May 27th, 2009

The Web's most dangerous keywords to search for

Posted by Dancho Danchev @ 4:50 pm

Categories: Browsers, Hackers, Malware, McAfee, Research

Tags: Search Engine Optimization, Web, Cybercriminal, Keyword, Search, Marketing Research, Marketing, Dancho Danchev

Which is the most dangerous keyword to search for using public search engines these days? It’s “screensavers” with a maximum risk of 59.1 percent, according to McAfee’s recently released report “The Web’s Most Dangerous Search Terms“.

Upon searching for 2,658 unique popular keywords and phrases across 413,368 unique URLs, McAfee’s research concludes that lyrics and anything that includes ‘free” has the highest risk percentage of exposing users to malware and fraudulent web sites. The research further states that the category with the safest risk profile are health-related search terms.

Here are more findings:

• The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky
• The categories with the worst average risk profile were also lyrics sites (5.1%) and “free” sites (7.3%)
• The categories with the safest risk profile were health-related search terms and searches concerning the recent economic crisis. The maximum risk on a single page of queries on the economy was 3.5% and only 0.5% risky across all results. Similarly, even the worst page for health queries had just 4.0% risky sites and just 0.4% risk overall

This isn’t the first time McAfee is attempting to assess the risk percentage of particular search terms, as the company did similar studies in 2006 and 2007. And whereas the research attempts to raise awareness on malicious practices applied by cybercriminals, it also has the potential to leave a lot of people with a false feeling of security since it’s basically scratching the surface of a very dynamic problem.

With cybecriminals anticipating the dynamic nature of Web 2.0, they too, adapt dynamically to the changing environment. In the context of blackhat SEO, like true marketers they apply basic mass marketing keyword practices, which may get wrongly interpreted as the use of particular keywords only.

In reality, mass marketing from blackhat SEO perspective means a very diverse set of topics usually consisting of hundreds of thousands of syndicated news/video/blog titles aggregated over a recent period of time, all operated by the same group. Therefore, the search term “screensavers” or any related phrases is among the hundreds of thousands of others part of a single malware campaign.

In October, 2008, cybercriminals taking advantage of blackhat SEO for malicious purposes, started syndicating popular Google Trends keywords in real-time in order to occupy the top ten search results with hundreds of automatically registered Windows Live Spaces serving Zlob variants as fake codecs back then. This dynamic approach not only undermines any static lists of “most dangerous keywords to search for”, but also, tipped more cybercriminals on the basics of event-based blackhat SEO campaigns serving malware.

For instance, in an attempt to hijack the anticipated traffic of people searching for the Twitter XSS worm StalkDaily/Mikeyy, blackhat SEO campaigns using related keywords started appearing in public search engines serving scareware. At least that’s what appeared at the first place, since a much more in-depth research revealed that the Mikeyy keywords are part of a diverse blackhat SEO farm. The same Ukrainian group took advantage of the swine flu buzz and launched another blackhat SEO campaign earlier this month, again consisting of swine flu related keywords in between the diverse set of topics that they’ve generated on the hundreds of domains participating.

Furthermore, taking into consideration the fact that nowadays legitimate and compromised web sites serve more exploits and malware than the purely malicious ones (77% of Websites that carry malicious code are legitimate sites; Thousands of legitimate sites SQL injected to serve IE exploit; Over 1.5 million pages affected by the recent SQL injection attacks; Gumblar - approximately 17,000 compromised sites), a compromised web site’s index would undermine any such static lists of dangerous keywords to search for based on the diverse content that it’s providing.

So, which is the most dangerous keyword to search for on the Web? That’s a variable which cybercriminals play with at any moment.