Google-images poisoning stats

Jan Širmer 17 May 2011

Google-images poisoning stats

I think most of you have probably heard about Google-images poisoning, but what is it?

When a user performs a Google Image search, images from an attacker’s page can be shown at a certain position in the results page. The exploit happens when a user clicks on the image. Google displays an iframe to a legitimate site. The browser will then send a request to the page running the attacker’s script. This script checks the referrer and, if it is Google, the script starts new JavaScript. This causes the browser to be redirected to another site that is serving a fake antivirus.

More thorough technical information about this attack could be found on the Unmask Parasites blog or the ISC site. In this blog, we only tried to focus on the data from the avast! Community IQ database to show how big this attack was, and to look at how many domains are still infected -- with their admins either unknowing or not paying much attention to their websites.

The first poisoning url we blocked 8 March, 2011. The first day, we counted only 4 infected domains. Until now, we've received reports from 11,039 infected domains visited by avast! users. The following graph shows how the number of affected domains reported to our systems have grown.

Currently, we are tracking 8 sites used for this poisoning. This graph shows traffic on these blocked sites. The steep slope at the end of the graph is most probably caused by the blocking of the sites in the Google Safe Browsing.

We've tried to verify how many of the referring domains still carry the 'infected' iframe/img tag, and it's 3,609 -- or, in other words, almost a third of them!

Although visiting these sites is not a direct threat to the user (they're only poisoned baits for Google crawlers), this still illustrates the fact that the bad guys have access to many 'legitimate' sites and are able to do anything with them. No 'common sense' approach can help you to decide if you're visiting a clean page or one that's been hacked.

Related articles

--> -->