Web searches for iPad leading to malicious sites

Security companies are warning people to be careful about scams involving e-mail or Web search for the Apple iPad or any other popular topic.

Larry Magid
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry.
Larry Magid
3 min read

Security companies are warning consumers and Web site operators to be wary of iPad related search scams.

"This is just the kind of opportunity fraudsters like to exploit by poisoning search terms," said Symantec's Candid Wueest. Wueest also warned about "iPad-related spam and phishing attacks hitting consumers hard over the coming weeks."

In an interview, Don Debolt, CA's director of threat research, warned about "black hat search optimization"--a scam whereby hackers take advantage of security flaws in blogs and other sites that use PHP to imbed popular search terms like iPad to trick search engines into directing people to compromised legitimate sites that may have nothing to with the subject matter at hand. If someone clicks on the link to a page on that infected site they are then redirected to a malicious site which can implant malware on their machine or tempt them to install a rogue security product.

Google Trends displays popular searches Google

It has nothing to do with the iPad itself. Similar techniques have exploited other popular searches such as the Haitian earthquake and the death of Michael Jackson. Google has a trends page that shows hot topics and hot searches. On Thursday afternoon the iPad was represented four times on the top-10 list. "Obama State of the Union" led the list.

The entire process is automated, said Debolt. "We found that it's a very systematic and programmatic process right now," Debolt said. The attackers, he said, are using software to query search engines to find out the popular search topics and then "feeding that information into compromised web sites so that those compromised sites and the content they put on those sites get indexed by the search engine bots." To the end user it looks as if those sites have relevant content but when you click on those pages, you are immediately taken to another site that has the malware.

Debolt warns people to be careful if a search engine points to a site where "the root domain of the URL doesn't have any type of affiliation of the topic or is not an information portal you're familiar with." He warns site operators, especially those with a content management system that uses PHP, including Joomla, WordPress and Droopa, to be sure they are using the latest version of their web software.

I have a bit of experience with injected code. I operate a number of WordPress blogs including SafeKids.com which, a few years ago started serving up Google ads for Viagra and other male enhancement products. These were far from appropriate context-sensitive ads for an Internet safety site and when I took a look at my site's code, I discovered that there were hundreds of links and terms that had been injected to my site as a result of a security flaw in my WordPress template. I replaced the template and updated the WordPress software and the problem went away. Now I'm careful to make sure I'm always running the latest version of WordPress.

As usual, people are cautioned to make sure they are using up-to-date security software and that both their operating system and browser are up-to-date.