Search engine results increasingly poisoned with malicious links

Malware threats in search results are getting worse despite the best efforts of Google and other vendors.

The number of infected results has been increasing year by year since 2013 despite the application of multiple tools and technologies designed to exclude dodgy links, according to a study by independent anti-virus testing outfit AV-TEST.org.

The analyzed websites originate in various proportions from the search engines of Google, Bing, Yandex and Faroo. Additionally, over the past two years, more than 515 million Twitter updates were examined for malicious links. Last year AV-TEST.org examined 80 million websites, spotting 18,280 infected web pages. In the year up to August the testing lab inspected a similar 81 million websites turning up a much higher 29,632 infected web pages. Both results were recorded without enabling Google Safe Browsing.

Both figures are a big increase on 2013 when AV-TEST encountered 5,060 malware threats after examining 40 million web pages. All of the pages with malware threats found by AV-TEST were visited using the Google Safe Browsing tools. The results were less than impressive.

In 2015 the 18,280 pages with malware threats threw up Google warnings in just 555 of cases. In the year to August of 29,632 malware-tainted pages threw up 1,337 Google warnings. Links in tweets are infected at almost exactly the same rate of frequency as links filtered by Google. Graphs illustrating AV-TEST.org’s results can be found here.

Maik Morgenstern, chief technology officer at AV-TEST.org, explained that the dynamic content of the web means it sees different content from Google/Bing when accessing and scanning the site. This factor, together with the appearance of malicious ads, on previously clean websites goes some way in explaining the discrepancy.

"It could be the ads on the website that have been flagged as suspicious by us and that change every time you access the site," Morgenstern explained. "Or the website is delivering different content randomly or it does so by checking the user agent or location of the user.

"Also I do not know what the interval is that Google and Bing are scanning the sites for malware. There will always be a certain timeframe where malicious content could be on the site without Google/Bing knowing it, even if they were able to detect it. It is also possible that we flagged content as suspicious that is not considered suspicious by Google/Bing."