Recently Google has hit the headlines with concerns over privacy courtesy of Street View mapping, plus allegations of trademark infringements with the Android open source mobile phone OS. The latest headlines, though, look like returning to the heart of Google: the search engine.

Google SERPs malware manipulation has hit new heights with the discovery that a series of website compromises know collectively as Gumblar has now infected more than 1,500 sites. Gumblar is growing at an alarming rate, by some 80 percent in the last week alone which pretty much eclipses the growth rate of any previously known Google SERPs manipulation scheme within the same kind of time frame.

Gumblar can grow so rapidly because of a number of rather unique characteristics which, when combined, makes traditional detection methodologies ineffective to say the least. Essentially, whenever you visit a Gumblar compromised site you are at risk. That risk might be from being susceptible to seeing fake search engine results when you go on to use the Google search engine afterwards, which will then forcibly redirect you to an 'imposter site' which in turn could scrape your personal data, including credit card details and the like, leading to identity theft and other fraudulent activity. One such activity being the theft of FTP credentials which can lead to any site that you manage also falling victim to the Gumblar compromise in turn. Of course, it should be pointed out that the injection and redirection both occur locally rather than on Google search servers.

"Because of the complexity of the Gumblar compromises, detection via traditional methods, like signature detection and blacklisting, are ineffective" Mary Landesman, senior security researcher at ScanSafe which uncovered the growing problem told us, continuing "Gumblar’s sophistication and incredible growth rate should serve as a wake up call to the IT community."

Google woke up as quickly as it could, and immediately delisted all compromised sites upon discovery of this breach. Of course, cyber-criminals are pretty clever these days and responded just as quickly by replacing the suspect IP address with another IP address and so enabling compromised sites to be relisted once more.

"The cyber criminals responsible for Gumblar have learned to morph its features quickly" Landesman admits, adding "this, coupled with Gumblar’s other dynamic characteristics, is allowing the compromise to disseminate more rapidly than others we’ve seen."

The cybercriminals are really smart. To avoid detection by Google, the cybercriminals have started modifying the robots.txt file to block the Googlebot from indexing the pages they've infected with malscripts.

We've been seeing this a lot in the past 2 days. It seems that most website owners don't know their sites have been tampered with until Google notifies them. So the cybercriminals think they can get a few more days on these sites before their malscripts are detected and someone notifies the website owner.

Pretty smart...