Last Updated: Thursday, 29 November 2007, 11:31 GMT
Hackers hijack web search results
By Mark Ward
Technology correspondent, BBC News website


A huge campaign to poison web searches and trick people into visiting malicious websites has been thwarted.

The booby-trapped websites came up in search results for search terms such as "Christmas gifts" and "hospice".

Windows users falling for the trick risked having their machine hijacked and personal information plundered.

The criminals poisoned search results using thousands of domains set up to convince search index software they were serious sources of information.

Innocent victim

While computer security researchers have seen small-scale attempts to subvert search results before now, the sheer scale of this attack dwarfed all others.

"This was fairly epic," said Alex Eckelberry, head of Sunbelt Software - one of the firms that uncovered the attack.

Mr Eckelberry said tens of thousands of domains were used in the vanguard of the attack. Most domains were Chinese registered, hosted in the US and were only a couple of days old.

Websites loaded on these domains were booby-trapped with malicious software that looked for vulnerabilities in copies of Microsoft's Internet Explorer used to browse them.

"If your machine was not fully patched you were going to get hosed," said Mr Eckelberry.

The criminals who bought the domains convinced the indexing software used by Google, MSN and Yahoo they were good and popular sources of information, said Mr Eckelberry.

Although the results were indexed by Yahoo and MSN, the webpages were coded to only show up if someone used Google.

They accomplished this using comment spam on blogs to push the pages up the search index rankings.

Sunbelt had discovered malicious sites connected with search terms such as "hospice", "cotton gin and its effect on slavery", "infinity" and many more.

"You could be searching for really innocuous things and get nailed," said Mr Eckelberry. "There was really nasty stuff in there."

"If there's any message from this I can scream from the rooftops it's make sure you patch your machine," he said.

Security firm Trend Micro also discovered a series of booby-trapped sites aimed at Christmas gift shoppers and those looking for information about many other innocent subjects.

"Some of the top rated hits are leading to the malicious sites," said Raimund Genes, chief technology officer at Trend Micro.

Mr Genes said the booby-trapped websites discovered by Trend Micro tried to exploit several different vulnerabilities in Microsoft's web browser. The sites also attempted to stop the malicious software being spotted by intermittently scrambling the package before it downloads.

He speculated that the campaign was being waged by the Russian Business Network - a hi-tech criminal gang known to favour web-based attacks.

The booby-trapped websites were thought to be in operation for about 24 hours before Google began stripping them out of its search index. Some of the trapped websites are believed to be still turning up in searches carried out on Yahoo and MSN Live.

But, said Mr Eckelberry, this attack was likely to be a harbinger of many more.

"This is not going to go away," he said.
