Have you ever clicked on a Google image, only to be directed to a site warning you that your computer is at risk of infection and will be compromised if you don’t click on their brand spanking new antivirus software? Do you click or don’t you? Hopefully you don’t. This is the latest scam being perpetrated by malware manufacturers. They are using innocuous Google images—the ones that happen to be trending at the time—to get users to visit their sites.
The trick is so simple as to be ingenious. The malware creators follow Google Trends to see what images people are searching for, then create pages filled with text and images relating to all the top search terms, lifting many of the images from third-party sites, who are in no way involved with the scam. Then they wait. Inevitably Google will crawl the internet and index the pages in its search engine results, sometimes in less than 24 hours.
According to the SANS Internet Storm Center, once a user clicks on the bad link, the browser sends a request to the page, which causes it to run a script that checks the user’s referrer field. If the user is coming from Google, the browser is then redirected to the site with the fake antivirus information.
Simple and effective, one Russian malware researcher, Dens Sinegubko, called it. “the most efficient black hat trick ever.” That’s hardly reassuring if you are the one being scammed, But it’s certainly effective. Sinegubko claims that the number of visitors referred to fake antivirus sites each day could exceed half a million. Even if you’ve learned not to trust every Nigerian prince that emails you, chances are that you still trust Google to give you safe results.
Google says that it is making, “active efforts to improve both the quality of the results and malware detection,” but declined to state what these may be. That’s probably for the best. Tipping off the malware creators is like tipping off the Pakistanis that you think you’ve found bin Laden. Sure, they’d like to know, but …
Still, it’s hardly reassuring to hear that Google is aware of the problem and that, “we’re working on it.” Fortunately, Mozilla is also taking active measures to protect those using its Firefox browser. An add-on that they’ve developed marks sites known to contain malicious images by placing a conspicuous red frame around them. Sites that are hot-linked (linking directly to images on other sites) are similarly framed with a pink boundary, as if to say, “They may or may not be safe, so click at your own risk.”
It’s not perfect, but it’s a step in the right direction. And if you do happen to be directed to one of those sites despite all your precautions, the best thing you can do is get out of there fast. That means hit CTRL-ALT-DEL and restart your browser. Trying to click your way back to safety isn’t always the safest route to follow.
