Image Search Referrer-Based Malicious WebsitesApril 17, 2008 – 4:39 PM
Websense Security Labs research has uncovered a case where a museum’s compromised Web server is serving malicious code based on the referrer making the request. A referrer could be, for example, a search engine such as images.google.com.
As interesting as the fact that they’re doing this, however, is which referrers trigger the delivery of malicious content, when others do not. In this case, the malicious content is served only when the referrers for the request are certain high-profile image search sites.
In the course of researching this attack, Websense Security Labs discovered that when searching with one of these high-profile sites for images that reside on another site, attempting to view one of the images would provide malicious content rather than the intended page content. If, however, another search engine was used to look for the same image, the proper content was delivered.
For example, if a browser attempted to load a page with the desired image through images.google.com, malicious content was delivered. However, if a normal Google search (www.google.com) was used for the same image with the same URL, the result was the proper page, without the malicious redirect.
So far, the list of image search sites that are used as affected referrers by the attacker are among the most high-profile image searches on the web:
The attackers do not appear to be doing this based on any referrer that contains the word ‘image’, because sites such as images.websense.com, or other image search sites that contain that word, do not produce the same results. It appears that the attacker is targetting certain image search engines, and obfuscating their activity in cases when the request is coming from anywhere else.