Spamdexing Surges
Attackers frequently manipulate search engines to deliver links pointing to fraudulent websites. To do so, they typically use a form of search engine poisoning known as spamdexing. In recent months, incidents of spamdexing have increased, likely as a direct result of the mass compromises throughout 2008 and into 2009. Here's a brief primer on how all this works.
Search engine results pages, or SERPs, are an amalgamation of links related to the user's original query. Search on 'shoes', for example, and one can expect to get a list of sites devoted to footwear.
Search engine optimization is the art of getting the SERPs to list your keyword-related page. A SERP generally lists 10 results per page, so the goal of most webmasters is to get their page listed on the first page of results, and the higher on that page, the better.
In the early days, search engine spiders (the automated tools that digest the information on web pages for ranking and other purposes) would often rank a page based on the number of times the specified keyword appeared. Of course, the number of times a keyword appears has no bearing on the quality or pertinence of the page, and this method was exploited so quickly that keyword ranking alone is all but useless.
Today's search engines generally employ some form of reputation-based modeling to determine rankings. As a result, a site to which many others link will be given more prominent placement on SERPs. And if that very popular site should provide a link to another site, that new site will be treated more favorably in SERPs as a result of the 'recommendation' from the popular site.
Viewed in this context, we can see that SERP selections operate in much the same way a real-world introduction might. If someone you know and trust introduces you to a good friend of theirs, you are more likely to assume a certain level of trust with the person to whom you were just introduced.
Spamdexing
This is where all the trust starts breaking down. If a trusted site is compromised, quite often pages on that site will be created or manipulated to include links designed to boost the ranking of a malicious or otherwise undesirable page. Because those pages are under the control of the attackers, the links and the keyword phrase can be changed on a whim.
(It's worth noting that spamdexing can also be run via blogs, re-purchased domains, and comment spam, although these methods are generally easier for search engine spiders to detect and thwart.)
Using Google Trends and other keyword popularity reports, attackers can quickly gauge interest in a given topic, then exploit that interest by pushing links that point to malware whenever searches on that topic are performed. These links are digested by the spiders and given higher importance in SERPs based on their affiliation with the reputable site.
More recent examples have included topics such as Obama, basketball (aka March Madness), taxes, and St. Patrick's Day.
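For the owner of a site that could be abused this way, the link injection described above can be caught by comparing the external hosts a page links to now against a known-good snapshot of the same page. The following is an added example, not part of the original article; the function names, the snapshot approach, and every host and URL in it are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LinkCollector(HTMLParser):
    """Collect (absolute_url, anchor_text) pairs from <a href> elements."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href, self._text = urljoin(self.base_url, href), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def external_links(html, page_url):
    """Map each external host linked from the page to its anchor texts."""
    parser = LinkCollector(page_url)
    parser.feed(html)
    parser.close()
    own_host = urlsplit(page_url).hostname
    found = {}
    for url, text in parser.links:
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname not in (None, own_host):
            found.setdefault(parts.hostname, []).append(text)
    return found

def injected_links(baseline_html, current_html, page_url):
    """External hosts linked now but absent from the known-good snapshot."""
    known = external_links(baseline_html, page_url)
    current = external_links(current_html, page_url)
    return {host: texts for host, texts in current.items() if host not in known}

# Constructed sample: example.org is the audited site; all hosts are placeholders.
PAGE = "https://www.example.org/news/index.html"
BASELINE = '<p><a href="/about">About</a> <a href="https://partner.example.net/">Partner</a></p>'
CURRENT = BASELINE + '<div><a href="http://unknown.example.com/t">tax refund forms</a></div>'

if __name__ == "__main__":
    for host, texts in injected_links(BASELINE, CURRENT, PAGE).items():
        print(f"new external host {host}: anchor text {texts}")
```

This only covers pages that existed when the snapshot was taken; pages an attacker creates from scratch have no baseline to compare against.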
The ScanSafe malware service blocks these miscreant links in search engine results pages. You can also use the free Scandoo service, which will pre-scan SERPs from your favorite search engine and alert you in advance if any of the links are malicious.

Mary Landesman