
Recently Google has hit the headlines with concerns over privacy courtesy of Street View mapping, plus allegations of trademark infringements with the Android open source mobile phone OS. The latest headlines, though, look like returning to the heart of Google: the search engine.

Google SERPs malware manipulation has hit new heights with the discovery that a series of website compromises known collectively as Gumblar has now infected more than 1,500 sites. Gumblar is growing at an alarming rate, by some 80 percent in the last week alone, which pretty much eclipses the growth rate of any previously known Google SERPs manipulation scheme within the same kind of time frame.

Gumblar can grow so rapidly because of a number of rather unique characteristics which, when combined, make traditional detection methodologies ineffective to say the least. Essentially, whenever you visit a Gumblar compromised site you are at risk. That risk might be from being susceptible to seeing fake search engine results when you go on to use the Google search engine afterwards, which will then forcibly redirect you to an 'imposter site' which in turn could scrape your personal data, including credit card details and the like, leading to identity theft and other fraudulent activity. One such activity is the theft of FTP credentials, which can lead to any site that you manage also falling victim to the Gumblar compromise in turn. Of course, it should be pointed out that the injection and redirection both occur locally rather than on Google search servers.

"Because of the complexity of the Gumblar compromises, detection via traditional methods, like signature detection and blacklisting, are ineffective," Mary Landesman, senior security researcher at ScanSafe, which uncovered the growing problem, told us, continuing: "Gumblar’s sophistication and incredible growth rate should serve as a wake up call to the IT community."

Google woke up as quickly as it could, and immediately delisted all compromised sites upon discovery of this breach. Of course, cyber-criminals are pretty clever these days and responded just as quickly by replacing the suspect IP address with another IP address, so enabling compromised sites to be relisted once more.

"The cyber criminals responsible for Gumblar have learned to morph its features quickly," Landesman admits, adding: "this, coupled with Gumblar’s other dynamic characteristics, is allowing the compromise to disseminate more rapidly than others we’ve seen."

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Last Post by WeWatch

The cybercriminals are really smart. To avoid detection by Google, the cybercriminals have started modifying the robots.txt file to block the Googlebot from indexing the pages they've infected with malscripts.

We've been seeing this a lot in the past 2 days. It seems that most website owners don't know their sites have been tampered with until Google notifies them. So the cybercriminals think they can get a few more days on these sites before their malscripts are detected and someone notifies the website owner.

Pretty smart...
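
A defender-side check for the robots.txt tampering described in the reply above, as an added example that is not part of the original post: it compares a known-good robots.txt with the live one and reports paths newly hidden from Googlebot. The sample files are constructed, and agent matching is simplified to the exact `googlebot` token with fallback to the `*` group.

```python
"""Report paths newly hidden from Googlebot between two robots.txt versions."""

def parse_groups(text):
    """Map each user-agent token (lowercased) to its non-empty Disallow paths."""
    groups, agents, in_rules = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                          # rules closed the last group
                agents, in_rules = [], False
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow"):
            in_rules = True
            if field == "disallow" and value:     # empty Disallow blocks nothing
                for agent in agents:
                    groups[agent].append(value)
    return groups

def googlebot_disallows(text):
    """Simplification: exact 'googlebot' group if present, else the '*' group."""
    groups = parse_groups(text)
    return set(groups["googlebot"] if "googlebot" in groups else groups.get("*", []))

def newly_hidden(baseline, current):
    """Paths Googlebot may not crawl now but could under the baseline."""
    return sorted(googlebot_disallows(current) - googlebot_disallows(baseline))

# Constructed sample files (not taken from any real site).
BASELINE = "User-agent: *\nDisallow: /admin/\n"
TAMPERED = BASELINE + "\nUser-agent: Googlebot\nDisallow: /\n"

if __name__ == "__main__":
    for path in newly_hidden(BASELINE, TAMPERED):
        print("ALERT: robots.txt now hides", path, "from Googlebot")
```

Run on a schedule against a baseline kept outside the web root, this surfaces the change without waiting for a notification from Google.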
