Google, faux blogs, and security

Here’s an interesting little phenomenon. As with many Web phenomena, it may or may not be gone tomorrow or next month or whenever Google figures out how somebody’s gaming their system.

If you do a regular Google search on “fruiting bodies”, you return a standard set of legitimate sites.

Ditto if you do a Google blog search on “fruiting bodies”.

But if you do a Google blog search on “blogs about fruiting bodies”, you get this kind of stuff:
fruiting-bodies.jpg

Note the URLs (but I don’t recommend that you visit them). These are bogus blogs that automatically generate random content or hoover it off of other blogs/sites, and I would speculate that they exist either to collect pennies from Google ads or, more darkly, to deliver bad code (i.e. malware) to any unsuspecting soul who stumbles across them via search. (See note at end of this post.)

Note that they’re all Blogspot addresses. WordPress, from my own experience, puts pretty significant limitations on the type of HTML or other coding you can embed (when they’re hosting the blog). Which is why, for example, I can’t embed the Chess Publisher player in my posts to allow you to click through chess games move by move. Since I don’t use Blogspot, I can’t attest to their security controls or lack thereof. Maybe it’s just easier to automate the creation of these things on that platform.

Anyway, it’s interesting that regular searches on “fruiting bodies” weed this junk out, but the wording “blogs about …” on the blog search brings the chaff to the top.

Incidentally, if you’re unaware that your system can be infected simply by visiting a Website, do a little light reading on cross-site scripting. Or geek out with this post from Internet security guru Richard Bejtlich:

Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, “properly configured,” not running Javascript, or adopting any number of other current defensive strategies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.

Advertisements

One thought on “Google, faux blogs, and security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s