Searching For a Cure to Web Malware
by Eldar Tuvey - ScanSafe CEO - Tuesday, 13 November 2007.
Nine out of ten new web sites visited are found through Internet searches. In fact, web search has become an essential part of doing business online, with more than 80 per cent of Internet users keying a company name into a search engine even if they know the company’s web address. There’s no denying it: “Googling”, or using any search engine for that matter, is as frequent an occurrence in offices as getting a cup of tea. But as use of search increases, so does the incidence of web-based malware. Hackers are exploiting vulnerabilities in web browsers as they catch up with the latest online behavioural and communication trends.

Analysis from the ScanSafe Security Threat Alert Team, which monitors web-based malware, shows that one-in-five Internet search results contain malware or offensive and illegal content. Offensive content represents the greatest risk, accounting for 80 per cent of total search blocks.

Search engines have increasingly become a gateway for exposing businesses to security risks, such as Trojans, spyware, and keyloggers. Unsuspecting web users can be exposed to such malware from a wide range of web sites—including legitimate sites that have been compromised to unwittingly host malware. This malware can easily install itself on the corporate network and severely disrupt business operations.


Although search is an essential tool in the workplace, ignoring secure web searching can make it the Achilles' heel of corporate web filtering policies and expose companies to security breaches, information leakage and legal issues. One way malware exploits search engines is through ‘spamdexing’. Compromised sites are appended with hidden text containing keywords and links to other (typically compromised) sites which host exploit code. This increases the ranking of the exploit site in search engines, so when users search on those particular keywords, the exploit site is returned prominently in the results. Those who click through to the site will typically become victims of so-called ‘drive-by-downloads’ of malware. The Zhelatin family of malware, commonly referred to as the ‘Storm worm’, has been discovered using this technique to foist new variants of the malware onto victims’ computers.

In another Storm-related incident, Zhelatin-infected bloggers inadvertently posted Zhelatin spam with malicious links to their blogs. This occurred because these bloggers had configured their blogs to automatically post content sent to a particular address. When the Zhelatin mass-spamming component activated, it sent the spam to the blog address as well. Other malware, such as the Trojan MeSpam, appends malicious links to Web 2.0 related activities, such as blog comments, forum posts, and webmail. Of course, search engines crawling these sites will include the miscreant posts in their search results, thus further exposing users.

Copyright 1998-2013 by Help Net Security.