There is an interesting case that I want to share with you.
I am not sure if you guys are aware of it, but last year researchers at Google released a paper at the USENIX conference titled “The Ghost in the Browser”.
The paper outlined research efforts at Google that spanned several months analyzing websites, their content, and the amount of malicious code discovered within the sites.
It was discovered that a large number of the URLs that Google generates as search results are malicious and might harm the user’s computer. To keep its users away from such malicious URLs, Google started flagging these websites by posting a warning sign: “This site may harm your computer.”
There is a high probability that if you are using the Google search engine, you might have come across such a scenario. There is a similar scenario that I came across and I would like to share it with you.
I read on Suman Kumar’s blog that Google has flagged the Canon India website, canon.co.in, as potentially malicious: “Canon India’s Website is an Attack Site?”
Google Search Result
I did a search for canon.co.in using Google and found out that it has been flagged as harmful and that there is a warning against visiting it.
I ignored this warning and clicked on the URL; it took me to another page explaining clearly that this site is harmful and that you can access it at your own risk, but there is no way Google will let you in.
This could be a really dangerous situation for legitimate websites doing business online. I don’t think there are many people willing to visit these websites by ignoring Google’s warning. Now let’s have a look at the solutions offered by various web application security companies for such situations.
I have Finjan installed on my computer for safe browsing. According to Finjan:
The page canon.co.in was not available for scanning, but another page in the same domain canon.co.in/contactCanonsales.asp had been scanned and is safe for browsing (see the green flag).
Scanning canon.co.in using URL Analysis at Finjan’s website results in “URL currently unavailable”.
HackAlert™ is a site monitoring service from Armorize Technologies.
HackAlert identifies malicious code injection on web applications and lets you know instantly about hijacking attempts. I scanned the complete website canon.co.in using HackAlert and found that out of the total of 89 URLs that canon.co.in has, only one is suspicious. HackAlert has defined it as suspicious because there are 4 suspicious links pointing to it.
These links are just suspicious and not executable (else HackAlert would mark them Malicious), so I took a chance by copying and pasting one of the links into my browser, and here is what I got.
I clicked on “why was this site blocked?” and did get a detailed report.
Alright, Google and HackAlert did a good job of warning me against visiting http://www.canon.co.in, as it has links pointing to netcfg9.ru and it has been detected with malware.
Let’s see the results for more tools.
According to McAfee Site Advisor, it is clean and green.
Link Scanner even congratulates me on not finding any exploits.
Trend Micro says this site is known to them as non-malicious.
It’s a good example of how legitimate sites can be hacked and weaponized to distribute malware to their visitors. The worst-case scenario is when the website owner is informed about such a security breach by customers who find out about it while trying to access the website. Google has done a good job by flagging these websites, but it doesn’t notify the website owner. Among the tools I have analyzed so far, HackAlert was able to detect the malicious URL, and if you are monitoring your website using HackAlert, it sends you an e-mail or SMS notification.
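
A site owner can also check their own pages for content loaded from hosts they never approved, rather than waiting for a customer or a search engine to notice. The sketch below is an added example, not code from this post or from any of the tools named in it: it lists script, iframe and similar references whose host is outside an allowlist the owner maintains. The sample HTML, the hosts (`example.com`, `injected.invalid`) and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes a browser fetch or execute remote content.
LOADING_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
                 "embed": "src", "object": "data"}

class RefCollector(HTMLParser):
    """Collect (tag, absolute URL, line) for every content-loading tag."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        value = dict(attrs).get(LOADING_ATTRS.get(tag, ""))
        if value:
            # urljoin resolves relative and protocol-relative (//host/x) URLs.
            self.refs.append((tag, urljoin(self.page_url, value.strip()),
                              self.getpos()[0]))

def host_allowed(host, allowed):
    """True if host equals an allowlisted domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def find_offsite_refs(html, page_url, allowed):
    """Return references whose host is not on the owner's allowlist."""
    collector = RefCollector(page_url)
    collector.feed(html)
    collector.close()
    return [(tag, url, line) for tag, url, line in collector.refs
            if urlsplit(url).scheme in ("http", "https")
            and not host_allowed(urlsplit(url).hostname, allowed)]

# Constructed sample page: one injected 1x1 iframe among legitimate content.
SAMPLE_HTML = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://cdn.example.com/lib.js"></script>
</head><body>
<p>Contact sales</p>
<IFRAME SRC="//injected.invalid/frame.html" width=1 height=1></IFRAME>
<a href="http://partner.invalid/">partner</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url, line in find_offsite_refs(
            SAMPLE_HTML, "http://www.example.com/index.html", {"example.com"}):
        print(f"line {line}: <{tag}> loads {url}")
```

Ordinary `<a href>` links are deliberately ignored, since they do nothing until a visitor clicks them; only tags that load content automatically are reported.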