back to article Search engine results increasingly poisoned with malicious links

Malware threats in search results are getting worse despite the best efforts of Google and other vendors. The number of infected results has been increasing year by year since 2013 despite the application of multiple tools and technologies designed to exclude dodgy links, according to a study by independent anti-virus testing …

  1. Cirdan
    Devil

    If I visited dodgy sites...

    ... or were overly concerned, I'd browse from a desktop computer with no permanent storage (other than BIOS) and booted from live BSD CD/DVD.

    That should do the job for the hardware.

    The trick then is that the wetware needs to be sure NOT to enter any personal data.

    Thoughts from the hot tub...

    ...Cirdan...

    (Icon as a placeholder for the BSD daemon)

    1. Anonymous Coward
      Anonymous Coward

      Re: If I visited dodgy sites...

      Then you find out that the malware is capable of infecting hardware, persisting across reboots, infecting other machines on your network AND escaping VMs to attack machines there. Then what?

      1. chivo243 Silver badge
        Mushroom

        Re: If I visited dodgy sites...

        pull the plug, nuke from orbit, for real!

        explosion icon just for effect!

      2. Doctor Syntax Silver badge

        Re: If I visited dodgy sites...

        "Then you find out that the malware is capable of infecting hardware, persisting across reboots, infecting other machines on your network AND escaping VMs to attack machines there."

        Do you?

        Citation needed. Citation should specifically address BSD as the live OS as that was specified by the OP.

      3. Palpy

        RE: malware capable of --

        -- attacking, say, VMs running in instances of read-only Linux which could compromise hardware would:

        1. Require the attackers to do a lot of time-consuming development on hypervisor attacks, Linux vulnerabilities, and low-level hardware coding,

        2. Result in access to a few tens of thousands of PCs worldwide.

        In other words, a lot of damned dev work for a truly tiny return on investment.

        IMHO, security is never about absolutes. It's about the odds. Don't bet money when you draw to an inside straight and don't walk through Hyde Park after midnight carrying a manpurse of cash, because the odds won't ride with you. Do browse using VMs and Linux, because the odds are that very few if any attacks are being written to exploit those combinations of platforms.

        Just my own malformed opinion, of course.

        1. Charles 9 Silver badge

          Re: RE: malware capable of --

          "1. Require the attackers to do a lot of time-consuming development on hypervisor attacks, Linux vulnerabilities, and low-level hardware coding,

          2. Result in access to a few tens of thousands of PCs worldwide."

          1. Only need to do it ONCE. Then anyone else can copycat. Perhaps state-level hackware can be copied.

          2. High-value targets. If they're behind this much lock and key, they're likely to have secrets.

    2. Pen-y-gors Silver badge

      Re: If I visited dodgy sites...

      The impression I get is that it's not a problem of dodgy sites. All sorts of 'respectable' sites seem to get hit, often either through malware 3rd party ads (Marks and Sparks?), or hacking of Wordpress (and other) sites (Jamie Oliver?).

      At least one report has suggested that 'dodgy' (read 'smutty') sites are often actually safer - they have a serious vested interest in keeping you happy so you'll come back and give them more money.

      1. Hans Neeson-Bumpsadese Silver badge

        Re: If I visited dodgy sites...

        At least one report has suggested that 'dodgy' (read 'smutty') sites are often actually safer - they have a serious vested interest in keeping you happy so you'll come back and give them more money.

        Sites where the customer comes first

        1. Anonymous Coward
          Joke

          Re: If I visited dodgy sites...

          rated 10/10 for customer satisfaction

    3. tr1ck5t3r

      Re: If I visited dodgy sites...

      Considering how easy it is to spin up a website nowadays, and considering this TED talk warning people of their filter bubble from March 2011 https://www.ted.com/talks/eli_pariser_beware_online_filter_bubbles and considering the level of surveillance there is when you combine the advert tracking which deliver viruses & other malicious software often zero day types, you really dont know what are dodgy sites now a days.

      Some of the things I've caught is the TalkTalk tv box trying to access windows 7 desktop, and sites like DailyMail.co.uk & Akamai networks being blocked by Snort for the data they have been delivering. If it wasnt for the vlans & firewall setup I've had at home I wouldnt have caught this stuff. Attacking home devices to gain access to work networks is a valid attack vector especially if you provide support to other companies is not beyond the realms of possibility.

      Even running from a Linux live CD, I recently heard a laptop emitting a funny noise similar to the old dialup modem handshake which wouldnt have been picked up in a room with normal noise levels, but would have been picked up by microphones in nearby devices.

      In fact one hack I discovered last night, appears to target CD roms, causing it to not read from genuine media but does boot from fake media printed to look like Dell Windows CD's. The fake Dell CD's will install on any non Dell computer, the genuine Dell media will not install on non-Dell devices. If you do a diagnostic on the Dell optical drive it throws an errorcode 0152 incorrect status 1A Error Registration 0020h but only when you run diagnostics on the device. Thats your only clue.

      Bottom line is, you cant trust any of your tech and unless you log everything and have disposable servers handling your encrypted internet traffic for things like email servers or serving webpages, and then pull that back to your internal main servers unencrypted whilst logging it and acket inspect it, you have zero chance of spotting some hacks considering the resources some entities have.

      1. Captain Badmouth

        Re: If I visited dodgy sites...

        "The fake Dell CD's will install on any non Dell computer" ... etc.

        Got a link to this hack news?

  2. nuked
    Holmes

    "81 million websites turned up 29,632 infected web pages"

    Didn't look hard enough.

    1. Sir Awesome

      Re: "81 million websites turned up 29,632 infected web pages"

      I agree - I'm in IT support, and part of my work is having to assume remote control of computers. Direct them to logmein123.com, they fail half the time (all users are not created equally) and end up on malicious sites, most of the time found in Google's own search results, and I've even had a user get two separate dodgy infections in the course of me trying to direct them to the correct website.

      There is so much more that could be done but I suspect Google enjoys the ad revenue.

    2. Anonymous Coward
      Anonymous Coward

      Re: "81 million websites turned up 29,632 infected web pages"

      Or just lied about looking.

      or...

      Just lied.

  3. brotherelf
    Coat

    "looking at location or IP"

    I would be fully unsurprised if Browser-producing Seach-Engine-Owning companies were to announce they want to use users' internet connections to crawl pages every now and then, to prevent just that. Democrasearch 2.0 (TM), too bad it's too late to hype this with "peer-to-peer", we need to involve the blockchain somehow.

    1. Charles 9 Silver badge

      Re: "looking at location or IP"

      Both peer-to-peer and blockchain have data costs, and many users have low data caps, meaning they'll end paying more for less. That's why I had to give up on freenet and bitcoin.

  4. heyrick Silver badge

    It's as if they don't care any more

    A site directed me to something via an AdFly link. Avast! freaked out and caught two attempts to push malware at me. I had granted AdFly script permissions as it doesn't work otherwise. Great. I will run the next attempt with web console open, see if I can figure out how to get at the link directly.

    Cue an article by Andrew on advertisers pissing and moaning about how nobody likes them...

  5. well meaning but ultimately self defeating

    1337 alerts?

    Seriously folks - are you extracting the urea?

    On a more relevant note - how many times as many web pages are there in 2016 vs 2013?

    1. Anonymous Coward
      Anonymous Coward

      Re: 1337 alerts?

      haha. I noticed that too. $CR1P+ K1DD13Z R3J01C3!!!

      > how many times as many web pages are there in 2016 vs 2013?

      A) define "web pages" - URIs serving useless crap don't really count

      B) probably less; everyone's moving to apps, right? ;)

  6. Doctor Syntax Silver badge

    "It could be the ads on the website that have been flagged as suspicious by us and that changes every time you access the site," Morgenstern explained. "Or the website is delivering different content randomly or it does so by checking the user agent or location of the user.

    Having found a suspicious link they didn't test further?

    1. Charles 9 Silver badge

      I don't know if there's a way TO test it further without getting all expensive. The poisoned links are basically turning Turing Tests against us: only opening up when it detects an unguarded (not protected by something like a VM or honeypot) human coming to visit.

  7. ecofeco Silver badge

    SEO is a farce

    There is so much gaming on that we are back to having to go the second or third page of results to get what we're looking for.

  8. Duncan Macdonald Silver badge

    NoScript and AdBlock+

    NoScript and AdBlock+ are now essentials for sane use of the internet.

    I do not have Flash in any browser that I use - and as I cannot remove it from Edge I have blocked Edge (and IE and Cortana) from any internet access using the program control feature of Norton Firewall.

    If an ordinary site is unusable with Noscript or AdBlock+ then I remove it from the sites that I visit.

    1. Charles 9 Silver badge

      Re: NoScript and AdBlock+

      "If an ordinary site is unusable with Noscript or AdBlock+ then I remove it from the sites that I visit."

      And if it's the ONE AND ONLY source of something you need? Like your device company's website and the ONLY source for official drivers (it's hard to trust anyone else now since they can inject their copies)?

      1. Anonymous Coward
        Anonymous Coward

        Re: NoScript and AdBlock+

        uMatrix and uBlock Origin nowadays

        The former to block 3rd party content (not just scripts) on a site-by-site basis. The latter because ABP lets Google & pals pay them to be whitelisted.

      2. tr1ck5t3r

        Re: NoScript and AdBlock+

        They still report back to google at least the copies I have here do. Only by setting up your firewall to reject everything and then only allow access to domains of your choosing will you spot this.

  9. Walter Bishop Silver badge
    Linux

    Malware threats in search results are getting worse

    Should have done your browsing from a bootable Linux CD on Linux.

    1. Anonymous Coward
      Anonymous Coward

      Re: Malware threats in search results are getting worse

      Only to find out they're getting wise and attacking BIOS, EFI, and device firmwares which persist across reboots and different OS's.

  10. Aodhhan Bronze badge

    Pretty shotty reporting and research.

    Sure, you can say there are a lot of malicious links, but the study doesn't bring up whether or not they cut off research after the first 2 or 3 pages of links.

    I can do a search on some really simple things and come up with 10,000+ links. Obviously, I'm not going to look at this much, so lets use some granular techniques to bring this number down, and not use all 10,000. Which of course, will cause the number of malicious links on a search way down.

    Common sense, and proper research techniques please.

  11. Hargrove

    Tip of the iceberg

    Now project these problems to the IOT, Cloud Computing, and the amazingly large percentage of the IT community that believe the myth of unlimited bandwidth. It will not end well for anyone.

    The commenters alluding to hardware security measures are on the right track. My understanding is that strong security features still incorporated in microprocessors, but that for commercial profit they are not used. My gut feeling is that information technology, as currently used and being deployed simply cannot be practically secured.

    In simplistic terms, I can't secure things for things that I can't see and over which I have no control.

    Unfortunately, as the following example shows, securing them is my legal responsibility.

    Like a few hundred million or so people on the planet, I connect to the internet through a satellite ISP--that is, to say a metered, connection. (The fact that I had two systems connected through an Ethernet connection is a separate problem in its own right.)

    During the few days or so that Microsoft's Windows 10 Anniversary update and subsequent patches downloaded, we burned through 15 GBytes of data usage, resulting in restricted access and more than doubling our monthly bill.

    Here in italics is the response I got from the ISP.

    . . . it's the customers responsibility for having a secured network and with what the data is used on. We provide plenty of information on our website to help with tips, but when it comes down to it, it's up to the customer how the data is consumed.

    Me: Again, nonsense. When we selected the service and technologies we had the ability to do that.

    Me: Subsequent changes and updates have eliminated the users ability to manage their systems.

    Support Response: It's not nonsense. It's in your customer agreement that you have with [Company Name Deleted] I would suggest reading it at http://www.[deleted].com/legal

    I deleted the company name. In fairness, they shouldn't be singled out for what, as near as I can tell, is a universal practice in the IT sector--Coercing acceptance of unilateral Terms and Conditions that effectively appropriate egregious rights to use of their customers' intellectual property (information) while relieving the IT providers of all legal responsibility for anything.

    The problem is that bandwidth is NOT, wishful thinking to the contrary, unlimited. That's why, if you read the fine print, providers spec data transfer rates in terms of "up to" some limit. In the case of metered connections, the consequences of exceeding limits can be draconian, in dollar costs and in degraded or in some cases, suspended, connectivity.

    The user has to choose between maintaining real-time security and maintaining acceptable service at a reasonable cost. (My ISP does provide an unmetered period, if I am willing to stay up until midnight every night and change the settings on all my devices. I consider that personal cost unreasonable.)

    It is simply impossible to secure an internetworked system under these conditions. Promoting the pretext that it can is irresponsible and dangerous. Saddling the user with the responsibility may be legal, but it is morally reprehensible. The results are likely to be catastrophic.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019