Even search engines can get suckered by Internet scams.
With a little sleight of hand, con artists can dupe them into giving top billing to fraudulent Web sites that prey on consumers, making unwitting accomplices of companies such as Google, Yahoo and Microsoft.
Online charlatans typically try to lure people into giving away their personal or financial information by posing as legitimate companies in “phishing” e-mails or through messages in forums such as Twitter and Facebook. But a new study by security researcher Jim Stickley shows how search engines also can turn into funnels for shady schemes.
Stickley created a Web site purporting to belong to the Credit Union of Southern California, a real business that agreed to be part of the experiment. He then used his knowledge of how search engines rank Web sites to achieve something that shocked him: His phony site got a No. 2 ranking on Yahoo Inc’s search engine and landed in the top slot on Microsoft Corp’s Bing, ahead of even the credit union’s real site.
Google Inc, which handles two-thirds of US search requests, didn’t fall into Stickley’s trap. His fake site never got higher than Google’s sixth page of results, too far back to be seen by most people. The company also places a warning alongside sites that its system suspects might be malicious.
But even Google acknowledges it isn’t foolproof.
Some recession-driven scams have been slipping into Google’s search results, although that number is “very, very few,” said Jason Morrison, a Google search quality engineer.
“As soon as we notice anything like it, we’ll adapt, but it’s kind of like a game of Whac-A-Mole,” he said. “We can’t remove every single scam from the Internet. It’s just impossible.”
Stickley’s site wasn’t malicious, but easily could have been. In the year and a half it was up, the 10,568 visitors were automatically redirected to the real credit union, and likely never knew they had passed through a fraudulent site.
“When you’re using search engines, you’ve got to be diligent,” said Stickley, co-founder of TraceSecurity Inc. “You can’t trust that just because it’s No. 2 or No. 1 that it really is. A phone book is actually probably a safer bet than a search engine.”
Microsoft said in a statement that Stickley’s experiment showed that search results can be cluttered with junk, but the company insists Bing “is equipped to address” the problem. Stickley’s link no longer appears in Bing.
To fool users into thinking they were following the right link, Stickley established a domain (creditunionofsc.org) that sounded plausible. (The credit union’s real site is cusocal.org.) After that, Stickley’s site wasn’t designed with humans in mind; it was programmed to make the search engines believe they were scanning a legitimate site. Stickley said he pulled it off by having link after link inside the site to create the appearance of “depth,” even though those links only led to the same picture of the credit union’s front page.
The experiment convinced Credit Union of Southern California that it should protect itself by being more aggressive about buying domain names similar to its own. Domains generally cost a few hundred to a few thousand US dollars each — a pittance compared with a financial institution’s potential liability or loss of goodwill if its customers are ripped off by a fake site.
“The test was hugely successful,” said Ray Rounds, the credit union’s senior vice president of information services.
Stickley’s manipulation illuminates the dark side of so-called search engine optimization. It’s a legitimate tactic used by sites striving to boost their rankings — by designing them so search engines can capture information on them better.
But criminals can turn the tables to pump up fake sites.
“You can do this on a very, very broad scale and have a ton of success,” Stickley said. “This shows there’s a major, major risk out there.”
Robert Hansen, a Web security expert who wasn’t involved in Stickley’s research, said ranking high in search engine results gets easier as the topic gets more obscure. An extremely well-trafficked site such as Bank of America’s would always outrank a phony one, he notes.
Consumers can protect themselves from scam sites by looking up the domain at www.whois.com, which details when a site was registered and by whom. That can be helpful if the Web address of a phony site is similar to the real one.
CALL FOR SUPPORT: President William Lai called on lawmakers across party lines to ensure the livelihood of Taiwanese and that national security is protected President William Lai (賴清德) yesterday called for bipartisan support for Taiwan’s investment in self-defense capabilities at the christening and launch of two coast guard vessels at CSBC Corp, Taiwan’s (台灣國際造船) shipyard in Kaohsiung. The Taipei (台北) is the fourth and final ship of the Chiayi-class offshore patrol vessels, and the Siraya (西拉雅) is the Coast Guard Administration’s (CGA) first-ever ocean patrol vessel, the government said. The Taipei is the fourth and final ship of the Chiayi-class offshore patrol vessels with a displacement of about 4,000 tonnes, Lai said. This ship class was ordered as a result of former president Tsai Ing-wen’s (蔡英文) 2018
‘SECRETS’: While saying China would not attack during his presidency, Donald Trump declined to say how Washington would respond if Beijing were to take military action US President Donald Trump said that China would not take military action against Taiwan while he is president, as the Chinese leaders “know the consequences.” Trump made the statement during an interview on CBS’ 60 Minutes program that aired on Sunday, a few days after his meeting with Chinese President Xi Jinping (習近平) in South Korea. “He [Xi] has openly said, and his people have openly said at meetings, ‘we would never do anything while President Trump is president,’ because they know the consequences,” Trump said in the interview. However, he repeatedly declined to say exactly how Washington would respond in
WARFARE: All sectors of society should recognize, unite, and collectively resist and condemn Beijing’s cross-border suppression, MAC Minister Chiu Chui-cheng said The number of Taiwanese detained because of legal affairs by Chinese authorities has tripled this year, as Beijing intensified its intimidation and division of Taiwanese by combining lawfare and cognitive warfare, the Mainland Affairs Council (MAC) said yesterday. MAC Minister Chiu Chui-cheng (邱垂正) made the statement in response to questions by Democratic Progressive Party (DPP) Legislator Puma Shen (沈柏洋) about the government’s response to counter Chinese public opinion warfare, lawfare and psychological warfare. Shen said he is also being investigated by China for promoting “Taiwanese independence.” He was referring to a report published on Tuesday last week by China’s state-run Xinhua news agency,
‘NOT SUBORDINATE’: Only Taiwanese can decide the nation’s future, and people preserving their democratic way of life is not a provocation, President William Lai said Taiwan does not want China’s “one country, two systems,” and must uphold its freedom and democracy as well as resolve to defend itself, President William Lai (賴清德) said yesterday, rejecting Beijing’s latest bid to bring the country under Chinese control. The president made the remarks while attending a commissioning ceremony for Taiwan’s first battalion of M1A2T Abrams tanks in Hsinchu County’s Hukou Township (湖口). The tanks are made by General Dynamics, a major US defense contractor. China this week said it “absolutely will not” rule out using force over Taiwan, striking a much tougher tone than a series of articles in state media
RSS