Zscaler Tools

Search Engine Security – Firefox Add-on

Add to Firefox
Click on the link above to install the plugin.

Version
1.2.1

Description

Blackhat Search Engine Optimization (SEO) is a growing problem that search engines are failing to combat. This Firefox add-on will prevent Blackhat SEO attacks by masking the source of requests to malicious pages, ensuring that the attacks are never delivered. Blocking SEO attacks before they ever reach the browser is critical as anti-virus engines typically have a very low detection rate for binaries used in the attacks.

The Problem

Attackers are abusing SEO in order to ensure that malicious websites are included within the top search results. They target popular search terms and given the resources at their disposal, the attackers are extremely effective injecting malicious results. The pages injected include malicious content that will target and infect PCs using a variety of techniques such as delivering fake antivirus, Flash/Java upgrades, codecs, etc. Unfortunately, search engines are having limited success in blocking such attacks and anti-virus vendors are failing at deploying signatures to detect the malicious binaries included in the attacks due to the rate at which they change.

Referer: http://www.google.com?q=this+is+a+test&hl=en&safe=active

For these requests, the add-on changes the Referrer header to a different value. This means that the requested page does not know that a given request came from a Google, Yahoo or Bing search. This is critical as Blackhat SEO pages only deliver malicious content (fake AV, Flash/Java updates, codecs, etc.) when requests come from the SEO results. Changing the Referer header, breaks the attack.

The add-on does not change the referrer if you navigate within the same site (for example, inside google.com), or if your Referrer does not include a Bing, Yahoo or Google domain.

Configuration

You can customize the behavior of the Search Engine Security add-on. In the preferences menu, you can change the following values:

Searching Preference

Protect

Select the search engines for which you wish to enable protection.

Use Referer header

Choose the Referer value to use for overriding the Google/Bing/Yahoo Referer. You can use an empty value, but it is recommended that you use a valid URL.

User-Agent modification

Most spam pages look at the Referrer value to decide whether or not to redirect users to a malicious page. However, in some cases like the Hot Video pages, only the User-Agent value is used. One common check is to look for "slurp" in the user-agent string to flag the request as coming form the Yahoo crawler. If you check the "Modify User-Agent" checkbox in the options, the string "slurp" is added to the User-Agent header when you leave Google/Bing/Yahoo in addition to overriding the Referrer header.

This option provides additional protection against malicious spam SEO.

Whitelist

Some websites display a different page if you come from a search engine. When you use this add-on, the websites can no longer detect that you come from Google/Yahoo/Bing. If you are sure that a website is safe, you can add it to the whitelist. This will disable the add-on for this website.

If the URL matches any of the elements in the whitelist, the add-on does not change the Referer value. This is a string match and the match occurs if the URL includes one element of the whitelist. For example, http://www.expert-exchange.com/ can be whitelisted by adding:

  • http://www.expert-exchange.com/ (also matches http://www.expert-exchange.com/foo)
  • expert-exchange.com/ (matches any subdomain)
  • expert-exchange. (matches the domains expert-exchange.net, expert-exchange.org, and paths like http://example.com/expert-exchange.html/)
  • etc.

If you find any problem with this add-on, please let me know at jsobrier@zscaler.com

 

Ad Retargater