Last month I blogged about auto-generated content farms and the methods I have been using to shut them down. During the past month these spam sites have been busy spreading throughout the internet creating more garbage for me to sift through every time I try to search for something.
I’ve also seen a huge increase in content farms hotlinking to images on my blog. I have continued to report the hacked sites to web hosts, and many of them have been shut down, but it’s not enough to solve the problem.
I decided to do some research on the content farms and try to determine what exactly their purpose was. After a few searches I learned that I was not the only person to notice this growing problem.
I came across a recently posted blog entry by Russian malware researcher Denis Sinegubko. Denis has unraveled the entire scheme behind this problem and he goes into deep technical detail about how the exploit works.
I highly recommend reading through his blog entry for a full explanation of what this problem is all about and how it works.
It’s all about the money
Essentially, the black hats have discovered a simple yet very sophisticated method to fill the Google Images search results with links to sites serving fake antivirus malware.
The fake AV software then tricks unknowing users into buying the fake software.
Here is a very simplified walkthrough of the exploit:
- Black hats use malware to steal FTP credentials for a web server
- A malicious PHP script is uploaded to the compromised server
- GoogleBot discovers the malicious script, which generates keyword-optimized content on the fly
- Using black hat SEO tricks, the compromised sites end up in the Google Images results
- Unsuspecting users click on the malicious Google Images result, which sends them to a fake AV site
Example of Malware in Google Images
After reading through Denis’s post I decided to do some testing on his findings. I found this particular example in my web server logs today.
In the screenshot below you can see what one of these pages looks like. Up top is a bunch of keyword spam the script generated from top Google searches. If you were to scroll down on the page you would see hundreds of images all hotlinked from other sites that relate to the keywords the page is targeting.
I took the first keyword phrase from the example page, “pfsense ftp connection refused”, and searched for it on Google Images. The first result, which I’ve highlighted in red, happens to link to one of the compromised web servers.
Below is what happens when you click on a compromised link (I don’t recommend trying this). Instead of taking you to the image you wanted to see, the malicious script redirects you to a page that tries to install malware on your PC.
As you can imagine, by ranking in the top Google Images results for thousands of different keyword phrases, these malware-infested sites are getting a ton of traffic!
In his post, Denis offers some suggestions for resolving this issue. One of them is that Google should give preference to sites that host images instead of promoting sites with hotlinked content.
I agree that Google needs to make some big changes on their part instead of promoting malware in their search results. In addition to changes on Google’s part I think that webmasters and hosts need to keep a closer eye on their web properties to make sure they are not becoming infected with malware.
Please do yourself and the internet a favor by scanning your workstations and servers for malware. If you have a website, you should check your server logs for activity that could indicate your site has been hacked.
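As an added example (not from the original post or from Denis’s write-up), here is a small Python script that performs the log check suggested above for the hotlinking problem described earlier: it reads Apache/nginx combined-format access log lines and counts image requests whose Referer points to another domain. The combined log format, the `myblog.example` host and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" access log format (assumption: your server writes this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

def is_internal(host, own_hosts):
    """True when the referring host is our own site or one of its subdomains."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in own_hosts)

def hotlink_report(lines, own_hosts):
    """Map each external referring host to the number of images it pulled from us.
    Counts 2xx and 304 responses (both serve the image); skips direct hits with no
    Referer, non-image paths, and lines that are not in the expected format."""
    own_hosts = [h.lower() for h in own_hosts]
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lower()  # drop cache-busting query strings
        status = m.group("status")
        if not path.endswith(IMAGE_EXT) or not (status.startswith("2") or status == "304"):
            continue
        ref = m.group("referer")
        if ref in ("", "-"):
            continue
        host = urlsplit(ref).hostname
        if not host or is_internal(host, own_hosts):
            continue
        counts[host] += 1
    return dict(counts)

# Constructed sample lines; the hosts are placeholders, not real sites.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2011:10:01:02 -0500] "GET /images/pfsense-ftp.png HTTP/1.1" 200 48213 "http://content-farm.invalid/index.php?q=pfsense+ftp+connection+refused" "Mozilla/5.0"
203.0.113.6 - - [10/Feb/2011:10:01:03 -0500] "GET /images/pfsense-ftp.png HTTP/1.1" 200 48213 "http://www.myblog.example/2011/pfsense-ftp/" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2011:10:01:04 -0500] "GET /images/router.jpg?v=2 HTTP/1.1" 200 9120 "http://content-farm.invalid/index.php?q=router" "Mozilla/5.0"
203.0.113.8 - - [10/Feb/2011:10:01:05 -0500] "GET /images/router.jpg HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2011:10:01:06 -0500] "GET /images/router.jpg HTTP/1.1" 304 0 "http://another-farm.invalid/gallery.php" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2011:10:01:07 -0500] "GET /about.html HTTP/1.1" 200 1200 "http://content-farm.invalid/" "Mozilla/5.0"
this line is not in combined log format
"""

if __name__ == "__main__":
    report = hotlink_report(SAMPLE_LOG.splitlines(), ["myblog.example"])
    for host, hits in sorted(report.items(), key=lambda kv: -kv[1]):
        print(f"{hits:5d}  {host}")
```

Run it against your real access log (`hotlink_report(open("access.log"), ["yourdomain"])`) and the hosts at the top of the report are the candidates to report to their hosting providers.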