Two unrelated stories have caught the imagination in recent days, both presenting a stark warning as to the risks in what you type into your Google search bar. Safe browsing is becoming ever more critical, as seen with Google’s new AI-powered security update coming to Chrome. But some of the dangers will surprise you.
First let’s deal with a serious cyber threat caught by the security team at Sophos, which warned last week that “the internet is full of cats—and in this case, malware-delivering fake cat websites used for very targeted search engine optimization.”
It turns out that the latest trick to lure users into installing malware relies on niche search terms to push malicious links at the people who run those searches. This so-called SEO poisoning needs fairly specialist terms, otherwise it could not command the top-of-the-page results. “In this case,” Sophos says, “we found the GootLoader actors using search results for information about a particular cat and a particular geography being used to deliver the payload: Are Bengal Cats legal in Australia?” Is that niche enough for you?
“Our investigation,” the team reports, “revealed the threat actor was using SEO poisoning through an easily accessed online forum found via a simple Google search, initiated by the user for ‘Do you need a license to own a Bengal cat in Australia’… Immediately after the user clicks the link, a suspicious .zip file was downloaded to C:\Users\<Username>\Downloads\Are_bengal_cats_legal_in_australia_33924.zip onto the victim’s machine, and the user’s browser was directed to the URL hxxps:[//]www[.]chanderbhushan[.]com/doc[.]php.”
Suffice to say, opening this compromised forum post would download a malicious ZIP-archive payload that would start the staged installation of dangerous malware. “Once used exclusively by the cybercriminals behind REvil ransomware and the Gootkit banking trojan,” GootLoader, Sophos warns, has now “evolved into an initial access as a service platform—with Gootkit providing information stealing capabilities as well as the capability to deploy post-exploitation tools and ransomware.”
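The filename in the Sophos write-up (the search phrase joined by underscores, a numeric suffix, and a .zip extension) is itself a usable detection hook. The following Python is an added example, not Sophos’s tooling: it scans a constructed download log for that naming pattern and returns the matching entries. The log format, the field names and the assumption that other GootLoader lures follow the same naming are assumptions for the example, not facts from the report.

```python
"""Flag ZIP downloads named like the GootLoader lure described above:
<search_phrase_with_underscores>_<digits>.zip

Added example. The log layout below is constructed for illustration;
the naming rule is generalized from the single filename in the report
(assumption: other lures follow the same shape)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample download log: "timestamp | user | referer | saved path"
SAMPLE_LOG = """\
2024-11-06T09:14:02Z | jdoe | https://www.google.com/search?q=bengal+cat+license | C:\\Users\\jdoe\\Downloads\\Are_bengal_cats_legal_in_australia_33924.zip
2024-11-06T09:20:11Z | jdoe | https://intranet.example/reports | C:\\Users\\jdoe\\Downloads\\q3_report.pdf
2024-11-06T10:02:45Z | asmith | https://forum.example/thread/123 | C:\\Users\\asmith\\Downloads\\photos.zip
2024-11-06T10:31:09Z | asmith | https://forum.example/thread/456 | C:\\Users\\asmith\\Downloads\\Do_you_need_a_license_to_own_a_bengal_cat_in_australia_41872.zip
"""

# Basename made of four or more underscore-joined words, then _<3+ digits>.zip
SEARCH_PHRASE_ZIP = re.compile(r"^(?:[A-Za-z]+_){3,}[A-Za-z]+_\d{3,}\.zip$", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    user: str
    referer: str
    filename: str


def basename(path: str) -> str:
    """Return the last path component for Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1]


def looks_like_seo_poison_zip(path: str) -> bool:
    """True when the saved file is named like a search phrase plus numeric suffix."""
    return SEARCH_PHRASE_ZIP.match(basename(path)) is not None


def scan_log(text: str) -> list[Finding]:
    """Parse the pipe-separated log and return every download matching the pattern."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the scan
        ts, user, referer, path = parts
        if looks_like_seo_poison_zip(path):
            findings.append(Finding(ts, user, referer, basename(path)))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} downloaded {f.filename} via {f.referer}")
```

The regex is deliberately narrow: ordinary archives such as `photos.zip` or `q3_report.pdf` pass through untouched, while the two search-phrase filenames are reported together with the referer that led to them, which is the detail an analyst needs to trace the lure page.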
Clearly if you have an interest in Bengal cats and you live in Australia, then you’ll need to be extra careful. I’m not sure if they’re legal in the country, and I don’t plan to Google to find out. I’ll leave you to do your own non-Google research. For everyone else, bear this attack in mind. If your search is particularly niche, you may be more susceptible to malicious links in the results than you would be with a more generic hunt.
The fundamentals don’t change though—be wary of links and installs. Usually this applies most to socially engineered attacks via social media, email or messaging platforms. This just adds search results into that heady mix.
The second “be careful what you Google” story is very different. Just a few days before the Sophos report was published, a story appeared in several media outlets, warning that “a woman has revealed the four words you should avoid Googling to ensure the police do not pay an unexpected visit to your house.”
As reported, a couple in Long Island “were browsing for everyday household items” when they inadvertently entered just the right combination to trigger a terrorism profiling flag, prompting law enforcement to pay them a visit. “So, if you don’t want police to show up at your door, don’t search the four words – ‘pressure cooker bomb’ along with the word ‘backpack’.”
The story was a little stretched, given that this wasn’t a direct flag from an all-seeing computer system in DC analyzing Google searches; it was in fact the IT department at the husband’s employer that flagged the search and reported it to the local police. This was back in 2013, with the Boston Marathon bombing fresh in people’s minds. “Following the couple’s unintentional internet search, several black SUVs pulled up at the couple’s house to ensure they were not a terrorist threat.”
While the story has captured the imagination, it’s not the searches that will catch you out but the content returned by those searches. Accessing websites and links flagged as dangerous is more likely to see your browsing behaviour traced back to you than a search itself. That said, if you fall foul of law enforcement, then a review of the search history on your devices or linked to your accounts is almost certain.
As per The Hill, “the search history of Thomas Matthew Crooks, identified as the 20-year-old gunman who attempted to assassinate former President Trump at a rally outside Pittsburgh last weekend, includes photos of Trump and President Biden, among other things. Crooks, who was killed after opening fire at the campaign event, had searched dates of Trump’s appearances and the upcoming Democratic National Convention, FBI officials told members of Congress.”
Unless you’re exceptionally careful with clean devices and no account logins, especially not a Google account login, and you use a VPN or even connect from a location unconnected to you, internet activity has a habit of coming back to bite. And that’s before the inevitable new threats from AI search engines start to appear.