
Searches for ‘iPad’ lead to malicious sites

by Larry Magid

Security companies are warning consumers and Web site operators to be wary of iPad-related search scams.

“This is just the kind of opportunity fraudsters like to exploit by poisoning search terms,” said Symantec’s Candid Wueest. Wueest also warned about “iPad-related spam and phishing attacks hitting consumers hard over the coming weeks.”

Don Debolt, CA’s director of threat research, warned about “black hat search optimization,” a scam in which hackers exploit security flaws in blogs and other sites that use the PHP scripting language to embed popular search terms like iPad. The embedded terms trick search engines into directing people to compromised legitimate sites that may have nothing to do with the subject matter at hand. If people click on the link to a page on that infected site, they are then redirected to a malicious site that can implant malware on their machine or tempt them to install a rogue security product.

It has nothing to do with the iPad itself. Similar techniques have exploited other popular searches such as the Haitian earthquake and the death of Michael Jackson. Google has a trends page that shows hot topics and hot searches. On Thursday afternoon, the iPad was represented four times on the Top 10 list. “Obama State of the Union” led the list.

The entire process is automated, said Debolt. “We found that it’s a very systematic and programmatic process right now.” The attackers, he said, are using software to query search engines to find out the popular search topics and then “feeding that information into compromised Web sites so that those compromised sites and the content they put on those sites get indexed by the search engine bots.” To the end user it looks as if those sites have relevant content, but when you click on those pages, you are immediately taken to another site that has the malware.

Debolt warns people to be careful if a search engine points to a site where “the root domain of the URL doesn’t have any type of affiliation to the topic or is not an information portal you’re familiar with.” He warns site operators, especially those with a content management system that uses PHP, including Joomla, WordPress, and Drupal, to be sure they are using the latest version of their Web software.
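A site operator can test one of their own pages for the behavior Debolt describes by comparing what it serves to a search crawler with what it serves to a visitor arriving from a search result. The following is an added example, not code from the column or from CA; it assumes the operator has already fetched the same URL twice (once with a crawler User-Agent, once with a browser User-Agent and a search-engine Referer) into dicts with `status`, `headers` and `body`, and the host names, sample responses and five-word threshold are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Two in-page ways of sending a browser elsewhere, besides an HTTP 3xx.
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)

def redirect_target(resp):
    """Return the URL this response sends the client to, or None."""
    if 300 <= resp["status"] < 400 and resp["headers"].get("Location"):
        return resp["headers"]["Location"]
    for pattern in (META_REFRESH, JS_LOCATION):
        match = pattern.search(resp["body"])
        if match:
            return match.group(1)
    return None

def is_offsite(url, site_host):
    """True when url names a host outside site_host and its subdomains."""
    host = urlparse(url).hostname
    return host is not None and host != site_host and not host.endswith("." + site_host)

def words(body):
    """Lower-cased words of four or more letters in the visible text."""
    return set(re.findall(r"[a-z]{4,}", re.sub(r"<[^>]+>", " ", body).lower()))

def cloaking_findings(crawler, visitor, site_host):
    """Compare one URL as served to a crawler and to a search-referred visitor."""
    findings = []
    v_target, c_target = redirect_target(visitor), redirect_target(crawler)
    if v_target and is_offsite(v_target, site_host) and v_target != c_target:
        findings.append(("visitor-only-offsite-redirect", v_target))
    crawler_only = words(crawler["body"]) - words(visitor["body"])
    if c_target is None and len(crawler_only) >= 5:  # threshold is an assumption
        findings.append(("crawler-only-content", sorted(crawler_only)))
    return findings

# Constructed sample responses (not captured from any real site).
CRAWLER = {"status": 200, "headers": {},
           "body": "<h1>iPad review</h1><p>ipad price release date apple tablet specs</p>"}
VISITOR = {"status": 302, "headers": {"Location": "http://rogue-av.example/scan"}, "body": ""}
CLEAN = {"status": 200, "headers": {}, "body": "<h1>Internet safety tips for families</h1>"}

if __name__ == "__main__":
    print(cloaking_findings(CRAWLER, VISITOR, "blog.example"))
    print(cloaking_findings(CLEAN, CLEAN, "blog.example"))
```

A finding on a page you did not write to behave that way is a reason to inspect the site's templates and plugins for injected code and to update the CMS.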

I have a bit of experience with injected code. I operate a number of WordPress blogs, including SafeKids.com, which a few years ago started serving up Google ads for Viagra and other male enhancement products. These were far from appropriate context-sensitive ads for an Internet safety site, and when I took a look at my site’s code, I discovered that there were hundreds of links and terms that had been injected into my site as a result of a security flaw in my WordPress template. I replaced the template and updated the WordPress software and the problem went away. Now I’m careful to make sure I’m always running the latest version of WordPress.

As usual, people are cautioned to make sure they are using up-to-date security software and that both their operating system and browser are up to date.

This column originally appeared on CNET News.com
