Even search engines can get suckered by Internet scams.
With a little sleight of hand, con artists can dupe them into giving top billing to fraudulent Web sites that prey on consumers, making unwitting accomplices of companies such as Google, Yahoo and Microsoft.
Online charlatans typically try to lure people into giving away their personal or financial information by posing as legitimate companies in “phishing” e-mails or through messages in forums such as Twitter and Facebook. But a new study by security researcher Jim Stickley shows how search engines also can turn into funnels for shady schemes.
Stickley created a Web site purporting to belong to the Credit Union of Southern California, a real business that agreed to be part of the experiment. He then used his knowledge of how search engines rank Web sites to achieve something that shocked him: His phony site got a No. 2 ranking on Yahoo Inc’s search engine and landed in the top slot on Microsoft Corp’s Bing, ahead of even the credit union’s real site.
Google Inc, which handles two-thirds of US search requests, didn’t fall into Stickley’s trap. His fake site never got higher than Google’s sixth page of results, too far back to be seen by most people. The company also places a warning alongside sites that its system suspects might be malicious.
But even Google acknowledges it isn’t foolproof.
Some recession-driven scams have been slipping into Google’s search results, although that number is “very, very few,” said Jason Morrison, a Google search quality engineer.
“As soon as we notice anything like it, we’ll adapt, but it’s kind of like a game of Whac-A-Mole,” he said. “We can’t remove every single scam from the Internet. It’s just impossible.”
Stickley’s site wasn’t malicious, but easily could have been. In the year and a half it was up, the 10,568 visitors were automatically redirected to the real credit union, and likely never knew they had passed through a fraudulent site.
“When you’re using search engines, you’ve got to be diligent,” said Stickley, co-founder of TraceSecurity Inc. “You can’t trust that just because it’s No. 2 or No. 1 that it really is. A phone book is actually probably a safer bet than a search engine.”
Microsoft said in a statement that Stickley’s experiment showed that search results can be cluttered with junk, but the company insists Bing “is equipped to address” the problem. Stickley’s link no longer appears in Bing.
To fool users into thinking they were following the right link, Stickley established a domain (creditunionofsc.org) that sounded plausible. (The credit union’s real site is cusocal.org.) After that, Stickley’s site wasn’t designed with humans in mind; it was programmed to make the search engines believe they were scanning a legitimate site. Stickley said he pulled it off by having link after link inside the site to create the appearance of “depth,” even though those links only led to the same picture of the credit union’s front page.
The experiment convinced Credit Union of Southern California that it should protect itself by being more aggressive about buying domain names similar to its own. Domains generally cost a few hundred to a few thousand US dollars each — a pittance compared with a financial institution’s potential liability or loss of goodwill if its customers are ripped off by a fake site.
“The test was hugely successful,” said Ray Rounds, the credit union’s senior vice president of information services.
Stickley’s manipulation illuminates the dark side of so-called search engine optimization. It’s a legitimate tactic used by sites striving to boost their rankings — by designing them so search engines can capture information on them better.
But criminals can turn the tables to pump up fake sites.
“You can do this on a very, very broad scale and have a ton of success,” Stickley said. “This shows there’s a major, major risk out there.”
Robert Hansen, a Web security expert who wasn’t involved in Stickley’s research, said ranking high in search engine results gets easier as the topic gets more obscure. An extremely well-trafficked site such as Bank of America’s would always outrank a phony one, he notes.
Consumers can protect themselves from scam sites by looking up the domain at www.whois.com, which details when a site was registered and by whom. That can be helpful if the Web address of a phony site is similar to the real one.
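The registration check described above can be scripted. This is an added example, not part of the original article: the WHOIS records are constructed for illustration and are not real registration data for either domain, and the two-year age threshold and the function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS responses (NOT real registration data), in the common
# "Key: value" layout that registries return.
SAMPLE_WHOIS = {
    "cusocal.org": """Domain Name: CUSOCAL.ORG
Creation Date: 1998-03-02T05:00:00Z
Registrant Organization: Example Credit Union
""",
    "creditunionofsc.org": """Domain Name: CREDITUNIONOFSC.ORG
Creation Date: 2008-01-15T18:22:41Z
Registrant Organization: REDACTED FOR PRIVACY
""",
}

def parse_whois(text):
    """Return {lowercased field name: first value} from raw WHOIS text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:%#]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields

def review(candidate_text, trusted_text, now, min_age_days=730):
    """List reasons the candidate's registration looks unlike the trusted one."""
    cand, good = parse_whois(candidate_text), parse_whois(trusted_text)
    reasons = []
    created = cand.get("creation date")
    if created is None:
        reasons.append("no creation date in record")
    else:
        ts = datetime.fromisoformat(created.replace("Z", "+00:00"))
        age = (now - ts).days
        if age < min_age_days:  # assumed threshold: younger than two years
            reasons.append(f"registered only {age} days ago")
    owner = cand.get("registrant organization", "").casefold()
    if owner != good.get("registrant organization", "").casefold():
        reasons.append("registrant differs from the known site's registrant")
    return reasons

if __name__ == "__main__":
    when = datetime(2009, 6, 1, tzinfo=timezone.utc)  # constructed "today"
    for reason in review(SAMPLE_WHOIS["creditunionofsc.org"],
                         SAMPLE_WHOIS["cusocal.org"], when):
        print("creditunionofsc.org:", reason)
```

A recent registration date or a hidden registrant is a reason to verify the address through another channel, not proof of fraud on its own.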