Hackers Shanghai Google Warning

Google Shanghai Attack

Google’s index has been hacked, searching for certain keywords will bring up dozens of spoof sites that will infect your PC with malware or viruses. That’s the warning that comes from Dr Jenny Oliver of Olfaction Research Ltd who called today.

Dr Oliver is your fairly average surfer, searching recreationally last Sunday evening, she clicked on what seemed to be a legitimate result in the SERPs only to discover, once it was too late, that the website to which the result pointed was harboring malware and that this had attempted to infect her Mac.

“I can’t remember what I put in to search with,” she told me, “as I was idly surfing last night, my Mac was suddenly very busy for several seconds as if installing a program.” She rebooted very quickly after that, but her net connection seemed to have become ominously slow.

Spoof websites have been around for a while but searching for some very specific, high-ranking, key phrases, are now bringing up an inordinate number of site on the .cn top-level domain (TLD) in the last few days, some 80% of Dr Oliver’s results were spoofed pages. Adding “-site:.cn” or “-cn” didn’t totally eradicate the spoofs, perhaps because the hackers are somehow using a hidden Chinese character, that looks like a space before the period.

The issue has now been discussed in more detail here. Oliver, however, describes it as follows: “I just tried to find the three spoofs again on the first page, using the keywords I mentioned [we’re not listing them here, for obvious reasons, db] even with the proviso of -site:.cn added, they appeared at the top of the SERPs. “To get around the “-.cn” it seems the spoofers use a non-displaying Chinese character, which looks like “asasdfdsf. cn” in other words, it shows up as a blank space or two before the cn in the address.

The sites have genuine-looking titles, but appear to contain random lists of words and phrases and/or scraped content from US sites. The site addresses themselves are spoofed or bogus, so be wary of clicking them, especially if you don’t have full browser immunization (Spybot S&D for that), antispyware (Spybot and AdAware), antivirus (AVG), and a Firewall in place (router/hardware AND ZoneAlarm).

Joe on GoogleWatchdog also reports similar strange behavior. “It appears that the faked sites are redirecting the Googlebot to a location where content can be indexed, while at the same time recognizing normal users and redirecting them to a site that includes the malware mentioned earlier. This is an obvious violation of Google’s guidelines, but the spammers have found ways to circumvent the rule and hide it from the Googlebot,” he says.

The possibility of cyberterrorism that exploits this Google looooophole are very alarming. All users could be threatened by activity as well as ecommerce sites and others. Until now, phishing attempts have usually been made to extort money from gullible surfers, clicking on malicious web addresses in their emails. This new attack on google search seems to represent a major shift in scale from random emails to the activity of the biggest search engine.

The bottom line for users? Don’t panic, just don’t click on .cn sites you find via google.com, for the time being. If you need to search across China, use google.cn instead. Thankfully, Google is now on the case, according to Matt Cutts. Indeed, searching for Dr Oliver’s problem keywords gives me “normal” SERPs. “However, the danger remains – hackers would be likely to use a time when defenses are low, like ‘out-of-hours’, surfing at these times should obviously be approached with extra caution,” she says.

Author: David Bradley

Freelance science journalist, author of Deceived Wisdom. Photographer and musician.