Attackers booby-trap searches at top Web sites

Updated at 11:22 a.m. PDT Saturday to include a comment from Wal-Mart.

A million search queries have been "poisoned" at dozens of well-known Web sites over the past several weeks, according to security analyst Dancho Danchev.

Attackers are using programming errors to hijack keyword searches by automatically attaching malicious HTML code to specific search queries. Unwitting visitors who type in the selected key words while performing a search at the affected sites are then redirected to booby-trapped Web sites.

This is where the attackers attempt to install malware onto the victims' computers.

Among some of the Web sites that have been attacked are USAToday.com, Target.com, ABCNews.com, Walmart.com, and several sites owned by CNET Networks, the publisher of News.com. A CNET employee confirmed that the attack had occurred but did not know to what extent it had affected site visitors.

Representatives of CNET and USAToday could not be reached on Friday night. Wal-Mart spokeswoman Amy Colella on Saturday said the matter "has not impacted our site in any way," adding, "We take these matters very seriously at Walmart.com, and continuously use measures to protect our customers from any fraudulent online activity."

The attack differs from other IFrame injection attacks in that the traps are being set in the search results and not on a Web site's main pages, said Joris Evers, a spokesman for security firm McAfee.

"This means that a Web user would need to do a search query using one of the terms picked by the attacker to hit a poisoned page," Evers said. "This is in contrast to previously seen attacks where just visiting a site would launch an attack. This reduces the severity (of the most recent attack) somewhat."

Evers added that the Web is quickly becoming one of the most popular means to attack users. This is due in part to improvements made to e-mail security and filtering and also because Web vulnerabilities are a new frontier, he said.