Recently Google has hit the headlines with privacy concerns courtesy of Street View mapping, plus allegations of trademark infringement involving the Android open source mobile phone OS. The latest headlines, though, look set to return to the heart of Google: the search engine.
Google SERPs malware manipulation has hit new heights with the discovery that a series of website compromises known collectively as Gumblar has now infected more than 1,500 sites. Gumblar is growing at an alarming rate, by some 80 percent in the last week alone, which pretty much eclipses the growth rate of any previously known Google SERPs manipulation scheme over a comparable time frame.
Gumblar can grow so rapidly because of a number of rather unique characteristics which, when combined, make traditional detection methods ineffective, to say the least. Essentially, whenever you visit a Gumblar-compromised site you are at risk. That risk includes being shown fake search results when you go on to use the Google search engine afterwards, which then forcibly redirect you to an 'imposter site' that could in turn scrape your personal data, credit card details and the like included, leading to identity theft and other fraudulent activity. One such activity is the theft of FTP credentials, which can lead to any site that you manage also falling victim to the Gumblar compromise in turn. Of course, it should be pointed out that the injection and redirection both occur locally, on the visitor's own machine, rather than on Google's search servers.
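Because the stolen FTP credentials are used to alter sites the victim administers, the check a webmaster most wants here is a simple one: a hash manifest of the deployed document root that is periodically compared against the live files, so that rewritten pages or dropped-in files show up even when no signature matches the injected content. The script below is an added example written for this article, not code from the article or from ScanSafe; the directory layout, file names and page contents in `demo()` are constructed for the demonstration, and the `<script` tag count is only a triage hint, not a detection rule.

```python
"""Baseline-and-compare integrity check for a website's document root.

Added example, not code from the article or from ScanSafe. A site whose FTP
credentials were stolen is typically altered by rewriting or adding files, so
a webmaster who keeps a hash manifest of the deployed site can spot the edits
regardless of what the injected content looks like. All paths, file names and
page contents used in demo() are constructed for this demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types whose contents are worth a quick look for script tags (assumption).
TEXT_SUFFIXES = {".html", ".htm", ".php", ".js"}


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def count_script_tags(path: Path) -> int:
    """Triage hint: number of '<script' occurrences in a text file, case-insensitive."""
    if path.suffix.lower() not in TEXT_SUFFIXES:
        return 0
    text = path.read_text(encoding="utf-8", errors="replace")
    return text.lower().count("<script")


def compare_manifests(baseline: dict, root: Path) -> dict:
    """Diff a stored baseline against the files currently under root."""
    current = build_manifest(root)
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append({"path": rel, "script_tags": count_script_tags(root / rel)})
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append({"path": rel, "script_tags": count_script_tags(root / rel)})
    return report


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist the baseline; keep this file off the web host itself."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: snapshot a clean site, then simulate edits made via FTP."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "img").mkdir(parents=True)
        (root / "index.html").write_text("<html><body>Welcome</body></html>\n")
        (root / "about.html").write_text("<html><body>About us</body></html>\n")
        (root / "img" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\nconstructed")
        baseline_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(root), baseline_path)

        # Simulated tampering: a script tag appended to one page, a new file
        # dropped into the image directory, and one page deleted.
        with (root / "index.html").open("a") as fh:
            fh.write('<script src="/injected-placeholder.js"></script>\n')
        (root / "img" / "extra.php").write_text("<?php echo 'placeholder'; ?>\n")
        (root / "about.html").unlink()

        return compare_manifests(load_manifest(baseline_path), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken right after a known-good deployment and stored somewhere the site's FTP account cannot reach, so an attacker who edits the site cannot also edit the manifest; the comparison is then run on a schedule and any non-empty `added` or `modified` list is treated as an incident until explained by a legitimate deployment.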
"Because of the complexity of the Gumblar compromises, detection via traditional methods, like signature detection and blacklisting, is ineffective," Mary Landesman, senior security researcher at ScanSafe, which uncovered the growing problem, told us, continuing: "Gumblar’s sophistication and incredible growth rate should serve as a wake-up call to the IT community."
Google woke up as quickly as it could and immediately delisted all compromised sites upon discovery of the breach. Of course, cyber-criminals are pretty clever these days and responded just as quickly by swapping the suspect IP address for another one, enabling the compromised sites to be relisted once more.
"The cyber criminals responsible for Gumblar have learned to morph its features quickly," Landesman admits, adding: "this, coupled with Gumblar’s other dynamic characteristics, is allowing the compromise to disseminate more rapidly than others we’ve seen."