NEWS FROM THE LAB - Monday, May 23, 2011

Using Google Web Search to Find Compromised Google Images Posted by Sean @ 15:00 GMT

Google Search has a problem.

For several weeks now, Google Image search results have been increasingly tainted by Search Engine Optimization (SEO) poisoning. Numerous sites linked to scareware trojans and exploits via Google Image results are discovered every day. Many of these sites would otherwise be considered as safe but they've been compromised by a hack of some sort.

Google's method of crawling for and ranking images is part of the problem.

This is an example of a poisoned link from Google Image results:

Google Image Search, imgurl, imgrefurl

Notice that imgurl and imgrefurl don't match. The image is "hotlinked". And even though the image is actually hosted on a server at enterupdate.com, Google will display the image preview and site information as though it's from the referring (compromised) site.

But then there are legitimate reasons for displaying the referring site as the "home" of the image. For example, our Safe and Savvy blog is powered by VIP WordPress.com, and its images are hosted on servers belonging to WordPress. If Google didn't consider the referring source of the image and ignored hotlinking (as Bing appears to), this search result wouldn't be very useful.

On the topic of WordPress, the poisoned image of actress Olivia Wilde, from the example above, is embedded in an html page located within a folder called wp-images. The compromised site is a WordPress.org blog.


Here's a selection of the olivia-wilde-twitter.html page:


As you can see, the text is complete gibberish. All of the page's hyperlinks connect to additional pages located on the same site, and all of the images are hotlinked and are loaded from external sources.

The html also includes a section focused on topics that have been more or less directly pulled from Google Trends.

All of this investigation brings us to a useful Google Web search that can be used to locate compromised sites. Searching for inurl:wp-images and a currently "trending topic" yields plenty of results that attempt an SEO attack.

Needless to say, we don't recommend such a search unless you're doing so from a research network. (And then you should also use Google SSL as the poisoned SEO sites will only attack if visited from http://www.google.com.)