Google Image Search is one attack vector that malware writers are focusing their attention on right now. It’s the unseen threat (no pun intended :)) at the moment. Have you ever clicked on an image in Google search without checking whether the image/thumbnail was safe? Malicious images in search use BlackHat SEO and PHP scripts to evade Google’s URL and image detection technology. Malicious image search propagation is a very real threat for end users. I’ve been seeing some malicious activity regarding Google image search, and security analysts whom I know well support me on this finding.
Fake malware websites are popping up that host popular pictures, i.e. photographs of famous people or people in the news. In addition to malicious websites, hackers are using code injection to redirect users when they click on an image, taking them to a website that attempts to download and install a fake antivirus application (often referred to as rogueware or scareware).
Malware writers develop advanced scripts that automatically monitor Google Trends queries and create artificial web pages – this is the BlackHat SEO component. This is how the hackers generate webpages with artificial content. The webpages contain both text and images copied from other websites so that they appear authentic.
The hackers primarily target legitimate websites. Once the source website has been exploited, the PHP scripts are uploaded. The scripts are used to identify and locate the images via search engines, i.e. Google. The malware writers’ scripts then look for Google bots and deliver a special page back to them containing automatically generated content. Google then parses the embedded links to images, which populates the image search database. Clever. So, what is the real issue?
When you search Google images, thumbnails of images are displayed. A malicious image with an embedded URL will appear in a certain position (normally a high position) in search – anyone who knows BlackHat SEO will know what I’m talking about here. The exploit occurs when a user inadvertently clicks the image. Hover over the thumbnail and then click it, and the image will be shown in the center of the page (iframe/XSS exploits are a real problem here), with links to the original website on the right-hand side and the original thumbnail in the background.
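Because the injected scripts show Google's bots one page and send image-search visitors somewhere else, a site owner can check for a compromise by requesting the same URL both ways and comparing the responses. The sketch below is an added example, not code from the original post; the hostnames, the sample responses and the 0.6 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urljoin, urlparse

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample data (not captured traffic): the response one URL gave to
# a crawler user-agent and to a browser arriving with an image-search referrer.
LONG_PAGE = "<html><h1>Photo gallery</h1>" + "<p>caption text</p>" * 10 + "</html>"
SAMPLES = {
    "http://blog.example/gallery.php": {      # redirect served to visitors only
        "crawler": {"status": 200, "location": None, "body": LONG_PAGE},
        "visitor": {"status": 302, "location": "http://scan.example/av/", "body": ""},
    },
    "http://shop.example/item.php": {         # script-only page for visitors
        "crawler": {"status": 200, "location": None, "body": LONG_PAGE},
        "visitor": {"status": 200, "location": None,
                    "body": "<script>location='http://scan.example/'</script>"},
    },
    "http://news.example/story.html": {       # same content for both: clean
        "crawler": {"status": 200, "location": None, "body": LONG_PAGE},
        "visitor": {"status": 200, "location": None, "body": LONG_PAGE},
    },
}


def cloaking_findings(url, crawler, visitor, min_similarity=0.6):
    """Return the reasons the two responses for `url` look cloaked."""
    findings = []
    if visitor["status"] in REDIRECTS and visitor["location"]:
        # Resolve relative Location headers before comparing hosts.
        target = urlparse(urljoin(url, visitor["location"])).hostname
        if crawler["status"] == 200 and target != urlparse(url).hostname:
            findings.append("offsite-redirect:" + target)
    if crawler["status"] == visitor["status"] == 200:
        ratio = SequenceMatcher(None, crawler["body"], visitor["body"],
                                autojunk=False).ratio()
        if ratio < min_similarity:
            findings.append("body-mismatch")
    return findings


def audit(samples):
    """Map each URL to its findings; an empty list means no divergence seen."""
    return {url: cloaking_findings(url, r["crawler"], r["visitor"])
            for url, r in samples.items()}


if __name__ == "__main__":
    for url, findings in audit(SAMPLES).items():
        print(url, "->", findings or "consistent")
```
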
Safe surfing folks!