Search Engine Results Poisoned by Phony Listings

An Educational Article from TraceSecurity
Copyright 2010, TraceSecurity, Inc.

Over a span of 18 months, TraceSecurity co-founder and CTO Jim Stickley applied his experience in exploiting security flaws to show how easily search engine listings can be poisoned by a malicious scheme. The Credit Union of Southern California partnered in the experiment and allowed Stickley to mimic its website.1

Ray Rounds, Senior VP of Information Services for the credit union, agreed to participate in the study. "We were interested to know if a search engine would actually index a false web domain and if so, how difficult would it be for that domain to rise significantly over time in the search rankings." Rounds says that while it is much easier to educate people about the hazards of clicking on links emailed from an unknown party, "it is difficult to teach them about the dangers involved with blindly trusting the search results will always be accurate."

The scope of the study involved mimicking the website of a real credit union on a "spoofed" domain to discover if search engines could be manipulated into linking to the fake website when someone performed a search for information about the real credit union. In addition to discovering the extent to which search engines could be manipulated by fraudulent websites, the credit union also wanted to find out if any of their visitors would be tricked into connecting to the fake site.

"Most people depend on search engines such as Google, Yahoo and Bing to guide them to the web sites they are looking for," said Stickley. "In this study we wanted to see if people would notice that our test domains were fake and not really part of the Credit Union of Southern California."

The results of the study show that con artists can use a search engine's own indexing methods to rank fraudulent websites near the top of the search results, sometimes even outranking the link to the legitimate site.

According to Stickley, it's easier than you might think. "I have to admit that I was surprised how easy it was to set this up and the fact that we had so many hits from actual people is simply amazing. It's clear that people really do trust search engines implicitly."

Stickley has a lot of experience identifying and exploiting new security vulnerabilities. Over the past 15 years he has physically robbed over 1,000 financial institution locations. He has also hacked into many of the major online banking applications, giving him access to millions of online user accounts, and has been involved in thousands of security assessments and penetration tests for financial institutions. In addition, he has been responsible for finding major security flaws in security devices such as firewalls and PKI servers, has written a book about identity theft entitled "The Truth About Identity Theft", has traveled the world speaking on security-related topics, and continually educates the public about security risks through segments on NBC's Today Show and other television programs.

 

Establishing His Domain

One of the first steps in poisoning the search engines was to set up two domains that looked similar to the Credit Union of Southern California's actual domain name, CUSOCAL.ORG. The credit union registered CUOFSOCAL.ORG and CREDITUNIONOFSC.ORG and kept the registrant contact information out of public view. Both fake domains were then pointed at a web server hosted on the TraceSecurity network. Using the same methods con artists use in real life, Stickley literally copied and pasted the code from the Credit Union of Southern California's website into the pages of his fake websites.

"Many companies don't realize how easy it is for someone with even minimal knowledge of web design to create a duplicate of their entire site, complete with images, text, videos…absolutely everything," explained Stickley. "The tools to do this are readily available to anyone with a web browser."

Using only basic web development software, Stickley recreated an exact copy of the credit union's website, a "spoof" website, and uploaded it to the web server under his control. For the purposes of the experiment, it was necessary to make a few minor changes to the code. These changes gave the fake site the ability to log the IP address of the user connecting to the page, the browser type, and the referring page showing where the user had come from. Unlike an actual maliciously spoofed site, Stickley's page was designed so that all traffic was redirected on to the Credit Union of Southern California's actual domain once that basic data was collected. The entire experiment was therefore transparent to any unwary user: they would move along without knowing that they had been duped.
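The mechanism described above, recording the visitor's IP address, browser type and referring page and then forwarding them to the real site, is also exactly what an institution wants on a lookalike domain it has registered defensively (footnote 2 notes the test domains were later re-routed back to the credit union). The following is an added example written for this article, not code from the study or from TraceSecurity. It is a small WSGI application; the canonical host name, the bot markers and the sample request are assumptions constructed for the example.

```python
"""Logging redirector for a defensively registered lookalike domain.

Added example, not code from the study. It records the same three fields
the test site logged (client IP, browser type, referring page) and then
forwards the visitor to the canonical domain with an HTTP 302, so the
visit is transparent to them. The request below is constructed.
"""
import json
import time
from urllib.parse import quote

# Assumed: the canonical site to forward to (the article's real domain).
CANONICAL_HOST = "www.cusocal.org"

# Footnote 3 excludes crawler traffic; flag it by User-Agent so reports can too.
BOT_MARKERS = ("bot", "spider", "crawler", "slurp")


def is_bot(user_agent):
    """Crude crawler check: good enough to separate spiders from people."""
    ua = (user_agent or "").lower()
    return any(marker in ua for marker in BOT_MARKERS)


def build_record(environ):
    """One log record per hit: the study's fields plus host/path/time."""
    # REMOTE_ADDR is the TCP peer. Do not trust X-Forwarded-For unless a
    # proxy you control sets it; clients can send that header themselves.
    agent = environ.get("HTTP_USER_AGENT", "")
    return {
        "ts": int(time.time()),
        "ip": environ.get("REMOTE_ADDR", "-"),
        "user_agent": agent or "-",
        "referer": environ.get("HTTP_REFERER", "-") or "-",
        "host": environ.get("HTTP_HOST", "-"),
        "path": environ.get("PATH_INFO", "/") or "/",
        "bot": is_bot(agent),
    }


def redirect_target(environ):
    """Keep path and query so deep links land on the matching real page."""
    path = quote(environ.get("PATH_INFO", "/") or "/")
    query = environ.get("QUERY_STRING", "")
    url = "https://%s%s" % (CANONICAL_HOST, path)
    return url + ("?" + query if query else "")


def make_app(sink):
    """Build a WSGI app; sink(record) receives each hit's dict."""
    def app(environ, start_response):
        sink(build_record(environ))
        start_response("302 Found", [
            ("Location", redirect_target(environ)),
            ("Cache-Control", "no-store"),   # keep every hit observable
            ("Content-Length", "0"),
        ])
        return [b""]
    return app


def handle(environ, sink):
    """Drive the app for one request; returns (status, headers dict)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    for _ in make_app(sink)(environ, start_response):
        pass
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    hits = []
    # Constructed request: a person arriving from a search results page.
    env = {
        "REMOTE_ADDR": "198.51.100.7", "HTTP_HOST": "cuofsocal.org",
        "PATH_INFO": "/rates", "QUERY_STRING": "type=auto",
        "HTTP_USER_AGENT": "Mozilla/5.0 (Windows NT 5.1)",
        "HTTP_REFERER": "http://search.example/?q=credit+union+of+southern+california",
    }
    print(handle(env, hits.append))
    print(json.dumps(hits[0]))
    # Serve for real with: wsgiref.simple_server.make_server("", 8080,
    #     make_app(lambda r: print(json.dumps(r)))).serve_forever()
```

The redirect carries the path and query string across so that a deep link on a forum still lands on the matching page of the real site, and the Cache-Control header stops browsers from caching the 302 so every visit is recorded.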

 

Controlling the Experiment

Crucial to the overall results of the study was discovering whether a fraudulent website could be found, indexed and referenced by a search engine using only the engine's fundamental capabilities and procedures. Therefore, no direct communication (email, U.S. mail, phone calls) contained any reference or link to the spoofed website. The only method used to propagate the existence of the fake site was posting brief comments about the credit union, each including the credit union's name and a link to Stickley's test site, on 30 public blogs and forums.

Once the links were posted, the study relied entirely on the search engines' own crawling and ranking to take over: their spiders had to find and index the fake website, then discover the external links on the blogs and forums that pointed back to it, so that the site would begin to show up in search results. It is important to point out that the methods employed during this study are not only used by legitimate websites to boost page rankings, but are also the tactics recommended in each search engine's own webmaster documentation.

 

Manipulating the System

In most cases the content of the submission that Stickley posted to a blog or forum was not even relevant to that site; the only goal of each submission was to get the credit union's name and the URL of the fraudulent website onto a page that search engine spiders would crawl. The spider would then follow the link back to the fraudulent website, which, in theory, would prompt the search engine to increase the fake site's overall rank.

 


 
[Image: example of a submission posted to a public blog]


In order to recognize the test website as a valid domain, the spiders first had to crawl the main directory of the site and gather information from the META tags and other content in the base code of the pages. The META tag data, copied from the real site and adjusted in a manner consistent with what a hacker would do, gave the fake site the same type of keywords and descriptions as the real credit union's website, so it appeared to be a legitimate site on the same subject.

The spiders then had to find and index the external links posted to the various blogs and forums that pointed to the test website. Once those links were recognized and added to the search engine's database, the fake website began to build the electronic equivalent of a "good reputation". As far as the search engine was concerned, the test website was not only valid, but existing sites with good reputations of their own were hosting links to it. Therefore, it was logical for the search engine to include a link to the fake website whenever someone searched for information on the real credit union.

Of course, the link to the fake website did not appear near the top of the list overnight. Each search engine has its own method of ranking results, but key factors include the site's reputation, the age of the links pointing to it, and how relevant the site's META data and content are to the search query.
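The reputation mechanism the two paragraphs above describe can be made concrete with a small link-analysis computation. The following is an added illustration written for this article, not the study's code and not the ranking algorithm of any real search engine: it runs the textbook PageRank iteration over a constructed graph shaped like the experiment (a real site with direct inbound links, a fake site linked only from 30 forum pages that already have a few inbound links each, and a page nobody links to). All node counts are assumptions chosen for the illustration.

```python
"""Toy link-reputation model (added example; not any search engine's real algorithm).

Runs the classic PageRank iteration over a constructed graph shaped like
the study: an established site with direct inbound links, a brand-new
fake site that is linked only from 30 forum pages, and a page nobody
links to. It shows why a few links from pages that already have inbound
links of their own lift a new page's score.
"""


def pagerank(links, damping=0.85, iterations=100):
    """links: {page: [pages it links to]}. Returns {page: score}; scores sum to 1."""
    pages = set(links)
    for targets in links.values():
        pages.update(targets)
    graph = {p: list(links.get(p, [])) for p in pages}   # every page gets an entry
    n = len(pages)
    rank = {p: 1.0 / n for p in pages}
    for _ in range(iterations):
        new = {p: (1.0 - damping) / n for p in pages}      # random-jump share
        for src, targets in graph.items():
            if not targets:
                # Dangling page: spread its rank evenly so mass is conserved.
                for p in pages:
                    new[p] += damping * rank[src] / n
            else:
                share = damping * rank[src] / len(targets)
                for t in targets:
                    new[t] += share
        rank = new
    return rank


def build_study_graph(forum_count=30, forum_inlinks=5, real_inlinks=40):
    """Constructed graph; the counts are illustrative, not the study's."""
    links = {"real": [], "fake": [], "orphan": []}
    # Each forum page already has a few inbound links ("good reputation")
    # and carries one planted outbound link to the fake site.
    for i in range(forum_count):
        forum = "forum%d" % i
        links[forum] = ["fake"]
        for j in range(forum_inlinks):
            links["visitor%d_%d" % (i, j)] = [forum]
    # The real site is linked directly by its members' pages.
    for k in range(real_inlinks):
        links["member%d" % k] = ["real"]
    return links


def compare(links=None):
    """Scores for the three pages of interest, as a dict."""
    rank = pagerank(links or build_study_graph())
    return {p: rank[p] for p in ("real", "fake", "orphan")}


if __name__ == "__main__":
    for page, score in sorted(compare().items(), key=lambda kv: -kv[1]):
        print("%-7s %.5f" % (page, score))
```

In this model the fake site ends up above the real one because each forum page passes on not just its own base score but the score it collected from its own inbound links; with the 30 planted links removed, the fake site scores exactly the same as the unlinked page. Real engines weigh many more signals (content relevance, link age, spam heuristics), which is why the three engines in the study ranked the same site so differently.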

 

Alarming Results

Even with only a limited number of phony posts to random blogs and forums to help pass the fake website off as legitimate, the experiment worked the way Stickley thought it would. Not only did the search engines locate and index the fraudulent site soon after the experiment began, they ranked it alongside legitimate links to the credit union's actual site. In many cases, the search listings ranked the phony link at or near the top of the search results.

Stickley says he was "truly surprised" when he saw that his phony website earned the second highest ranking on Yahoo Inc.'s search engine and "a bit concerned" when Microsoft Corp.'s Bing propelled the fake link into the #1 position, outranking even the Credit Union of Southern California's real site. While Google's search engine did return a link to the fake site, it appeared six pages deep into the search results.

"Honestly, I didn't expect the phony link to appear so high in some of the search engine rankings," said Stickley. "But I was really shocked to see that the fake site generated over ten thousand hits from real people."

The results of the study, based on data collected from May 9th, 2008 through November 12, 2009, indicate that Yahoo was the first search engine to return a listing for the fake website, only 1 day into the experiment. Bing listed it 5 days later and Google acknowledged the link within its search results 30 days into the study.2

Information collected during the year-and-a-half experiment shows that 10,568 people connected to the fraudulent site through one of two common methods.3

7,769 people connected to the site with no referring page recorded, that is, by typing the URL into their browser manually. This indicates that the user had either guessed the domain or already learned the domain name from a previous visit. 2,800 individuals connected by clicking a link on a search engine results page or another web page. Of that total, about half had entered a unique search request (presumably for the credit union's real site) at a search engine and followed a link presented in the results.
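The classification in the two paragraphs above (crawler traffic excluded, then humans split into typed-in, search-referred and link-referred visits) is what a web server's access log supports directly. The following is an added example written for this article, not the study's own tooling or data: it parses Apache "combined" log lines, drops crawler hits by User-Agent, and buckets the rest by Referer, pulling the query string out of search-engine referrers. The log lines, the bot markers and the per-engine query parameter names are constructed assumptions for the example.

```python
"""Classify hits to a lookalike domain the way the study's footnote describes.

Added example with constructed data, not the study's logs. Parses Apache
"combined" log lines, drops crawler traffic, and sorts the human hits into:
typed the URL directly (no Referer), arrived from a search engine (with the
search query extracted), or followed a link on some other web page.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Engines named in the article and the query parameter each used (assumed).
SEARCH_ENGINES = {"google": "q", "yahoo": "p", "bing": "q"}
BOT_MARKERS = ("bot", "spider", "crawler", "slurp")

# Constructed sample log: six hits, one of them a crawler.
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2009:08:01:12 -0700] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 5.1)"
198.51.100.8 - - [10/May/2009:08:02:40 -0700] "GET / HTTP/1.1" 302 0 "http://search.yahoo.com/search?p=credit+union+of+southern+california" "Mozilla/5.0"
203.0.113.5 - - [10/May/2009:08:03:01 -0700] "GET / HTTP/1.1" 302 0 "http://www.bing.com/search?q=cu+socal+login" "Mozilla/5.0"
203.0.113.9 - - [10/May/2009:08:03:30 -0700] "GET / HTTP/1.1" 302 0 "http://forum.example.net/thread/123" "Mozilla/5.0"
66.249.65.1 - - [10/May/2009:08:04:00 -0700] "GET /robots.txt HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.7 - - [10/May/2009:09:15:12 -0700] "GET /rates HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 5.1)"
"""


def is_bot(agent):
    """User-Agent heuristic; footnote 3 excluded such hits from the totals."""
    return any(m in agent.lower() for m in BOT_MARKERS)


def search_engine(referer):
    """(engine, query) if the referer is a known engine's results page, else None."""
    parts = urlsplit(referer)
    host = parts.hostname or ""
    for engine, param in SEARCH_ENGINES.items():
        domain = engine + ".com"
        if host == domain or host.endswith("." + domain):
            query = parse_qs(parts.query).get(param, [""])[0]
            return engine, query
    return None


def classify(line):
    """Return (bucket, detail) for one log line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    if is_bot(m["agent"]):
        return "bot", None
    referer = m["referer"]
    # An empty Referer is what a typed-in URL produces, but bookmarks and
    # privacy settings also strip it, so "direct" is an inference, not a fact.
    if referer in ("", "-"):
        return "direct", None
    found = search_engine(referer)
    if found:
        return "search", found
    return "other", urlsplit(referer).hostname


def summarize(log_text):
    """Counts per bucket, plus the search queries and referring hosts seen."""
    counts, queries, hosts = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        bucket, detail = result
        counts[bucket] += 1
        if bucket == "search":
            queries[detail[1]] += 1
        elif bucket == "other":
            hosts[detail] += 1
    return {"counts": counts, "queries": queries, "hosts": hosts}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, dict(value))
```

The extracted queries are the interesting part for a defender: a referrer such as a search for the institution's full name shows that a member looking for the real site was handed the lookalike instead, which is the case the article's "about half" figure describes.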

When asked if any of his credit union's members ever alerted him about the fake website, Ray Rounds simply answered "no." Rounds went on to say that he was "concerned that nobody reported the fake site, because that indicates a general lack of awareness" on the part of the public.

Yahoo did not respond to a request for comment, and previous statements from Microsoft's Bing assured that it is addressing the problem of fraudulent website listings. Jason Morrison, a Google search quality engineer, said that as soon as his team notices these types of scam sites, the Google search engine will adapt. "But it's kind of like a game of Whac-A-Mole…we can't remove every single scam from the Internet. It's just impossible."

Stickley points out that these results should not be used as an indictment of the search engine companies' practices, but rather as a tool to alert the general public and businesses alike to the major risks that exist.

"It is not realistic to expect search engines to eliminate these types of scams," Stickley commented. "There are a lot more bad guys designing new scams than there are good guys fighting them."

 

Conclusions

The joint experiment between the Credit Union of Southern California and Jim Stickley is certainly bound to raise more than just eyebrows. It may well raise an alert to the tens of thousands of businesses in cyberspace that do not currently protect their web reputation…especially credit unions.


Ray Rounds says the results have affirmed his credit union's commitment to not only protect their brand, but also protect where their brand shows up. He says the credit union will continue to educate their Members and staff about how to be safer when surfing the Internet.

Stickley recommends that financial institutions register any domain name that resembles their actual domain, to keep scammers from easily spoofing the site. Rounds agrees, sharing his view that "search results are simply a menu of choices all garnering for attention, and the link that looks most relevant or attractive to the user will usually get clicked." His advice for financial institutions is to regularly search for the institution's name and any close derivative of it, and verify that all the search results point to the legitimate site. All major search companies offer online tools to report fraudulent sites.

Financial institutions should also advise members not to rely strictly on search engine results to reach their website, but to verify that a link is legitimate, especially when clicking a link on a public web page other than a search engine.

"It's easy," explains Stickley. "Just roll your mouse over the link and you will likely see the actual URL show up in the bottom left corner of your browser." Another step would be to compare that URL with the domain the institution has published through a channel other than a search engine, since the study shows that the search results themselves can be poisoned.

Both businesses and consumers can also protect themselves by looking up suspicious domains at www.whois.com, which details when a site was registered and by whom. Note that the test domains in this study had their registrant details suppressed from public view, so a hidden registrant alone proves nothing; a very recent registration date for a domain claiming to be an established institution is the more telling signal.
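The advice in the two paragraphs above (search regularly for close derivatives of the institution's name, and look up suspicious domains) can be turned into a routine check. The following is an added example written for this article, not code from TraceSecurity or the credit union: it generates lookalike candidates for a canonical domain, both simple typo variants and name-fragment combinations of the kind the study registered (CUOFSOCAL.ORG, CREDITUNIONOFSC.ORG from CUSOCAL.ORG), then reports which ones resolve in DNS. The token lists, TLD list and the stand-in resolver used in the demonstration are assumptions constructed for the example.

```python
"""Lookalike-domain sweep (added example, not the study's tooling).

Generates candidate domains that resemble a canonical one and checks which
of them are live. DNS resolution is used as a cheap first pass; a registered
domain that has no DNS records will be missed, so confirm hits (and read the
registration date) with WHOIS or RDAP.
"""
import itertools
import socket

TLDS = ("org", "com", "net", "info", "co")   # assumed set to sweep


def typo_variants(label):
    """Omitted, doubled and transposed characters, plus hyphen insertions."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                 # omitted character
        out.add(label[:i] + label[i] + label[i:])          # doubled character
        if i + 1 < len(label):                             # swapped neighbours
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if i > 0:                                          # hyphen insertion
            out.add(label[:i] + "-" + label[i:])
    out.discard(label)
    return out


def name_variants(parts):
    """parts: list of token alternatives, e.g. [["cu", "creditunion"], ["", "of"], ["socal", "sc"]].

    Every combination is joined into one label; this is how name-based
    lookalikes such as CUOFSOCAL and CREDITUNIONOFSC arise from CUSOCAL.
    """
    return {"".join(combo) for combo in itertools.product(*parts)}


def candidate_domains(canonical, parts=None, tlds=TLDS):
    """All lookalike labels across the TLD list, minus the canonical domain itself."""
    canonical = canonical.lower()
    label, _, _tld = canonical.rpartition(".")
    labels = typo_variants(label) | {label}
    if parts:
        labels |= name_variants(parts)
    domains = {"%s.%s" % (l, t) for l in labels for t in tlds if l}
    domains.discard(canonical)
    return sorted(domains)


def dns_resolver(domain):
    """True if the name resolves. Some TLDs wildcard unregistered names,
    so treat a hit as 'investigate', not 'confirmed registered'."""
    try:
        socket.gethostbyname(domain)
        return True
    except socket.gaierror:
        return False


def sweep(canonical, parts=None, resolver=dns_resolver):
    """Return the candidate domains the resolver reports as live."""
    return [d for d in candidate_domains(canonical, parts) if resolver(d)]


if __name__ == "__main__":
    # Token alternatives for the study's domain (constructed for the example).
    parts = [["cu", "creditunion"], ["", "of"], ["socal", "sc"]]
    # Stand-in resolver so the demo runs offline; swap in dns_resolver for a live sweep.
    live = {"cuofsocal.org", "creditunionofsc.org", "cu-socal.org"}
    print(sweep("cusocal.org", parts, resolver=live.__contains__))
```

Run against the real resolver on a schedule and diff the output from one run to the next: a domain that newly starts resolving is exactly the early warning Rounds is asking for, and the same candidate list can be fed into a search engine's site: and name queries to see which of them are already being indexed.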


 

1-It must be noted that this was a proof-of-concept study only. It was conducted with the help and permission of the Credit Union of Southern California in an effort to gain critical data to be used for educational purposes. At no time was any real data at risk of compromise. The results of this study are intended to caution the general public about the pitfalls of search engines and to enhance the security of all financial institutions and the people that use them.

2-With the release of this study, most search engines have removed the test domains from their results. In addition, the fake domains have now been re-routed back to Credit Union of Southern California.

3-The results are based on human connections only. Any connections initiated to the test website by bots, web crawlers and spiders have been excluded from the data in an effort to provide accurate results based on real-life interaction. The results are based on the date range of May 9th, 2008 through November 12th, 2009.