There are currently no ultimate solutions for end-users to protect themselves against fake AV pages, fake videos and other malicious spam SEO: antivirus have a low detection rate, denylist (such as Google Safe Browsing) lag behind the creation of new malicious domains.
In a previous post, I pointed out the vast majority of malicious spam SEO sites check the referrer string of the visitor. If this string does not include bing.com, yahoo.com or google.com, the user is not redirected to a malicious page.
We are releasing a Firefox add-on that uses this trick to protect Firefox users against most spam SEO threats, including fake AV and fake Video pages. This plugin works with Firefox 3.x. Click on the image below to install it. It is called "Search Engine Security".
|Search Engine Security add-on installed|
How it works
This Firefox add-on handles Bing, Yahoo and Google search engines, in all languages. Normally, if a user clicks on a link within search engine results, the HTTP request to the external site contains a Referrer string from the search engine within the HTTP header. For example, if a user searches for "this is a test" in Google, any request to a search result will include the following Referrer:
For these requests, the add-on changes the Referrer header to a different value. This means that the requested page does not know that a given request came from a Google, Yahoo or Bing search. This is critical as malicious SEO pages only deliver malicious content (fake AV, Flash/Java updates, codecs, etc.) when requests come from the SEO results. Changing the Referer header breaks the attack.
The add-on does not change the referrer if you navigate within the same site (for example, inside google.com), or if your Referrer does not include a Bing, Yahoo or Google domain.
You can customize the behavior of the Search Engine Security add-on. In the preferences menu, you can change the following values:
|Search Engine Security preferences|
Select the search engines for which you wish to enable protection.
- Use Referer header
Choose the Referer value to use for overriding the Google/Bing/Yahoo Referer. You can use an empty value, but it is recommended that you use a valid URL.
- Modify User-Agent (NEW in 1.0.8)
Most spam pages look at the Referrer value to decide whether or not to redirect users to a malicious page. However, in some cases like the Hot Video pages, only the User-Agent value is used. One common check is to look for "slurp" in the user-agent string to flag the request as coming form the Yahoo crawler. If you check the "Modify User-Agent" checkbox in the options, the string "slurp" is added to the User-Agent header when you leave Google/Bing/Yahoo in addition to overriding the Referrer header.
This option provides additional protection against malicious spam SEO.
Some websites display a different page if you come from a search engine. When you use this add-on, the websites can no longer detect that you come from Google/Yahoo/Bing. If you are sure that a website is safe, you can add it to the allowlist. This will disable the add-on for this website.
If the URL matches any of the elements in the allowlist, the add-on does not change the Referer value. This is a string match and the match occurs if the URL includes one element of the allowlist. For example, http://www.expert-exchange.com/ can be allowed by adding:
- http://www.expert-exchange.com/ (also matches http://www.expert-exchange.com/foo)
- expert-exchange.com/ (matches any subdomain)
- expert-exchange. (matches the domains expert-exchange.net, expert-exchange.org, and paths like http://example.com/expert-exchange.html/)
Notification (NEW in 1.0.4)
A notification is shown on Bing, Yahoo, and Google to let users know whether the SES protection is enabled for this search engine. The notification is shown under the search input.
|Search Engine Security notification in Google search|
|Search Engine Security notification in Bing search|
If you find any problem with this add-on, please let me know at [email protected].