Not what I wanted to see (Image: Andrea Schoenrock/Plainpicture)

Hijacking your Google image searches is just the latest ploy by fraudsters

All Pedro Bueno did was run a regular Google search for “iPhone with antenna” while trying to fix the Wi-Fi on his wife’s cellphone. Moments later he was yet another victim of “search engine poisoning” – the latest battleground in the ongoing war between cybercriminals and Google.

The Google results page offered Bueno several image hits as well as the regular results. “I decided to see one of the pictures and clicked on it. It then started to load and suddenly I was redirected to another page,” he wrote in a posting on the Internet Storm Center website, a volunteer group that monitors computer crime.


Claiming to be an antivirus program from the non-existent “Apple Security Center”, this web page displayed a list of files that were supposedly trojans, spyware and other malware hidden on his computer. In fact, he had been sent to a fake antivirus website. At this point, the user may be tricked into paying for unnecessary antivirus protection or a virus is downloaded onto the unwitting user’s computer. If you’re unlucky and unwary, both.

Search engine poisoning is booming. Internet security firm Trend Micro estimates that in May 2011, more than 113 million users were redirected to malicious pages due to search engine poisoning. Hijacking image searches rather than text-based web searches is the fraudsters’ latest twist on a popular scam.

“It’s an arms race,” says Christian Platzer of the cybersecurity lab at the Technical University of Vienna, Austria. Hackers write code to fool search engines into giving bogus results, and search-engine companies fight back by writing code to block their scams.

These scams are “pretty much automated”, says Bojan Zdrnja, a computer security specialist in Croatia. It works like this: hackers gain access to legitimate websites and install programs which monitor Google Trends for hot keywords – words relating to any major news story, for example. The program then searches for content – including images – related to the hot topics and uses that material to automatically generate new web content of its own. Often they will hack a legitimate site that Google’s software bots rate as credible and simply add their own content. This is not normally visible on the site, nor does the owner know about it.

As Google’s bots crawl through the web, the malicious program identifies them and feeds them the automatically generated content from these faked web pages. Because everything on the page is specifically chosen to relate to that topic – be it Amy Winehouse’s death or the shootings in Norway – the fake web page and the “poisoned” image quickly appear near the top of the relevant search results.

Next, the user clicks on the thumbnail of the photo they want and the user’s browser requests the page the image originated from. The attacker’s program redirects the user to a fake antivirus website – putting them at risk.
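The behaviour described above, in which a compromised site shows one page to Google’s crawler and bounces visitors arriving from Image Search to a fake antivirus page, is detectable by a site owner who compares what the same URL returns to different visitors. The check below is an added example, not code from the article or from the researchers quoted; the fetcher signature, the in-memory “poisoned_site”, the `victim.example` and `fake-av.example` hosts and the similarity threshold are all constructed assumptions so it runs offline.

```python
import difflib
from typing import Callable, Dict, Tuple

# Assumed fetcher signature: (url, user_agent, referer) -> (status, location, body).
# A real check would wrap urllib with redirects disabled; here a constructed
# in-memory "site" stands in so the example runs without network access.
Response = Tuple[int, str, str]
Fetcher = Callable[[str, str, str], Response]

BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
USER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/14.0 Safari/537.36"
IMAGE_REFERER = "https://www.google.com/imgres?q=iphone+with+antenna"
REDIRECTS = (301, 302, 303, 307, 308)

def check_cloaking(url: str, fetch: Fetcher, threshold: float = 0.8) -> Dict[str, object]:
    """Fetch the same URL as Googlebot, as a direct visitor, and as a visitor coming from
    Google Image Search. Flag a redirect served only to search visitors, or a crawler view
    whose text differs sharply (similarity below `threshold`) from the direct visitor view."""
    bot = fetch(url, BOT_UA, "")
    direct = fetch(url, USER_UA, "")
    from_search = fetch(url, USER_UA, IMAGE_REFERER)
    similarity = difflib.SequenceMatcher(None, bot[2], direct[2]).ratio()
    referer_redirect = from_search[0] in REDIRECTS and bot[0] == 200
    return {
        "bot_vs_direct_similarity": round(similarity, 2),
        "redirects_search_visitors": referer_redirect,
        "redirect_target": from_search[1] if referer_redirect else "",
        "suspicious": referer_redirect or similarity < threshold,
    }

# Constructed behaviour of a poisoned site: keyword-stuffed page for the crawler,
# a redirect to a fake-antivirus page for visitors arriving from Google Image Search.
def poisoned_site(url: str, user_agent: str, referer: str) -> Response:
    if "Googlebot" in user_agent:
        return (200, "", "<h1>iphone with antenna</h1>" + "<p>iphone antenna fix wifi</p>" * 20)
    if "google.com/imgres" in referer:
        return (302, "http://fake-av.example/scan.php", "")
    return (200, "", "<h1>Welcome to our blog</h1><p>Nothing to see.</p>")

# Constructed behaviour of a clean site: the same page for everyone.
def clean_site(url: str, user_agent: str, referer: str) -> Response:
    return (200, "", "<h1>Welcome to our blog</h1><p>Nothing to see.</p>")

if __name__ == "__main__":
    print(check_cloaking("http://victim.example/photo.html", poisoned_site))
    print(check_cloaking("http://victim.example/photo.html", clean_site))
```

A real deployment would add a check with the referer but a crawler user agent, since some cloaking keys on the IP range rather than the headers, and would follow the redirect chain only inside an isolated fetcher.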

“Google has done a pretty good job with standard searches,” says Zdrnja, by detecting malware and warning users of potentially harmful pages. Blocking poisoned images from searches is the next challenge. A Google spokeswoman said: “We have cut down on the bad Image Search links by over 90 per cent since their peak at the start of May.”