Spam links flying under Google flag
Internet security firm Trend Micro reports that spammers are using a simple trick to disguise links to websites infected with malicious software as harmless links to Google search results. They take advantage of the search engine automatically sending users to the highest ranked hit when they press "I'm feeling lucky". This type of attack can be highly successful because people generally trust links to the Google site as the search engine has such a good reputation.
You have to look quite closely to tell a regular search link in an e-mail such as http://www.google.com/search?q=%22your+search+terms%22 from an "I'm feeling lucky" link, which looks like this: http://www.google.com/search?btnI&q=%22your+search+terms%22. The first link points your browser to the hit list, as you would expect, but the second one sends you directly to an external website. The scarcely noticeable variable "btnI" causes the automatic redirect. Using an additional site: specifier can produce more reliable results.
In order to exploit this redirect, attackers first have to make sure that their website is the highest ranked entry in the Google hit list for a particular keyword. The easiest way to do that is to use a nonsense word, such as "heisefication". Initially, the redirect will lead to a Google site informing the user that there were no hits. But soon, the Google bot will include the attacker's website in the search engine's index, a process that may only take a few hours depending on how popular the site is. For instance, by the time you read these lines this unsuspicious Google link will probably also redirect you – quite possibly back to this harmless heise report.
By the time unsuspecting users notice that their click on such a specially crafted Google link did not take them to a list of search results as desired, it may already be too late – in the worst case, their computers may have already been infected with malicious code by means of a browser vulnerability. Phishers may also be able to take advantage of seemingly trustworthy Google links.
The trick not only works with Google's "I'm feeling lucky" function, but also with the redirect function that Firefox, among others, implements whenever users type an invalid internet address into the address line. In this case, the URL is called with the format http://www.google.com/search?sourceid=navclient&gfns=1&q=heisefication.
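The two URL shapes described above (the `btnI` "I'm feeling lucky" form and the `gfns=1` address-bar form) differ from a normal search link only by a query parameter, so a mail or proxy filter can flag them mechanically. The following Python script is an added example, not code from the heise report or from Google; it assumes the links are being scanned in plain message text and checks only the google.com hosts named in the report (the `GOOGLE_HOSTS` set and the `SAMPLE_MAIL` body are constructed for this illustration).

```python
"""Flag Google search links that silently redirect to the top-ranked hit.

Added example, not part of the original report. Assumption: links are
scanned in plain message text; only google.com hosts are inspected.
"""
import re
from urllib.parse import urlparse, parse_qs

# Assumption: extend this set with country-specific Google hosts if needed.
GOOGLE_HOSTS = {"google.com", "www.google.com"}


def classify_google_link(url):
    """Classify one URL as 'results', 'redirect' or 'other'.

    'redirect' means Google would send the browser straight to the top-ranked
    hit instead of showing a result list: the URL carries the "I'm feeling
    lucky" parameter btnI (with any value, or with none) or the browser
    address-bar parameter gfns=1. The search term is returned as well, since
    that is what an analyst would want to look up.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host not in GOOGLE_HOSTS or p.path != "/search":
        return {"verdict": "other", "query": None}
    # keep_blank_values=True matters: the spam form is "?btnI&q=...", where
    # btnI has no value and would otherwise be dropped by parse_qs.
    params = parse_qs(p.query, keep_blank_values=True)
    query = params.get("q", [None])[0]
    if "btnI" in params or "1" in params.get("gfns", []):
        return {"verdict": "redirect", "query": query}
    return {"verdict": "results", "query": query}


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def flag_redirect_links(text):
    """Return (url, query) pairs for every auto-redirecting Google link in text."""
    flagged = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,)")  # drop sentence punctuation glued to the link
        c = classify_google_link(url)
        if c["verdict"] == "redirect":
            flagged.append((url, c["query"]))
    return flagged


# Constructed sample message carrying the three URL shapes from the report:
# a normal result-list link, a btnI link and a gfns=1 link.
SAMPLE_MAIL = """Hi,
see http://www.google.com/search?q=%22your+search+terms%22 for the list,
or go straight to http://www.google.com/search?btnI&q=%22your+search+terms%22.
Also: http://www.google.com/search?sourceid=navclient&gfns=1&q=heisefication
"""

if __name__ == "__main__":
    for url, query in flag_redirect_links(SAMPLE_MAIL):
        print(f"auto-redirect link: {url}  (query: {query!r})")
```

The check keys on parameter presence rather than value because `btnI` is honoured whether it is empty or set to the button label; a filter that only looked for `btnI=` would miss the bare form shown in the report.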
Google and application vendors are unlikely to respond with technical countermeasures any time soon. Until they do, users should continue to exercise caution when clicking on Google links in e-mails or web pages.