Search engine results and security

Search engines permeate every aspect of our lives. We do not think twice about using Google, Bing or Yahoo to look for stuff that we need information on. But can we trust the results that come up in searches?

It is a well known fact that the higher a link is in the search results, the more the chances of people clicking on that link. People usually click on links in the first 1-3 pages. It is less likely that links beyond the first few pages will be clicked on. Search engines like Google, Bing and Yahoo spend enormous amounts of effort to bring us results that are the most relevant.

So, what if someone were to rig the search engines to get a malicious site at the top of the pile of links? This is exactly what one security researcher did. He got a domain name that was similar to a credit union’s in California. Using his knowledge of how search engines rank results, he proceeded to promote his face credit union site. The site ended up number 2 on Yahoo and number 1 on Bing. It was listed on the 6th page on Google, too far behind to be of significance.

What was significant was that over 1000 people clicked on his link and were transparently redirected to the real credit union site by his site. Now, if he wanted to be malicious, he could have set up a login page that looked similar to the real credit union.

Chances are that quite a few of the 10,000 people would have tried to login using their credentials. An additional problem is that a lot of people use the same passwords on multiple sites. By selecting the most popular sites and trying the credentials out, multiple sites belonging to each person involved may be compromised.

This experiment underscores the fact that not all links that appear high on search engine results may be legitimate. A lot of people implicitly trust these results and click on links without a second thought, putting themselves at risk of compromise. Criminals know how people in general behave and exploit that knowledge. It is the internet users’ responsibility to be aware of what links they are clicking on and which websites they are visiting. While search engines try their best to weed out scams, it is just impossible to eliminate all of them.