With a little sleight of hand, con artists can dupe them into giving top billing to fraudulent Web sites that prey on consumers, making unwitting accomplices of companies such as Google, Yahoo and Microsoft.
Online charlatans typically try to lure people into giving away their personal or financial information by posing as legitimate companies in “phishing” e-mails or through messages in forums such as Twitter and Facebook. But a new study by security researcher Jim Stickley shows how search engines also can turn into funnels for shady schemes.
Stickley created a Web site purporting to belong to the Credit Union of Southern California, a real business that agreed to be part of the experiment. He then used his knowledge of how search engines rank Web sites to achieve something that shocked him: His phony site got a No. 2 ranking on Yahoo Inc.s search engine and landed in the top slot on Microsoft Corp.s Bing, ahead of even the credit unions real site.
Google Inc., which handles two-thirds of U.S. search requests, didnt fall into Stickleys trap. His fake site never got higher than Googles sixth page of results, too far back to be seen by most people. The company also places a warning alongside sites that its system suspects might be malicious.
But even Google acknowledges it isnt foolproof.
Some recession-driven scams have been slipping into Googles search results, although that number is “very, very few,” said Jason Morrison, a Google search quality engineer.
On one kind of fraudulent site, phony articles claim that participants can make thousands of dollars a month simply for posting links to certain Web sites. Often, the victims are asked to pay money for startup materials that never arrive, or bank account information is requested for payment purposes.
“As soon as we notice anything like it, well adapt, but its kind of like a game of Whac-A-Mole,” he said. “We cant remove every single scam from the Internet. Its just impossible.”
In fact, Google said Tuesday it is suing a company for promising “work at home” programs through Web sites that look legitimate and pretend to be affiliated with Google.
Stickleys site wasnt malicious, but easily could have been. In the year and a half it was up, the 10,568 visitors were automatically redirected to the real credit union, and likely never knew they had passed through a fraudulent site.
“When youre using search engines, youve got to be diligent,” said Stickley, co-founder of TraceSecurity Inc. “You cant trust that just because its No. 2 or No. 1 that it really is. A phone book is actually probably a safer bet than a search engine.”
A Yahoo spokeswoman didnt respond to requests for comment. Microsoft said in a statement that Stickleys experiment showed that search results can be cluttered with junk, but the company insists Bing “is equipped to address” the problem. Stickleys link no longer appears in Bing.
The experiment convinced Credit Union of Southern California that it should protect itself by being more aggressive about buying domain names similar to its own. Domains generally cost a few hundred dollars to a few thousand dollars each – a pittance compared with a financial institutions potential liability or loss of goodwill if its customers are ripped off by a fake site.
“The test was hugely successful,” said Ray Rounds, the credit unions senior vice president of information services.
Stickleys manipulation illuminates the dark side of so-called search engine optimization. Its a legitimate tactic used by sites striving to boost their rankings – by designing them so search engines can capture information on them better.
But criminals can turn the tables to pump up fraudulent sites.
“You can do this on a very, very broad scale and have a ton of success,” Stickley said. “This shows theres a major, major risk out there.”