
May 17th, 2011

Google-images poisoning stats

I think most of you have probably heard about Google-images poisoning, but what is it?

When a user performs a Google Image search, images from an attacker’s page can be shown at a certain position in the results page. The exploit happens when a user clicks on the image. Google displays an iframe to a legitimate site. The browser will then send a request to the page running the attacker’s script. This script checks the referrer and, if it is Google, the script starts new JavaScript. This causes the browser to be redirected to another site that is serving a fake antivirus.
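Because the attacker’s script only acts when the referrer is Google, a site owner can look for it by comparing two responses for the same URL: one requested without a Referer header and one requested with a Google Images referrer. The following is an added example, not code from the original post; the function names, the hosts `site.example` and `fake-av.example`, and both response bodies are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# JavaScript redirects such as: location.href = "http://host/path"
JS_REDIRECT = re.compile(r"""location(?:\.href|\.replace)?\s*[=(]\s*["']([^"']+)""")

class ExternalRefs(HTMLParser):
    """Collect hosts named in script/iframe/img src, meta refresh and JS redirects."""
    def __init__(self):
        super().__init__()
        self.hosts, self._in_script = set(), False

    def _add(self, url):
        host = urlparse(url.strip()).hostname  # None for relative URLs
        if host:
            self.hosts.add(host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img") and a.get("src"):
            self._add(a["src"])
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            if m:
                self._add(m.group(1).strip("'\""))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # only scan inline script bodies
            for url in JS_REDIRECT.findall(data):
                self._add(url)

def hosts_in(body):
    parser = ExternalRefs()
    parser.feed(body)
    parser.close()
    return parser.hosts

def referrer_only_hosts(body_plain, body_google, own_host):
    """Hosts that appear only in the response to the Google-referred request."""
    return sorted(hosts_in(body_google) - hosts_in(body_plain) - {own_host})

# Constructed sample responses for one URL (not captured traffic).
PLAIN = '<html><body><img src="http://site.example/cat.jpg"></body></html>'
GOOGLE = PLAIN.replace("</body>",
    '<script>window.location.href="http://fake-av.example/scan";</script></body>')
```

Any host returned by `referrer_only_hosts(PLAIN, GOOGLE, "site.example")` is content the server adds only for Google-referred visitors and is worth investigating on the server side.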

More thorough technical information about this attack can be found on the Unmask Parasites blog or the ISC site. In this blog post, we focus only on the data from the avast! Community IQ database to show how big this attack was, and to look at how many domains are still infected, with their admins either unaware or not paying much attention to their websites.

We blocked the first poisoning URL on 8 March, 2011. On the first day, we counted only 4 infected domains. Until now, we’ve received reports from 11,039 infected domains visited by avast! users. The following graph shows how the number of affected domains reported to our systems has grown.

Currently, we are tracking 8 sites used for this poisoning. This graph shows traffic on these blocked sites. The steep slope at the end of the graph is most probably caused by the blocking of the sites in Google Safe Browsing.

We’ve tried to verify how many of the referring domains still carry the ‘infected’ iframe/img tag, and it’s 3,609 — or, in other words, almost a third of them!

Although visiting these sites is not a direct threat to the user (they’re only poisoned baits for Google crawlers), this still illustrates the fact that the bad guys have access to many ‘legitimate’ sites and are able to do anything with them. No ‘common sense’ approach can help you to decide if you’re visiting a clean page or one that’s been hacked.

  1. May 18th, 2011 at 01:27 | #1

    I have avast internet security, am I safe from this Google-images poisoning stats?

  2. May 18th, 2011 at 10:58 | #2

    @Wayne
    Hello Wayne,
    yes, you are safe from Google-images poisoning. Even Google already blocks these sites. This article only shows you some stats from our Community IQ database.

  3. Tech
    May 20th, 2011 at 13:55 | #3

    Jan, nothing more sure than “No ‘common sense’ approach can help you to decide if you’re visiting a clean page or one that’s been hacked.”.
    Thanks for protecting us.
