One in 25 Search Results Risky

Ant writes "According to Ars Technica, security researcher Ben Edelman revisited his May 2006 report on the relative risk of search engine results. In the original report, Edelman found that 5 percent of the results provided by search engines were marked as either "red" or "yellow" by SiteAdvisor, indicating that they presented some risk to the user. Now, Edelman says that his new study has shown that only 4.4 percent of such sites are risky, representing a drop of 12 percent since May... ... The study found that not only can regular links found by search engines be dangerous, the sponsored links that appear in prominent positions in the results pages can also be harmful. In fact, in the May study, sponsored links were more than twice as likely to be linked to malware than non-sponsored links (8.5 vs. 3.1 percent)."

firefox..

[joeldg]

just more reasons to use firefox..

IE7 is going to make a lot of scammers and malware guys happy

Re:firefox..

[jimfulton]

While using Firefox may reduce the number of browser holes that can be exploited (or at least shift them around, particularly when you factor in extensions), it's still easy to get trashed.

Attackers are finding that it's easier to attack apps that are used with common file formats (Word doc, Excel spreadsheet, PDF, video, etc.) than to try to compromise the browser. Combine that with new morphing-code toolkits and pretty much anybody who wants to can create stuff that gets past any signature- or behavior-based defenses.

That's why virtualization is starting to be talked about in the mainstream (Gartner, press, etc.) as an alternative to the nonsensical choice of (a) "don't open anything, anywhere" and (b) "hope-as-a-strategy" (hope that you don't hit anything).

Re:firefox..

[Killall+-9+Bash]

Virtualization as a security measure is nonsense. You'll just have multiple instances of malware infected windows running on your box.

In related news...

[porkThreeWays]

1 in 25 search queries is for bukkake. It's no wonder =P

Seen that here too.

[goldspider]

Back when the Goatse and Tubgirl landmines were all the rage. And it was FAR more than 1/25!! I'm still using eyebleach!

Re:Seen that here too.

[Pinkfud]

Heh, I set my share of those landmines myself. Those were the days! It was also quite funny (for the evil-doer at least) to make a pair of popups that called each other. Pop-pop-pop-pop....

Actual study link

[Lord+Grey]

The actual study appears to be here.

Re:Actual study link

that would have been so much funnier if it were actually a link to goatse or tubgirl.. heh

Risky?

Like stumbling onto transvestites performing a Monroe Transfer?

Re:Risky?

What is a Monroe Transfer (and is it dangerous to google for)?

Re:Risky?

You can check it on urbandictionary.com... but you better not. It's really disgusting.

Typo

[tezeti]

"12 percent since May..."

I think this is supposed to say "1.2 percent"

Re:Typo

[RISTMO]

4.4% is 88% of 5%, hence a 12% drop.

Re:Typo

[techpawn]

79% of the statistics are just made up on the spot...

Re:Typo

[forrestt]

It wasn't a typo, the poster has no concept of the English language. He meant to say, "a 12 percent drop" not "a drop of 12 percent".

4.4/5 = .88 = 1.00 - .12

A drop of 12 percent would mean we now have -7 percent of something which isn't possible.

Re:Typo

[just_another_sean]

Exactly. 82% of the population knows that.

Re:Typo

What English language do you speak? Whatever it is, it doesn't correspond with the language I speak (I'm a native English speaker), nor the language of ANYONE I have ever met in my ENTIRE LIFE (conservatively 50% of the people I talk to regularly are native English speakers). Are you confusing "a drop of 12 percent" with "a drop of 12 percentage points" perhaps?

Re:Typo

This guy is a moron, clearly. There is no difference between "a drop of 12 percent" and "a 12 percent drop". The difference he's attempting to describe has nothing to do with the English language, and has only to do with the "x" in "a drop of 12 percent of x".

Surprise, surprise...

In fact, in the May study, sponsored links were more than twice as likely to be linked to malware than non-sponsored links (8.5 vs. 3.1 percent)."

Is anyone actually surprised by this? I could have told you that with no study whatsoever.

google is the culprit..

ok, why doesnt google just notify the user of these yellow, red, (ie. government type terrorism alert colors) on top of each search result returned from a query. Based on these studies they (google) should be able to use the same algorithms the researches used to achive the same conclusion about unsafe sites.

Or does google happen like all of these link farms, more advertisements and clicking = more profit for google? or id googles search algorithm to , shall i say, stupid? to distinguish the good guys (sites) from the bad...

Re:google is the culprit..

[just_another_sean]

I don't really want to argue one way or the other whether it is google's responsibility to do what you suggest but think of it from a logistics standpoint. Essentially your asking them to get into the AntiSpyware/AntiVirus game. They would need to setup a database of malware signatures, keep it up to date and then deal with the flack from users when they happen to miss something. Not to mention the whole "We're suing you for calling us spyware!" from the companies that deal in borderline, questionable software. I'm sure they would come out of the woodwork to sue someone with pockets like google's.

If anyone has the resources to do something like this on a massive scale it's Google; but I can understand why they don't. To me this is akin to the argument that ISPs should cut off users with obviously infected boxes. Hell, ISPs could block sites using the same method you want Google to employ. Sure it would be helpful to the public at large but dealing with the customer service issues and false positives would be a real headache! Try explaining to Aunt Tillie why she can't get to knitting.com anymore because there is a trojan on her box spamming thousands of people everyday.

Re:google is the culprit..

They would need to setup a database of malware signatures, keep it up to date and then deal with the flack from users when they happen to miss something. Not to mention the whole "We're suing you for calling us spyware!"

No they would'nt. All they would need is a small honeynet to detect this and flag legitimate sites installing spyware. Trust me, they have more than enough resources to do that no problem.

As far as the sueing thing goes. People on search engines have NO legal grounds to sue google, period. See this article for an example. Unless you are paying for sponsored results, which spyware sites do not pay for because it is not legal, you have no right to even be on google. Yes it sounds corny but it is a privlidge to get ranked. I am sorry but lawsuits are not holding google back from stepping up to the plate, see http://www.youtube.com for example, and the legal hell that they probably play there. Aunt Tillie would be greatful if she had more resources to guide her to safe sites..

Re:google is the culprit..

[Aladrin]

It'd become an arms race. Malware sites would simply rework their site until Google no longer listed them as malware, then do it again when Google figures out their new tactic.

Nobody would be helped (especially not the 99% of users that would click anyhow) and Google would spend a lot of money for nothing.

Re:google is the culprit..

[GeffDE]

Well, I mean, google does do something like it...

If you perform a risky search (My best shot was "vista serial crack") and then click on a shady link...google will send you to this page before allowing you to proceed onto your destination.

Re:google is the culprit..

[Eternauta3k]

I once searched for some serial and google warned me it was a dangerous site.

Re:google is the culprit..

[dynamo52]

ok, why doesnt google just notify the user of these yellow, red, (ie. government type terrorism alert colors) on top of each search result returned from a query. Based on these studies they (google) should be able to use the same algorithms the researches used to achive the same conclusion about unsafe sites.

You can get the siteadvisor extension for Firefox. It does exactly that and also notifies you if you browse there through other means.

Re:google is the culprit..

[Firehed]

Good PR isn't nothing.

Re:google is the culprit..

[Crazyscottie]

Either that, or they'd sue Google.

"It's not 'malware,' it's 'personalized marketing.'"

Re:google is the culprit..

[kalleguld]

But the problem is, if you know enough about computers to install firefox and the siteadvisor plugin then you don't need it (that much).
Joe sixpack on the other hand would never use anything but IE and google, so one of these two things must change. And google is by far the easiest one of them to keep updated.

I'm green on SiteAdvertiser press releases.

This article seems kind of a press release news story about slight advisor. After looking at them
and the ratings I am not sure they are real useful.

Spam ratings, download ratings, pop up ratings.... feh, not so useful. Spam I filter anyway,
downloads I am careful of and check on the adaware/spybot/etc, popups I block, what
are they doing?

At least the price is right.

Additional risks aren't mentioned...

[RISTMO]

Such as XSS attacks. If Google caches a page with XSS in the url (and it has done so in the past), the attack, which is simply JavaScript and not detectable by most antivirus software, can run in the background, retrieving information about the user or even opening up holes to later take over the user's computer.

On the internet...

[Bromskloss]

...anyone asking you to give them all your money is considered risky.

Re:On the internet...

[just_another_sean]

In New York that's called a mugging.

shutting down malware, virus, spam sites . . . . .

[DaMattster]

When a company is allowed to continue doing business after being caught several times with its hand in the malware cookie jar and gets nothing more than a slap on the wrist, there becomes no incentive to cease malware/spyware behavior. This is an enforcement issue and enforcement is not good enough. I'll bet if you label malware as a form of terrorism . . . . Well, on second thought don't do that, too many innocents would get caught up in the dragnet.

Risky to what?

Only risky if you are foolish enough to run a Microsoft operating system. Nobody else (presumably many at /.) has to worry.

Troll

[D3m0n0fTh3Fall]

How did you decide that only IE is vulnerable to the "risky" results that one might find by following these links ? Plenty of these sites will be camouflaged as "free screen savers" "free virus scanners" or "free music downloads". IE won't save people from being stupid and downloading software install packages from untrustworthy sources.

Re:Troll

Your right, but only if they are running a Microsoft operating system. Other OS's are nominally free of such risk.

Re:Troll

[vertinox]

How did you decide that only IE is vulnerable to the "risky" results that one might find by following these links?

Because IE 7 runs only on Windows.

Hence, it can be assumed that if you can run IE 7 then perhaps there are security problems involved.

If you run OS X or Linux, you can be assured that chances are those links are fairly safe as far as browser hacks and probability that someone decided to make a hack that affects both Firefox and Linux or Mac combination.

And yes I'm being a bit facetiously, but the grandparent isn't much as a troll but speaking a bit over zealously. Chances IE7 will have more problems than Firefox on any system because of its integration into the OS. Vista handles this a bit better than earlier operating systems, but it still has issues.

Re:Troll

[GIL_Dude]

That's not really true. It's just a matter of how many people are available running the OS and how much time it is worth to the malware artist. After all, it doesn't matter what OS you are running; there are always foolish people who are willing to click anything and hand out the root password when it is asked for. It's true that informed, security conscious folks won't give the password. It's also true that most people running Linux these days are informed and security conscious, however that has really been more of a legacy coming from the fact that you had to be pretty informed and a decent techie to even know that Linux existed and to know why you wanted it and spend time installing it. (Note I didn't say "it is hard to install" because we all know it isn't anymore even if many people still think that it is). Anyway, as OSX and Linux get more users and they tend to be less technical folks these types of problems can hit them too. Non-techies are really easy to social-engineer sometimes.

Re:Troll

The "It's not common enough" myth is a fallacy and has been debunked endlessly. The fact is OSX and the various *nix's are fundamentally more secure. Even if a stupid Apple user was to run the malicious software, there are basic protections in the OS that will prevent catastrophic damage. Not so with Windows of any version, though Vista may be a step in the right direction (finally).

Re:Troll

[TheSeer2]

Examples of the fallacy? I don't dispute they exist but without providing even one example you'll find that a lot of people will probably think you're lying.

Re:Troll

[joeldg]

yes.. overzealous..

every time I see a windows machine just crawling, it is loaded with spyware in IE
I have seen it way too many times.

in firefox you have extension makers who do things like rewriting amazon links, and a few others, but due to the nature of those they are fairly easy to disable.

not to mention, you can build a site with firefox on linux (which I use) or OSX (what the rest of the office uses) and it is great, then you test it on IE and find out that IE has some idiocy coded in to not be standards compliant and then you have code around it (the four or five year old z-index combo box bug is STILL around...)

anyway..

Re:Troll

The prior poster didn't provide proof that *nix and OSX are less vulnerable because they are less popular, so do that first.

Then, google for "less popular virus myth" and you'll see all the examples you'll need.

Re:Troll

[Beryllium+Sphere(tm)]

>Chances IE7 will have more problems than Firefox on any system because of its integration into the OS.

It has terrible ancestry, but if the sandboxing works there should be fewer problems.

All browsers should be sandboxed: a huge complex program that takes massive amounts of untrusted input from multiple unknown sources, some of it guaranteed to be malicious?

SiteAdvisor = form spammer

SiteAdvisor is annoying. They have their bot visit your website and fill in forms with junk to see whether or not you will spam the email address they supply. They keep hitting the price request form on my company's website, so a salesperson ends up calling the phone number they supply (always goes to voicemail) to try to help someone that isnt' real. Why does McAfee think it's OK to spam me to see whether or not I'll spam them back?

Re:SiteAdvisor = form spammer

Can't you whitelist and blacklist bots? The main search engine bots are known, just whitelist those and reject all the others, send them to a tarpit.

Re:SiteAdvisor = form spammer

You could if they identified themselves as bots, but they try to make it look like they are human -- if they didn't, people who were collecting email addresses for spamming could just handle the email addresses from the bots differently from those of regular site users. They use user-agent strings that claim to be IE6, instead of a bot. They come from all sorts of different IP addresses tracing to different countries. They change the email addresses, phone numbers, and names that they fill into the form from time to time. After you've seen it several times, you will notice some commonalities so that you can code your form to reject them (I won't give details here, or they might make changes to avoid detection).

And, if you are wondering, yes I am certain that it was really SiteAdvisor -- their report for my website shows enough info for me to trace it back to their bogus price-inquiry form submission.

Hmmm...

[jense]

Adds a whole new dimension to Google's "I'm Feeling Lucky" button.

1 in 25...

[Thad+Boyd]

...is not 5%.

Re:1 in 25...

[CByrd17]

True, but that was the number from the original study. 1/25 is 4% which is in line with the 4.4% referenced.

Trust

[Joebert]

In fact, in the May study, sponsored links were more than twice as likely to be linked to malware than non-sponsored links

Well, if this search engine places this site in this special spot, it must mean that this site is trustworthy.

They payed to be in that spot ?

Well, if they're able to pay for that spot, they must be trustworthy.

What do you mean where did they get the money to pay for that spot ?
How should I know ?

Re:shutting down malware, virus, spam sites . . .

[Vreejack]

Slap on the wrist? There should be so much justice.

My solution is to use a custom hosts file. http://www.mvps.org/winhelp2002/hosts.htm publishes a nice one. Whenever I click on a lick in a web search list and I immediately get a "link not found" then I can pretty sure I didn't really want to go there in the first place. A lot of advertisements show up as "404's" as well.

SiteAdvisor and Google

[PeterAitch]

This may be stating the obvious (and for once I'm not being ironic) but if you happen to run SiteAdvisor (as I do) and do a Google search, the relevant ratings come up as an integral part of the search results.

So, perhaps the question others have asked should be re-stated as "Why don't Google offer a site advisory service as part of their engine?" Perhaps because third-parties do so already? Google is, after all, primarily a search engine, albeit a distorted one due to proliferating sponsored links. OK, it can be argued that an advisory service would only be an extension of the filtering they already offer as an option for their searches, but surely users must ultimately bear SOME responsibility for what they do online. The less tech-savvy home users (plus the rest of us!) would be well-advised to invest in some dedicated security software which will do the job regardless. The workplace should already be covered - some of you reading this will doubtless be involved in that aspect.

Micro$oft have finally jumped in here (then again, they are now charging $STUPID for an insanely showy OS, aka bloatware, plus bells and whistles) but it doesn't mean that Google et al. are obliged to follow suit. Firefox? - all kudos to them, but ultimately it's something which should help get their browser out there.

Just one long-time user's view.

elementary science education for all?

[l2718]

Sorry, but I am detecting crap. The process of measuring something in real life has inheret errors built into it. I doubt Dr. Edelman can measure the fraction of dangerous search results so accurately so that decimal digits have any meaning. Given that his methodology is to perform particular searches, for example, it's not obvious that his search pattern exactly represents that of a typical user, that his definition of a dangerous site is accurate, or how big are the fluctuations in search result placement in the search engines. Actually, I doubt you can even define the parameter he's measuring accurately enough for the difference between 4.4% and 5% to make sense. Very telling is that at not point does the study bother to address the error bars of the methodology. This indicates that no-one has any idea what the results actually mean, and that we should treat them with grave suspicion.

Specifically, the implicit claim in the article that the difference between 4.4% and 5% is statistically significant is bougs. The real byline is "fraction of dangerous websites remains unchanged". The two numbers are clearly equal within any reasonable error of measurement. Note that Dr. Edelman's study does not actually make this comparison.

Re:elementary science education for all?

[l2718]

For another example why error bars matter, think back to the Florida Elections Debacle of 2000. Essentially, the errors inherent in the elections process were much greater than the effect that the balloting was supposed to measure, rendering the entire results meaningless. Of course, someone had to be declared a winner so as a matter of legal fiction, Mr. Bush was (rightfully, I suspect) declared to have carried the state. However, it is meaningless to talk about who really won the election -- the difference between the number of votes garnered by the two main candidates was much finer than our ability to measure who got more votes. The main sources of error are:

Disagreement about how to read ballots in principle [with chads? without chads?]

Errors in the human interpretation of actual ballots according to whatever definition we settle on. If the real goal is to measure the voter intent as it putatively existed in the minds of the voters, we also have to consider:

Errors by the human casting the ballot.

Riskiness of my searches

[CmdrPorno]

If I type in "hirusite hermaphrodite midget donkey porn" and click "I'm feeling lucky," I wonder what the risk of the linked results will be...

Re:Riskiness of my searches

[flyingfsck]

Wow, dude - I pasted that into Google and got one hit! Amazing...

Re:Riskiness of my searches

[Reziac]

So, it appears the odds are... 100% :)

Uh oh

[Sir_Lewk]

I would RTFA, but it might be risky...

"Risk" is bogus (was: Re:shutting down malware...

[quentin_quayle]

You shouldn't have to avoid sites entirely because of the kind of so-called "risk" that Edelman refers to.

Just ask, what does this "risk" consist of, exactly? If you read Edelman's articles carefully, or watch his videos, you'll find that the supposed hazards always involve (a) clicking "OK" when a page offers to download or run some software (b) using a browser with ActiveX, VBScript, Java or other random-code-execution turned on or (c) some combination - plus using a root account.

If your software is patched up to date and configured properly, and you know what you're doing and follow safe practices, there's no reason to ever fear any web page. The only vulnerability in that case is a remotely-exploitable, unpatched browser flaw that you don't know about or can't work around (0-day) and those are very rare on Mozilla browsers.

Risky to who?

[flyingfsck]

I can browse the net all day long with Linux and not encounter any risky stuff, except for a few Goatse type images...

The risk is not bogus

[bedelman]

I emphatically disagree. I've written plenty about security exploits, where users need not click "yes" (or anything else), nor need ActiveX, VBS, or any other such thing. Details.

In any event, the piece at issue in the original post considers many kinds of risks -- not just exploits, but also run-of-the-mill scams, like "free" ringtones that aren't. You may not regard such sites as "risky" or harmful, but there are plenty of others who do, because they don't like the prospect of being ripped off.

Re:The risk is not bogus

[quentin_quayle]

I haven't examined everything on that page, but most of it reinforces my point. Most of the exploits fall in one of the categories:

* User installs some software and it turns out to be trojaned, or different than it purported to be in some way that's undesirable to the user.

* Exploits that rely on user having ActiveX enabled (with or without confirmation, warnings etc.)

* Exploits that rely on unpatched defects in other (non-browser) applications such as Windows Media Player initiating network connections.

* Zero-day vulnerabilities such as WMF before it was patched, which I specifically excluded from my statement, and which are rare as I stated.

There have hardly ever been any "true drive-by infections" meaning that the user gets them without actively downloading and running executables and without ActiveX/IE. Maybe there are some on the linked page but they are so outnumbered by the user-initiated examples, I could not find one before writing this.

I agree that there are risks for the typical user which are not risks for the knowledgable user, such as misrepresentation of software and other products. Your work is valuable in protecting typical users who leave the default settings. My point was only that they are not true drive-by risks such that a techie user has to avoid certain sites - instead they are almost all avoidable by good configuration, smart practices and patching up to date.

Um

[WCD_Thor]

Why is this news worthy? Seriously, if you haven't realized that the sponsored links are full of shit by now, just go shoot your self, it would be doing yourself and the world a favor.

hmmm....little math problem there

[ILuvRamen]

Edelman found that 5 percent of the results provided by search engines were marked as either "red" or "yellow"...his new study has shown that only 4.4 percent of such sites are risky, representing a drop of 12 percent

well now you just know that the statistics are accurate with math like that. Seriously, that makes less than no sense. Sounds like they just made up some stuff to advertise SiteAdvisor.

Re:hmmm....little math problem there

5.0% - 4.4% = 0.6%

0.6%/5.0% = 0.12 = 12%

Wikipedia: bad shopping experience

[matt+me]

Now which of siteadvisor and Wikipedia would you say is more accurate?

You get what you asked for

[mapkinase]

Arstechnica article says:

Edelman used the tool to run 2,500 popular keywords through several search engines

(1) That means that many of the sites you find by typing "sex", "porn" or "Brittney Spears" are dangerous. "Thank you!"

(2) I would appreaciate a study that will show me how dangerous are the searches that are useful to me, that is searches not for the popular keywords, but, in opposite, on words and phrases that represent some notions, phenomena, concepts that I do not know.

(3) How the presented statistics differ by the category? For example, I would like to see separate results for searches categorized under "Entertainment" and "Science".