It is not uncommon to find malicious links in 15% to 20% of the first 100 results returned by Google for any popular search term (according to Google trends). If Google doesn’t take the Blackhat SEO problem more seriously, the total number of malicious links is bound to increase and this may already be happening.
The top search on April 2nd was “tri energy”. I am not sure why it became so popular, but don’t google it: more than 90% of the first 100 links are malicious! Here is what I found for this search on April 4th:
- 86 links were sending users directly to a malicious, fake antivirus page that tries to install malware. This is the same issue, with the same domain name (xorg.pl) involved in most of the redirections that I detailed in a previous post.
- 4 malicious links were down or Google displayed a warning page
- The first 5 links on the first page of results were legitimate
One of the too few warnings from Google
Same search on Bing and Yahoo
For the same search, Bing did not show any malicious links. Yahoo! displayed 4 malicious links on pages 2, 6 and 7. At this point, I’m not sure if Bing and Yahoo! do a better job at cleaning up their search results, or if they are simply slower at picking up new pages.
8 hours later
I have re-scanned the Google results 8 hours later and things are a bit better. There are still only 10 legitimate links in the first 100 results, but Google displays a warning for 87 links. Only 3 malicious links redirect to a harmful site.
Google warns the users to not follow these links. Why do they even show them?
Not an exception
This number of malicious links may be extreme in this example, but the overall problem of attackers leveraging SEO optimization is not rare at all. For the same day, the #5 Google Trends search term, “epic google”, 50% of the first 100 links are malicious. For the #2 search term, “mendicant”, 38% of the links are malicious. It took 2 days to Google to start clean up the results, from April 2nd to April 5th in the morning.
I do not understand why Google decides to include malicious links in their search results. Depending on the user’s browser version, clicking on these links can be harmful to users, or display useless content. In both cases, users do not want to visit these sites.
-- Julien