


London Olympics Search Results Lead to Objectionable Sites
Posted: 10 Aug 2012 05:58 PM

 

We’ve previously blogged about Olympic ticket scams, phishing, malware designed to propagate through social networking, and other Olympic security concerns.

 

We also know that hackers take advantage of people searching for breaking news and trending topics about the Olympics through various SEO poisoning techniques. When Georgian luger Nodar Kumaritashvili died in a tragic training accident just before the Vancouver Olympics in 2010, multiple malware pages quickly appeared in the top search results. Clicking these links led to pages that included pop-up warnings telling the user to click a button to view a video or to clean up computer problems. Of course, clicking led to malware attacks.

 

SEO poisoning remains a problem, but Google seems to have a better handle on it where searches related to the London Olympics are concerned, at least in English. When we started using Russian search terms, however, things deteriorated quickly. Using the Russian translation for "watch 2012 Olympics online", we did a Google search and clicked on the second item:

 

 

 

 

While the domain itself is correctly categorized as sports, it's clear some objectionable content is popping up in the ads:

 

 

 

In addition, clicking on the page redirects to various questionable places, including information on how to control men:

 

 

In another investigation, Websense® researchers analyzed Twitter traffic based on popular Olympics-related terms, events, and athletes starting two days before the Opening Ceremony through August 8th. Not surprisingly, traffic peaked on the day the Games opened, and three days later when Olympians Tom Daley, Michael Phelps, Ruta Meilutyte, and Maria Sharapova topped the Google trends.

 

 

Looking more closely at the data, we found that a handful of Twitter feeds from certain athletes and teams were posting shortened URLs which redirected to Objectionable or Security categories, including Malicious Web Sites and Malicious Embedded Link:

 

 

We took a sample set of 3600 of these, unshortened them, and analyzed the category breakdown:

 

 

Websense customers are protected from these threats by our Advanced Classification Engine™ (ACE). 

 

 


Elisabeth Olsen

Buyers beware—of Olympic scams
Posted: 01 Feb 2012 07:06 PM

Shady ticket deals for the 2012 London Olympics? Hardly surprising. But when the source is Google's famous AdWords advertising service, one of the internet giant's main sources of income, then a double take might be in order.

 

A BBC investigation found that a Google search for "olympic tickets" resulted in top-of-the-page placement of sponsored sites for vendors selling tickets without permission from Olympic authorities, which is a criminal offense in the U.K. under the London Olympic Games and Paralympic Games Act 2006.

 

Our research confirmed that the Google search shown below displays an AdWords link

 

 

 

that is not authorized to sell Olympic tickets according to the ticketing website checker on the official London Olympics website.

 

 

The prominent display of sponsored ads tends to confer on them a sense of legitimacy. Users may assume that Google has approved the businesses, or at least stands behind them in some way. But in response to a complaint from a would-be Olympic ticket purchaser, Google said, "While Google AdWords provides a platform for companies to advertise their services, we are not responsible for, nor are we able to monitor the actions of each company."

 

The inner workings of AdWords are complex and opaque. These qualities are essential, because if Google revealed its algorithms, for example, people could easily cheat their way to the top. While the automated system does take into account something called "Quality Score" and consumer ratings, it's clearly not foolproof. A filtering system flags certain keywords for manual review and removal if the ad is found to violate Google's policies, and users can also fill out an online complaint form. Due to the volume of ads, however, a questionable ad may be up for some time before it is reviewed.

 

Websense® researchers investigated some of the Olympic ticket scam sites. We found that most of them had multiple backlinks, suggesting they have been widely spammed over the internet in addition to being promoted via Google AdWords. A "backlink" is a hyperlink that links to a specific web page. Both legitimate web pages and spam URLs often try to set up as many backlinks as possible to drive traffic to their sites, and the number of backlinks a site has may affect its ranking in search engine results. Like the hyperlinks in this post, links can be used to provide additional context, information, or examples.

 

An examination of these backlinks confirmed that "birds of a [bad] feather flock together." One URL yielded 500 backlinking URLs in categories such as Adult Material, Gambling, Proxy Avoidance, Potentially Unwanted Software, Suspicious Embedded Links, and Malicious Embedded Links.

 

A set of 375 backlinks for another URL found that 104 (27.73%) included various kinds of objectionable content, including security risks (the remaining URLs either had no backlinks or had backlinks for legitimate sites such as News and Media, Business and Economy, and so on).  The breakdown for objectionable/security risk backlinks was as follows:

 

 

A closer look at just one of the backlinks tells us a lot about the dangers of allowing comments that are not moderated to be added to any site. In this case, a perfectly legitimate website for a church posted a video of a Sunday School Christmas play and invited viewers to comment:

 

 

Viewers and spammers did exactly that, adding links not only to the Olympic ticket scam we started with, but also to a variety of other completely unrelated businesses which may or may not be legitimate, including German gambling and phone sex sites and an Italian "escort" agency:

 

 

 

 

Defensio from Websense is one way to prevent spammers from posting such links on blogs and other social media, including Facebook pages. With this service, it's easy to block and manage comments, protecting you and your followers from comment spam, malware, and other threats embedded in user-generated content.

 

With Google searches as with everything else, do your own "due diligence" before making a transaction, even if the business is at the top of the page. In the case of London Olympics tickets, the official website includes the handy ticketing website checker that we used to determine if a URL is recognized as an authorized vendor. There's also a page about staying safe online, which includes a long list of known scams that will only get longer as the July 27 opening day approaches.

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.


RM

Online shops and robots.txt help to leak personal data
Posted: 26 Jul 2011 01:38 PM

Two major data leaks occurred in Russia over the past several days. Short Message Service (SMS) text messages and personal information about people who ordered goods from Russian and Ukrainian online shops (including sex shops) have been available for public viewing. Last week approximately 8000 private SMS messages sent from the Russian mobile network online service MegaFon were indexed by search engines.

The reasons for this breach? Human error. The robots.txt file was removed by mistake, and a search engine browser plug-in called Yandex.Bar, equivalent to the Google toolbar, sent individual page URLs to the search engine for indexing.

This is an example of poor site design combined with bad luck. Sites should not display pages that contain SMS details to a client other than the sender (by using cookies, for example).  In this case, site designers assumed that a unique URL was enough for security.  They were wrong. The search engine's browser plug-in transferred each unique URL directly to the search engine, and because they had removed robots.txt, the only blocking entity, the result was a flood of personal data.

 

Today we see another leak of personal information about online shoppers listed in the results of Yandex, Google, and other major search engines.

 

 

In today's case, robots.txt was again a problem, this time because the file was present but incorrectly configured. The file did not include instructions not to index pages with personal data. Publicly leaked information consists of buyers' names, product prices, IP addresses, and buyers' home/delivery addresses.
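The two robots.txt failures described in this post (file missing, file present but silent about personal-data pages) can be caught with a simple audit. The following is an added example, not code from the original post or from any vendor named in it; the path prefixes, crawler names and sample files are assumptions constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Hypothetical URL prefixes under which a shop serves personal data (assumed).
SENSITIVE_PATHS = ["/order/status/", "/sms/view/"]
# Crawler user-agent tokens to evaluate the rules for.
CRAWLERS = ["Googlebot", "Yandex"]


def exposed_paths(robots_txt, paths=SENSITIVE_PATHS, crawlers=CRAWLERS):
    """Map each crawler to the sensitive prefixes robots.txt still lets it fetch.

    An empty string models a deleted robots.txt: with no rules, everything
    is allowed. An empty result means every prefix is disallowed for every
    crawler checked.
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    report = {}
    for agent in crawlers:
        # Append a token so the test URL looks like a real per-customer page.
        allowed = [p for p in paths if parser.can_fetch(agent, p + "sample-token")]
        if allowed:
            report[agent] = allowed
    return report


# Constructed sample files, one per failure mode.
MISSING = ""  # file removed by mistake
MISCONFIGURED = "User-agent: *\nDisallow: /admin/\nDisallow: /cart/\n"
ONE_CRAWLER_ONLY = (
    "User-agent: Googlebot\nDisallow: /order/status/\nDisallow: /sms/view/\n"
)
CORRECTED = (
    "User-agent: *\nDisallow: /admin/\nDisallow: /cart/\n"
    "Disallow: /order/status/\nDisallow: /sms/view/\n"
)

if __name__ == "__main__":
    for name in ("MISSING", "MISCONFIGURED", "ONE_CRAWLER_ONLY", "CORRECTED"):
        print(name, exposed_paths(globals()[name]))
```

A clean report only means compliant crawlers will stay away; robots.txt is advisory and does not stop anyone who has the URL from loading the page.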

 

 

According to Digit.ru, a company called webAsyst developed the software for creating the online shops. Company representatives explained that after a buyer purchases a product from an online shop, the shop emails the buyer a link to a purchase-status page on a web site that is not password protected. As a result, those pages were indexed by search engines.

 

As a result of this leak, the Russian search engine Yandex has asked web site administrators to review information about robots.txt files and how to use them, so this type of incident does not happen in the future. Leaked information was still visible at the time of writing this blog.

 

Websense recommends protecting private customer data by encrypting it or password protecting any web site that contains personal data so search engine robots cannot index the information.
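The difference between "a unique URL is enough" and a page tied to the customer's session is shown below as an added example; it is not code from webAsyst, MegaFon or the original post. The order record, session table and function names are constructed, and the response is modelled as a `(status, headers, body)` tuple rather than a real web framework.

```python
# Constructed sample data: order id -> record, session cookie value -> customer.
ORDERS = {"7f3a9c": {"owner": "cust-1", "body": "Order 7f3a9c: shipped to <address>"}}
SESSIONS = {"sess-aaa": "cust-1", "sess-bbb": "cust-2"}

# Headers that tell crawlers, caches and outbound links to keep the page private.
PRIVATE_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow, noarchive",
    "Cache-Control": "no-store",
    "Referrer-Policy": "no-referrer",
}


def status_page_url_only(order_id):
    """Design described in the post: knowing the URL is the only check."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {}, "not found"
    # Anyone, including a search engine crawler, gets the personal data.
    return 200, {}, order["body"]


def status_page_hardened(order_id, session_id):
    """Serve the page only to the logged-in customer who owns the order."""
    customer = SESSIONS.get(session_id) if session_id else None
    if customer is None:
        # No valid session cookie: crawlers and toolbar-submitted URLs stop here.
        return 401, dict(PRIVATE_HEADERS), "login required"
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != customer:
        # Same answer for "no such order" and "not your order", so the
        # response does not confirm which order ids exist.
        return 404, dict(PRIVATE_HEADERS), "not found"
    return 200, dict(PRIVATE_HEADERS), order["body"]


if __name__ == "__main__":
    print(status_page_url_only("7f3a9c")[0])              # crawler, no cookie
    print(status_page_hardened("7f3a9c", None)[0])        # crawler, no cookie
    print(status_page_hardened("7f3a9c", "sess-bbb")[0])  # another customer
    print(status_page_hardened("7f3a9c", "sess-aaa")[0])  # the owner
```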

 

Thanks to Petr Savich for help in writing this blog.


Artem Gololobov

Instant Exploits?
Posted: 14 Jun 2011 12:02 PM

Earlier today, Google announced a number of new technologies as part of their Google Inside Search Launch (http://www.google.com/insidesearch/). One of the more interesting is their idea to speed up the Web with something called "Instant Pages." The basic idea is that they are taking their ability to correctly guess what a user is going to search on, and pre-loading the content from the origin server onto your local machine. Apparently, this only works with the Chrome browser.

 

This leads to some interesting exploit scenarios. In the past, search algorithms have been duped to have malicious pages show up in results. In those cases, although they are dangerous, the user still has to click on one of the top results to get infected. In the new scenario, the big question is if a user can be exploited by simply searching, without even clicking on a link.

 

In slightly related news, Google also announced voice recognition to search. It will be interesting to see how/if the rogue AV camps will also be utilizing this to their advantage in the future.

 


Anonymous
