Google 'secure search' hits scareware peddlers

James Delahunty
28 Nov 2011 7:03

Changes to Google policies deprive criminals of much-needed search information.
In order to protect people on possibly vulnerable networks, such as Wi-Fi hotspots, Google changed its policies to automatically turn on secure searching for logged-in users. With SSL in use, search queries can no longer be easily captured by other devices on the same network.
Another change made by Google that didn't get as much attention was the removal of search terms used to reach websites from the HTTP referrer header. This applies only to secure search; the information is still present when using the default unencrypted HTTP search.
This change means that legitimate websites can no longer see the search terms used to eventually find content on their websites. Typically, such information would be used by legitimate websites to create more targeted content, or to probe the ever-changing interests of their target audience.
It was also used, however, by cybercriminals to figure out which search terms to target with Black Hat SEO techniques. Typically, gangs of cybercriminals who are peddling malware will set up many routes to the same scam website. Those 'routes' exist as other webpages, findable on search engines, that link or redirect to a malicious website.
By mining the HTTP referrer data, they could identify which search terms sent the majority of people to their scam sites. They could then use Black Hat SEO to manipulate Google search results and gain even more victims.
If you are logged in to a Google service, such as Gmail, then when you use Google Search, you will notice it is automatically secure. Considering the number of people that use Google services, you would expect the declining volume of referral search-term information to hit the cybercriminals quite badly too, as they have less information on what search keywords to target.
According to web security firms, that is exactly what is happening. "When these sites receive visits from search engine visitors, they will have no idea what search sent them there," David Sancho, a senior threat researcher at Trend Micro, writes.
"They won't have a clear idea which search terms work and which don't, so they are essentially in the dark. This can have a lot of impact on the effectiveness of their poisoning activities. This is, of course, good for Google as their search lists are cleaner but it's also good for all users because they'll be less likely to click on bad links from Google."
