Google Improvements Fail To Halt Massive Malware Attack
By: Chris "Silver" Smith, 2007-11-28

Various news sites are reporting that a malware attack was deployed in the last couple of days, apparently based entirely upon black hat SEO tactics. Software security company Sunbelt blogged about how the attack was generated: a network of spambots apparently added links into blog comments and forums pointing to the bad sites over a period of months in some cases, enabling those sites to achieve fair rankings in search engine result pages for a great many potential keyword search combinations. The pages either contained iframes which attempted to load malware onto visitors' machines, or perhaps they began redirecting to the sites containing malware at some point after achieving rankings. Sunbelt provided interesting screenshots of the SERPs in Google, and also showed screenshots of some of the keyword-stuffed pages which apparently got indexed.

I think it's not at all a coincidence that the attack was timed to occur right on the first weekend of the holiday shopping season and Cyber Monday, when more people are likely conducting keyword searches than at any other time of year. Deploying the malware now was likely intended to infect as many computers as possible before the malware was detected and the sites deleted from listings.

The methods these unethical developers used are pretty classic black-hat tactics. For many years now, black-hat optimizers have used automated agents to insert keyworded text links into blog and forum comment areas and online guestbooks, pointing back to their sites in an effort to build PageRank. In addition, really old and crusty black-hat techniques include keyword stuffing: adding tons of keywords on a page in an effort to make the page relevant for those words and phrases. Also, the bait-and-switch technique of allowing one page to get indexed by search engines while redirecting human users to a different URL is pretty well known.

In recent months, Google has apparently been working particularly industriously to penalize more sites that may be buying/selling links or which may be involved in various linking schemes. So much so that there's been considerable talk about how some of the affected sites may've been unfairly red-flagged by bad assumptions made by their algorithmic policing software.
So, it's disappointing that a network of egregious malware sites was able to effectively employ legacy black-hat tactics which ought to've been detectable earlier. It feels a bit like having the police devote all their time to writing minor speeding tickets while violent murders are happening!

Now, to be fair, any site which appears on the level could suddenly start redirecting to a bad location, and there'd naturally be a period of time before the search engine bots re-spider the page and realize that there's malware on it. During that window of time between when it was first spidered while appearing all right and the time later when it starts launching evil, it could naturally continue to appear in the SERPs, where innocent people could click on it and get infected. Also, the term combinations that Sunbelt cited were moderately arcane in some cases, so average users might not've been impacted in any significant numbers. It could also be that Sunbelt might well be hyping up the issue in order to get attention for themselves, so you have to consider their assessment as possibly non-objective.

Even so, just the fact that this rather pedestrian combination of black-hat tactics could be used to effectively poison search results with malware listings is significant and disturbing. Why wasn't the comment spam detected early on? One assumes that the slow accretion of links over months may not've set off alarms, or perhaps the comment text added was made to be cleverly relevant. And the spam-laden content of the pages looks blatantly unnatural to me; that should've also been detectable. And how about perhaps being suspicious of gobbledygook domain names? And domains ending in .CN?
I know gobbledygook in and of itself might be hard to detect (particularly considering all the gobbledygook that still slips past spam filters on email), and it's unclear in and of itself whether it represents a bad content site, but you'd perhaps expect that one could tell whether the character strings contain patterns which match names/words by some percentage of fuzziness, and red-flag those that don't match more normal naming patterns, associating lower trust scores or quality scores with them. Even sadder, some of the domain names involved were so new they should've easily been detectable and flagged as suspicious just on that basis alone. For instance, I just looked up registration info for one of the sites IDed by Sunbelt, luewusxrijke.cn, and found that it'd only been registered on November 24th! Why didn't registrar status provide enough distrust to sandbox these sites?

Tags: Google, Malware
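As an added example (not code from the article, Sunbelt or Google), here is one way to turn the author's suggestions into a trust score: a word-coverage test for random-looking labels, a penalty for registration only days before the domain shows up in results, and a TLD watch list. The vocabulary, weights, threshold, the two extra domains and the Cyber Monday "seen" date are constructed assumptions; luewusxrijke.cn and its November 24th registration come from the article.

```python
"""Domain trust heuristics sketched in the article (added example, not Sunbelt's code)."""
from dataclasses import dataclass
from datetime import date

# Constructed mini-vocabulary; a real deployment would load a full word list.
VOCAB = {"shop", "shopping", "cyber", "monday", "holiday", "deal", "deals", "gift",
         "gifts", "toys", "free", "music", "video", "download", "news", "blog",
         "online", "store", "best", "buy", "cheap", "sale", "home", "games", "lyrics"}

def word_coverage(label: str, vocab=VOCAB) -> float:
    """Fraction of the label covered by dictionary words of 3..12 letters (DP
    segmentation): the author's 'percentage of fuzziness'. 'cybermonday' -> 1.0."""
    label = label.lower()
    n = len(label)
    best = [0] * (n + 1)                 # best[i]: max covered chars in label[:i]
    for i in range(1, n + 1):
        best[i] = best[i - 1]            # option: leave character i-1 uncovered
        for j in range(max(0, i - 12), i - 2):
            if label[j:i] in vocab:      # a vocabulary word ends at position i
                best[i] = max(best[i], best[j] + (i - j))
    return best[n] / n if n else 0.0

@dataclass
class DomainRecord:
    name: str
    registered: date                     # creation date from registrar/WHOIS data

def trust_score(rec: DomainRecord, seen_on: date, tld_watch=frozenset({"cn"})) -> float:
    """1.0 = no red flags, 0.0 = maximal distrust. The weights are assumptions."""
    labels = rec.name.lower().split(".")
    sld, tld = (labels[-2] if len(labels) > 1 else labels[0]), labels[-1]
    score = 1.0
    score -= 0.5 * (1.0 - word_coverage(sld))        # gibberish-looking label
    age_days = (seen_on - rec.registered).days
    if age_days < 30:                                # registered days before it appeared
        score -= 0.4 * (1.0 - age_days / 30)
    if tld in tld_watch:                             # TLD the author singles out
        score -= 0.1
    return round(max(score, 0.0), 3)

def should_sandbox(rec: DomainRecord, seen_on: date, threshold=0.5) -> bool:
    return trust_score(rec, seen_on) < threshold

if __name__ == "__main__":
    # luewusxrijke.cn / Nov 24 come from the article (2007); the rest is constructed.
    seen = date(2007, 11, 26)
    for rec in (DomainRecord("luewusxrijke.cn", date(2007, 11, 24)),
                DomainRecord("holidaydealz.com", date(2007, 11, 10)),
                DomainRecord("cybermonday.example", date(2005, 1, 1))):
        print(rec.name, trust_score(rec, seen), should_sandbox(rec, seen))
```

The partially matched "holidaydealz" stays above the threshold despite a two-week-old registration, which is the point of scoring rather than hard-blocking on any single signal.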
About the Author: Chris formerly headed up the Advanced Technology Department for Verizon Superpages.com (later spun off under Idearc Media), where he worked for ten years, specializing in patent-pending work in mapping, local search, analytics, and SEO. As the natural search optimization expert for Idearc, he founded and chaired the company's SEO Council. Chris is currently a Lead Search Strategist for Netconcepts, a search optimization firm. Chris is a regular columnist for Search Engine Land, covering the 'local search' beat. He also blogs for Natural Search Blog, and speaks at industry conferences such as Search Engine Strategies.
SearchNewz is an iEntry, Inc. publication. © 1998-2008 All Rights Reserved.