google whether they screen purchasers of sponsored links or the redirection URLs they use. I hope so, since after this and the MySpace malicious banner ad fiasco from last year, online crooks now seem to happily use ads as an attack vector.
In the meantime, you can use XPL's LinkScanner and McAfee's SiteAdvisor, both available in free versions, to give you some advance warning about dangerous search results.