Google, faux blogs, and security

Here’s an interesting little phenomenon. As with many Web phenomena, it may or may not be gone tomorrow or next month or whenever Google figures out how somebody’s gaming their system.

If you do a regular Google search on “fruiting bodies”, you return a standard set of legitimate sites.

Ditto if you do a Google blog search on “fruiting bodies”.

But if you do a Google blog search on “blogs about fruiting bodies”, you get this kind of stuff:
fruiting-bodies.jpg

Note the URLs (but I don’t recommend that you visit them). These are bogus blogs that automatically generate random content or hoover it off of other blogs/sites, and I would speculate that they exist either to collect pennies from Google ads or, more darkly, to deliver bad code (i.e. malware) to any unsuspecting soul who stumbles across them via search. (See note at end of this post.)

Note that they’re all Blogspot addresses. WordPress, from my own experience, puts pretty significant limitations on the type of HTML or other coding you can embed (when they’re hosting the blog). Which is why, for example, I can’t embed the Chess Publisher player in my posts to allow you to click through chess games move by move. Since I don’t use Blogspot, I can’t attest to their security controls or lack thereof. Maybe it’s just easier to automate the creation of these things on that platform.

Anyway, it’s interesting that regular searches on “fruiting bodies” weed this junk out, but the wording “blogs about …” on the blog search brings the chaff to the top.

Incidentally, if you’re unaware that your system can be infected simply by visiting a Website, do a little light reading on cross-site scripting. Or geek out with this post from Internet security guru Richard Bejtlich:

Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, “properly configured,” not running Javascript, or adopting any number of other current defensive strategies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.

Advertisements

One thought on “Google, faux blogs, and security

Comments are closed.