Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

New Firefox Addon to Protect Against Malicious Spam SEO

July 30, 2010 - 4 min read

There are currently no ultimate solutions for end-users to protect themselves against fake AV pages, fake videos and other malicious spam SEO: antivirus have a low detection rate, denylist (such as Google Safe Browsing) lag behind the creation of new malicious domains.

In a previous post, I pointed out the vast majority of malicious spam SEO sites check the referrer string of the visitor. If this string does not include bing.com, yahoo.com or google.com, the user is not redirected to a malicious page.

We are releasing a Firefox add-on that uses this trick to protect Firefox users against most spam SEO threats, including fake AV and fake Video pages. This plugin works with Firefox 3.x. Click on the image below to install it. It is called "Search Engine Security".

Install Search Engine Security add-on for Firefox 3.x


Search Engine Security add-on installed

How it works

This Firefox add-on handles Bing, Yahoo and Google search engines, in all languages. Normally, if a user clicks on a link within search engine results, the HTTP request to the external site contains a Referrer string from the search engine within the HTTP header. For example, if a user searches for "this is a test" in Google, any request to a search result will include the following Referrer:




Referer: http://www.google.com?q=this+is+a+test&hl=en&safe=active

For these requests, the add-on changes the Referrer header to a different value. This means that the requested page does not know that a given request came from a Google, Yahoo or Bing search. This is critical as malicious SEO pages only deliver malicious content (fake AV, Flash/Java updates, codecs, etc.) when requests come from the SEO results. Changing the Referer header breaks the attack.

The add-on does not change the referrer if you navigate within the same site (for example, inside google.com), or if your Referrer does not include a Bing, Yahoo or Google domain.






Install Search Engine Security add-on for Firefox 3.x



You can customize the behavior of the Search Engine Security add-on. In the preferences menu, you can change the following values:







Search Engine Security preferences





Select the search engines for which you wish to enable protection.

- Use Referer header

Choose the Referer value to use for overriding the Google/Bing/Yahoo Referer. You can use an empty value, but it is recommended that you use a valid URL.

- Modify User-Agent (NEW in 1.0.8)

Most spam pages look at the Referrer value to decide whether or not to redirect users to a malicious page. However, in some cases like the Hot Video pages, only the User-Agent value is used. One common check is to look for "slurp" in the user-agent string to flag the request as coming form the Yahoo crawler. If you check the "Modify User-Agent" checkbox in the options, the string "slurp" is added to the User-Agent header when you leave Google/Bing/Yahoo in addition to overriding the Referrer header.

This option provides additional protection against malicious spam SEO.


Some websites display a different page if you come from a search engine. When you use this add-on, the websites can no longer detect that you come from Google/Yahoo/Bing. If you are sure that a website is safe, you can add it to the allowlist. This will disable the add-on for this website.

If the URL matches any of the elements in the allowlist, the add-on does not change the Referer value. This is a string match and the match occurs if the URL includes one element of the allowlist. For example, http://www.expert-exchange.com/ can be allowed by adding:


  • http://www.expert-exchange.com/ (also matches http://www.expert-exchange.com/foo)
  • expert-exchange.com/ (matches any subdomain)
  • expert-exchange. (matches the domains expert-exchange.net, expert-exchange.org, and paths like http://example.com/expert-exchange.html/)
  • etc.

Notification (NEW in 1.0.4)

A notification is shown on Bing, Yahoo, and Google to let users know whether the SES protection is enabled for this search engine. The notification is shown under the search input.





Search Engine Security notification in Google search



Search Engine Security notification in Bing search


If you find any problem with this add-on, please let me know at [email protected].




Install Search Engine Security add-on for Firefox 3.x

-- Julien



form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.