Google is widely used by attackers to trick users into going to malicious sites. The attackers hack legitimate sites that rank high on popular searches. The hacked pages display good content to the Google crawlers but when users surf to the hacked pages, they receive malicious content, which redirects them to other harmful domains.
While some Google searches contain numerous malicious results, even on the first page, Google seems to be attempting to address this issue. While analyzing the results for “google april fool”, I found several malicious results. I’ve investigated two - the 11th and 15th search results. The first link is to hxxp://consultenet.com/seriously/topeka-google-april-fools.html, while the second one is hxxp://sitnprettyphoto.com/werishmne/topeka-google-april-fools.html. Both links redirect to mysecure-safetypc.xorg.pl, a domain that displays fake antivirus pages to trick users into downloading and installing malware disguised as antivirus software.
A known bad site to Google
Google maintains a public list of malicious sites, known as Google SafeBrowsing. You can look at the status of any domain by going to http://www.google.com/safebrowsing/diagnostic?site=<domain>. Within a few seconds of spotting these 2 malicious links, consultenet.com was not showing up anymore in the top 100 results. The Google diagnostic page flagged the domain as having been involved in distributing malware.
Google Diagnostic for consultenet.com
Note that Google says “this site is not listed as malicious”, but that it is used to distribute malware. Indeed, consultenet.com does not host any malware, but it used to redirect users to a different domain that hosts the malicious content.
How does Google use this information? A search for “site:consultenet.com” yields 403 results. By looking at the URLs, it is easy to spot the bad pages. One of them is hxxp://consultenet.com/seriously/didi.html. If you access this page from Google using the same search terms, you get the harmless page which Google used to rank the content. The hacked page looks at the Referer header to check where the user is coming from. Not only does the user have to come from Google, but it also needs to have done a “normal” search. This is an attempt to fool both Google and security tools into marking these pages as good.
Yes, all the fake pages are as ugly as this one! But this is the content that matters to Google.
I extracted 3 words from the page, and ran the following Google search: “didi index indicator”. Sure enough, the malicious page shows on the first result page as the 5th result.
Don’t click on link #5
If you follow the link, you get redirected to the following fake antivirus page on xorg.pl.
Fake antivirus page
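The Referer-keyed cloaking described above (a harmless page for crawlers and direct visitors, a redirect only for users arriving from a Google search) can be checked for by fetching the same URL under several Referer values and comparing the answers. The script below is an added example, not code from the original post: the Referer profiles, the `.invalid` host names and the simulated hacked page that stands in for a live server are all constructed assumptions so the check runs offline; `http_fetch` is the real, redirect-disabled fetcher you would pass in when scanning a URL you are responsible for.

```python
"""Referer-conditional cloaking check (added example, not the post's code)."""
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], bytes]

# Assumed referer profiles; the hacked pages keyed on a Google *search* referer.
REFERER_PROFILES = {
    "none": {},
    "google_home": {"Referer": "https://www.google.com/"},
    "google_search": {"Referer": "https://www.google.com/search?q=didi+index+indicator"},
}

def fingerprint(resp: Response) -> Tuple[int, str, str]:
    """Reduce a response to (status, Location, short body hash) for comparison."""
    status, headers, body = resp
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return status, location, hashlib.sha256(body).hexdigest()[:16]

def detect_cloaking(url: str, fetch: Callable[[str, Dict[str, str]], Response]) -> Dict[str, object]:
    """Fetch url once per profile; flag it if any profile diverges from the no-referer baseline."""
    seen = {name: fingerprint(fetch(url, dict(hdrs))) for name, hdrs in REFERER_PROFILES.items()}
    divergent = {n: fp for n, fp in seen.items() if fp != seen["none"]}
    return {"cloaked": bool(divergent), "baseline": seen["none"], "divergent": divergent}

def http_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Real fetch with redirects disabled, so a 302 to the payload host stays visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as r:
            return r.status, dict(r.headers), r.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()

def simulated_hacked_page(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for the hacked page's behaviour: only Google searchers get the redirect."""
    ref = headers.get("Referer", "")
    if ref.startswith("https://www.google.com/search?") and "q=" in ref:
        return 302, {"Location": "http://fake-av.example.invalid/"}, b""
    return 200, {"Content-Type": "text/html"}, b"<html>didi index indicator</html>"

if __name__ == "__main__":
    print(detect_cloaking("http://hacked.example.invalid/didi.html", simulated_hacked_page))
```

A page that answers identically under every profile is not proven clean (cloaking can also key on User-Agent or client IP), but a divergent Location header pointing off-site is exactly the signal the post describes.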
An unknown hacked site
Google did not, at the time this blog was published, flag the second domain, sitnprettyphoto.com.
Domain is safe according to Google
It may not take long for Google to flag this domain. Since I don’t know when the website was hacked, I’m not able to measure Google’s response time to scan and flag it correctly.
What is Google doing with its data?
While it is not surprising that Google does not flag all hacked websites immediately, it is very concerning that they keep bad websites in their index. They know consultenet.com is used to spread malware, yet they still display dangerous links to this domain in their search results! Protecting users should be their number one priority. I personally would prefer that they erroneously blacklist some websites temporarily, rather than keeping known bad websites in their search results - even showing them in the top 10 results!