Skip to content

Has a Hacker Figured Out How to Hide Malicious Sites Inside Search Results?

At Shmoocon last year, a hacker told me that anytime someone creates a process to make a task more convenient, that process is the first place to look for vulnerabilities. We were talking about WiFi security at the time.

No laptop or smartphone user wants to enter a network key and a 13-character password for every network they want to connect with when traveling between work, home, and school, he said -- so technology to automatically connect devices to networks was created.

Now laptops constantly send out signals looking for familiar networks. All a hacker needed to do was build a device that would say, “Here I am. I’m that familiar network.” So he built one.

Websense threat researchers think a Chinese hacker may have found a way to exploit Google’s super convenientoptical character recognition (ORC) to make malicious urls more visible in Google search results.

Google Docs uses OCR to convert image files into editable text documents, optimizing them for search engine optimization. It’s often used to convert documents captured with hand scanners and smartphone apps.

Last year, a hacker in China known for targeting corporations registered the domain Thefake site is loaded with a Java exploit giving a remote user admin control of an infected network. The legit domain,, is actually a business that provides government satellite services.

Websense researchers easily found the exploit on the Web site, but they also found that the fake domain name was appearing in Google search results on FCC documents. Websense suspects that Google’s OCR function is confusing the 1 for and “l” so search results display the fake domain.

The problem is that “if a user searches Google and cuts/pastes an ‘official’ URL, they could be inadvertently led to the malware delivery site,”Websense said on its blog Tuesday.

“This may seem like an askew way to go about a waterhole attack, but It also shows a new way the bad guys are taking advantage of OCR to poison search results without detection,” said Websense spokesman Matthew Mors. “Google is actually verygood at getting malicious sites down … but this looks like a way [hackers] can poison search results and get around that.”

Websense says it can’t confirm that there is a problem in Google OCR, but if there is a flaw, “it is being exploited via a typo squatting technique to deliver an exploit. “

Hackers usetyposquatting in spearphishing attacks, but using it to trick search engines is relatively new.

Google’s security team didn’t immediately respond to questions about the possible vulnerability, but an employee familiar with Google's OCR function said it did look like an OCR error caused a "1" to be produced instead of an "l," however, there was no evidence it was done to intentionally exploit search results or OCR.

"It's far likelier that the person who registered the domain simply did so for common phishing purposes," he said.

screenshot byWebsense