Indeed, according to Dennis Fisher, security evangelist at Kaspersky Lab, "as much as 1.5% of all search result pages on Google include links to at least one malware-distribution site." That finding comes from a presentation into Google's anti-malware operations, made by the company's Fabrice Jaubert at the recent SecTor conference in Toronto.
Attackers' latest Google-fooling technique has been to eliminate dedicated pages for serving malware. Instead, they poison -- aka inject malicious code directly into -- popular websites, typically in an iFrame, then use the websites to serve malware, said Fisher. As a result, said Google, it's getting more difficult to separate attack websites from popular websites that have been compromised using known vulnerabilities.
The problem, according to Google's Jaubert, is that attackers keep getting better. "It's a cat-and-mouse game, just like viruses and AV. We go and find bad pages and they get better at hiding them." Furthermore, he said, differentiating websites that were created to serve malware from ones "which have just been temporarily compromised" is getting much more difficult.
What Google didn't mention is the "what next?" step. Might Google reduce the search engine relevance of legitimate websites that it finds constantly serving malware, or even drop them from results? Because, to be honest, compromised websites typically result from companies failing to patch their servers and Web applications, allowing attackers to exploit known vulnerabilities.
According to The Sydney Morning Herald, Prescott Winter, former CTO of the NSA, recently fielded a similar idea for countries that harbor cybercriminals: shut them out of the Internet.
Delisting or lowering the rankings of malware-spewing websites would certainly be a wake-up call to businesses. Imagine receiving a letter from Google that says, "Secure your website, or we'll make you disappear." So, if today's widespread attacks aren't threatening enough to get businesses to secure their websites, is it time to try the threat of obscurity?