Security Experts:

How Attackers Use Search Engines and How You Can Fight Back!

We’re seeing a fast-growing trend in the hacking community that, sadly, many aren’t noticing: search engines can be turned into tools for attackers in numerous ways. What can businesses do to fight back?

The Basics: Exploiting Hot Topics

Hackers Use Google as ToolTrending topics lay the attack foundation. By knowing what peaks the interest of the majority, hackers increase the pool of potential victims. Upon the first signal of headline breaking news, hackers urge users to click on links or download software that promises exclusive details. Eager users click on the links unaware they are entering attacker-controlled websites. With Google+ being a recent trending topic, Facebook users fell victim to scams promising invites to the new social network. Time is of essence when it comes to trends, as we saw this soon after Bin Laden’s death. One hacker, who advertised his malware for sale in hacker forums, wrote: “5/1/2011 – This is one of those rare opportunities that can build you a great list and a couple of zeros in your profit. Use it while the news of Bin Laden killed by US forces is hot”.

The Information-Digger’s Trove Chest: Google Hacking

It’s not just consumers that should be wary of hackers using search engines to drive their malware-- businesses should also be concerned. Hackers are using the search engines to find sensitive information unintentionally left on public servers. Google Hacking is a term coined by security expert Johnny Long, who first realized the potential of using search engines to dig up sensitive information. Although the name picks on Google, this attack pertains to all search engines. You can guarantee that today’s sophisticated search engines will index anything exposed to the Web, including that data which contains sensitive customer information, business plans or employee data. Time and again we hear how a company had to notify their customer base after some simple Jane alerted them her social security number came up via a Google search.

Fortunately, there are a few things companies can do to help protect themselves against Google hacking:

• Block requests susceptible to leakage – Blocking search engine’s request that contain a path known to contain sensitive files, such as non-public folder names (for example ‘/etc’).

• Block responses susceptible to leakage – Blocking responses to the search engine that hints at sensitive information such as patterns of credit card numbers.

• Detect sensitive data on the Web – periodically check Google to see whether sensitive information has leaked to the Internet. Although this will not prevent Google Hacking, this is a recommended step.

SQL Injection Meets the Search Engines

Google Hacking is not just used to uncover sensitive data. With fine-tuned queries, it can also be used to find applications vulnerable to different Web attacks, such as SQL Injection. With SQL Injection, hackers can compromise websites and have them deliver malware. Combine this type of attack with the power of Google Hacking, and you get SQL Injection 2.0 - hundreds of thousands of websites compromised within a day to serve malware. We’ve seen a spate of these kinds of SQL injection campaigns in the past couple of years, most recently in the headline-grabbing Lizamoon attack.

However, companies can help prevent this type of attack by:

Blocking SQL Injection attacks – this is a basic part of any proper Web application security control. Any request containing the footprint of a SQL Injection attack should be immediately blocked.

Blocking the attacker before the attack – Today’s SQL Injection attacks rely on automation whereas a number of notorious sources engage in the attack. When a request originates from such a source it should be immediately blocked. Another way to detect an automated attack is by checking the signature of the request for tell-tale attack campaign signs and blocking those that do. For example, the Lizamoon attack requests carried out a unique signature which allowed its identification.

Marketing Goes Awry: BlackHat Search Engine Optimization

Any marketing specialist will tell you that a high search ranking is a mandatory ingredient for success in today’s business world. They’ll discuss the internals and intricacies of Search Engine Optimization (SEO) – the set of techniques used by site operators to gain high rankings for their pages with respect to a selected set of search terms. Hackers have taken this one step further and have branded the term “BlackHat SEO”: abusing the search engines’ ranking algorithms in order to promote pages infected with malware or spam via the search engines. To begin with, the attacker -controlled server is usually a legitimate compromised site with a high ranking and good reputation. But, the hacker employs further techniques to achieve the high ranking. For example, by inserting keywords relating to the trending topic in the compromised site to further raise the site’s ranking. This was how Microsoft’s Safety and Security Center recently fell victim to this scheme. Other techniques include inserting links referencing the attacker’s sites in online forums and discussion groups. The attacker may even inject invisible cross-links between multiple popular compromised sites to raise ranking.

How can an organization avoid the Blackhat SEO scam?

Protect applications against code injection – A Web application security control should look out for attempts to inject nefarious code. Particular care should consider attacks such as SQL Injection, Remote File Include and Persistent Cross-Site Scripting.

Automation detection – A successful Blackhat SEO campaign requires a high degree of automation in order to generate thousands of links and cross-links over a multitude of compromised applications. As a result, mechanisms to detect abusive automation should be deployed.

Detect outgoing suspicious traffic – In order to identify that a Web application has been compromised, a mechanism should recognize whether outgoing Web application traffic contains links that are part of a recent Blackhat SEO campaign.

Hacking ToolsSearch Engine Poisoning – The Next SQL Injection 2.0?

With Search Engine Poisoning (SEP), the attackers manipulate search engines to display search results that contain references to malware-delivering websites. This technique differs from Blackhat SEO since it does not require the attacker to take over, or break into any of the servers involved in the scheme. This is how it works: As a first step, the attacker sets up the server that delivers malware. In the second step, it uses Google Hacking to search for high-ranking Web applications vulnerable to Cross-Site Scripting (XSS). In the third step, the hacker modifies the URLs to include the XSS code as well as keywords relating to trending topics. Finally, the hacker posts these newly crafted URLs to hundreds of Web forums and discussion groups. The attack layout is completed when the search engine indexes these newly crafted URLs. Coupled with the popularity of the infected websites, these URLs achieve a high ranking as they are associated with the popular keywords. When a victim searches for the popular search term, the URL for the legitimate website is returned. However, clicking on it will automatically redirect the user to the attacker-controlled site due to the injected XSS code.

Part in a Cybercrime Series - Read Noa's Other Featured Columns Here

This type of attack is on the rise. BlueCoat’s 2011 Mid-Year Security Report reports that SEP is the number one Web threat delivering method. While at my employer’s lab we witnessed such SEP campaigns in the wild.

How does an organization prevent itself from becoming the mediator between the search engine and the attacker’s malicious site?

Prevent against Cross-Site Scripting (XSS) – Put simply, most SEP campaigns rely on redirecting users through XSS code. Blocking XSS attacks will prevent these sites from playing a role in the hacker’s grander scheme.

Next Column

While hackers are using search engines as a conduit for their attacks, I am going to use search engines to navigate my way to Blackhat on August 3rd. With this being a large security conference, should casinos be worried? Stay tuned as I discuss what the latest cyber-threats facing casinos!

view counter
Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists with previous columns focusing on trends in the threat landscape. Her current interest lie on the business-side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.