Careful What You Search For

Search results and malicious websites

Among the many excuses I’ve heard from people who take computer security too lightly, or who brush off the likelihood of being targeted by Web attacks, are comments such as “I don’t search for anything bad,” or “I only visit sites I know.” I find this sort of attitude very frustrating, if not amusing, and I like coming across bits of information that I can use to educate these people. So, I was especially interested in the results of some related data analysis that I worked on for the recently released Symantec Report on Attack Kits and Malicious Websites.

One of the metrics we use in the report examines Web search terms and the number of times the use of each search term resulted in a user visiting a malicious website. The range of search terms was unrestricted and consisted of both “good” and “bad” things—anything that anyone might search the Web for, in other words. The top 100 terms were chosen for closer inspection based on the volume of malicious website hits associated with them.

Malicious websites by search term type

One of the resulting data points that came from the analysis was particularly interesting, although not surprising. Of the top 100 search terms, 74 were specific to legitimate domain names. That means that someone was searching for a legitimate website by name and ended up visiting a malicious website instead. How does that happen? One of the main ways is this: When Uncle Bob wants to visit some website, perhaps his favorite social network, he types the website name in the search bar rather than entering the full URL. Uncle Bob’s browser searches for the matching domain name and returns a list of results. Uncle Bob absent-mindedly clicks on one of the results without verifying its integrity and ends up opening a malicious website.

This scenario may sound a bit contrived, but I think alternate scenarios are likely similar. Moreover, the numbers speak volumes: attackers are getting more hits on their malicious sites when targeting searches for reputable (i.e., good) websites than they are when targeting, say, less-than-savory sites. This reinforces just how important caution is when browsing the Web, even for people who think they’re practicing safe searching.

For a complete analysis of malicious websites by search term—as well as discussion of other aspects of attack kits and malicious sites—please download the Symantec Report on Attack Toolkits and Malicious Websites.