Siphoned Google traffic used to install badware

Posted by joy

A few months ago I wrote up a post about how I found some very shifty results on Google search engine result pages (SERPs). At the time, I found some pages that were essentially mockups of Google SERPs. These pages were all on a .info TLD, had an iframe linking to a website called and had numerous links at the bottom of each mocked-up page pointing to other mocked-up .info pages. I couldn’t figure out why someone would go through all of that trouble.
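The pattern described above (a page styled as a SERP, an iframe pointing at some other host, and a cluster of links to more .info pages) is easy to turn into a defender's triage heuristic. The following is an added example, not code from the original post or from Didier Stevens' write-up; it uses only the Python standard library, the sample HTML is constructed, and the link-count threshold and the indicator names are my own assumptions.

```python
"""Triage heuristic for the fake-SERP pattern described in the post.

Flags an HTML document when it contains an iframe whose host differs from
the page's own host AND a cluster of anchor links to .info hosts.
Threshold and indicator names are assumptions for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect <a href> and <iframe src> targets from a document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.anchors.append(a["href"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])


def _host(url):
    """Lower-cased hostname of a URL, or '' for relative/unparseable links."""
    return (urlparse(url).hostname or "").lower()


def fake_serp_indicators(html, page_url, info_link_threshold=5):
    """Return indicators for the fake-SERP pattern.

    offsite_iframes : sorted iframe hosts that differ from the page's own host
    info_links      : number of <a href> targets on a .info host
    suspicious      : True when there is an off-site iframe AND
                      info_links >= info_link_threshold (assumed threshold)
    """
    p = _LinkCollector()
    p.feed(html)
    own = _host(page_url)
    offsite = sorted({_host(s) for s in p.iframes if _host(s) and _host(s) != own})
    info_links = sum(1 for h in p.anchors if _host(h).endswith(".info"))
    return {
        "offsite_iframes": offsite,
        "info_links": info_links,
        "suspicious": bool(offsite) and info_links >= info_link_threshold,
    }


# Constructed sample: a mocked-up SERP with six .info cross-links and a
# hidden iframe to a different host (hostnames are placeholders).
FAKE_PAGE = """<html><body>
<div class="results">
  <a href="http://fake-serp-two.info/q.html">resut one</a>
  <a href="http://fake-serp-three.info/q.html">resut two</a>
  <a href="http://fake-serp-four.info/q.html">resut three</a>
  <a href="http://fake-serp-five.info/q.html">resut four</a>
  <a href="http://fake-serp-six.info/q.html">resut five</a>
  <a href="http://fake-serp-seven.info/q.html">resut six</a>
</div>
<iframe src="http://downloader.example/land" width="0" height="0"></iframe>
</body></html>"""

# Constructed sample: an ordinary page whose iframe stays on its own host.
BENIGN_PAGE = """<html><body>
<a href="/about">About</a>
<a href="http://example.com/news">News</a>
<iframe src="http://example.com/widget"></iframe>
</body></html>"""


if __name__ == "__main__":
    print(fake_serp_indicators(FAKE_PAGE, "http://fake-serp-one.info/search.html"))
    print(fake_serp_indicators(BENIGN_PAGE, "http://example.com/"))
```

Relative links have no hostname and so never count toward the .info tally, and an iframe on the page's own host is ignored; both choices keep ordinary sites from tripping the heuristic, which is meant as a first-pass filter for crawled pages rather than a verdict.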

Well, as it turns out, Didier Stevens found out why.

Didier examined Google SERPs on and found the Google mockup .info pages were infecting folks with spyware, adware, dialers and other badware. As of this writing, most virus scanners can’t detect these infected files. Here’s a video of the infection and cleanup.

Didier has also tried to determine the probability of seeing one of these drive by download sites on a Google search query, and the figure is roughly 1 out of 1000.

Of note, these mocked up sites are rife with misspelled words, so if you’re a chronic misspeller I dare say your chances would be higher.

