Les vulnérabilités du VPN vous préoccupent ? Découvrez comment profiter de notre solution de migration VPN qui inclut 60 jours de service gratuit.

Blog Zscaler

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

S'abonner
Recherche sur la sécurité

New Firefox Addon to Protect Against Malicious Spam SEO

image
JULIEN SOBRIER
juillet 30, 2010 - 4 Min de lecture

There are currently no ultimate solutions for end-users to protect themselves against fake AV pages, fake videos and other malicious spam SEO: antivirus have a low detection rate, denylist (such as Google Safe Browsing) lag behind the creation of new malicious domains.

In a previous post, I pointed out the vast majority of malicious spam SEO sites check the referrer string of the visitor. If this string does not include bing.com, yahoo.com or google.com, the user is not redirected to a malicious page.

We are releasing a Firefox add-on that uses this trick to protect Firefox users against most spam SEO threats, including fake AV and fake Video pages. This plugin works with Firefox 3.x. Click on the image below to install it. It is called "Search Engine Security".
 

 
Install Search Engine Security add-on for Firefox 3.x

 

Image
Search Engine Security add-on installed


How it works

This Firefox add-on handles Bing, Yahoo and Google search engines, in all languages. Normally, if a user clicks on a link within search engine results, the HTTP request to the external site contains a Referrer string from the search engine within the HTTP header. For example, if a user searches for "this is a test" in Google, any request to a search result will include the following Referrer:

 

 

 

Referer: http://www.google.com?q=this+is+a+test&hl=en&safe=active

For these requests, the add-on changes the Referrer header to a different value. This means that the requested page does not know that a given request came from a Google, Yahoo or Bing search. This is critical as malicious SEO pages only deliver malicious content (fake AV, Flash/Java updates, codecs, etc.) when requests come from the SEO results. Changing the Referer header breaks the attack.

The add-on does not change the referrer if you navigate within the same site (for example, inside google.com), or if your Referrer does not include a Bing, Yahoo or Google domain.

 

 

 

 

 

Install Search Engine Security add-on for Firefox 3.x

 


Configuration

You can customize the behavior of the Search Engine Security add-on. In the preferences menu, you can change the following values:

 

 

 

 

 

 

Image
Search Engine Security preferences

 

 

 
 


-Protect

Select the search engines for which you wish to enable protection.

- Use Referer header

Choose the Referer value to use for overriding the Google/Bing/Yahoo Referer. You can use an empty value, but it is recommended that you use a valid URL.

- Modify User-Agent (NEW in 1.0.8)

Most spam pages look at the Referrer value to decide whether or not to redirect users to a malicious page. However, in some cases like the Hot Video pages, only the User-Agent value is used. One common check is to look for "slurp" in the user-agent string to flag the request as coming form the Yahoo crawler. If you check the "Modify User-Agent" checkbox in the options, the string "slurp" is added to the User-Agent header when you leave Google/Bing/Yahoo in addition to overriding the Referrer header.

This option provides additional protection against malicious spam SEO.

-Allowlist

Some websites display a different page if you come from a search engine. When you use this add-on, the websites can no longer detect that you come from Google/Yahoo/Bing. If you are sure that a website is safe, you can add it to the allowlist. This will disable the add-on for this website.

If the URL matches any of the elements in the allowlist, the add-on does not change the Referer value. This is a string match and the match occurs if the URL includes one element of the allowlist. For example, http://www.expert-exchange.com/ can be allowed by adding:

 

  • http://www.expert-exchange.com/ (also matches http://www.expert-exchange.com/foo)
  • expert-exchange.com/ (matches any subdomain)
  • expert-exchange. (matches the domains expert-exchange.net, expert-exchange.org, and paths like http://example.com/expert-exchange.html/)
  • etc.


Notification (NEW in 1.0.4)

A notification is shown on Bing, Yahoo, and Google to let users know whether the SES protection is enabled for this search engine. The notification is shown under the search input.

 

 

 

 

Image
Search Engine Security notification in Google search

 

 

Image
Search Engine Security notification in Bing search

 


If you find any problem with this add-on, please let me know at [email protected].

 

 

 

Install Search Engine Security add-on for Firefox 3.x


-- Julien

 

 

form submtited
Merci d'avoir lu l'article

Cet article a-t-il été utile ?

dots pattern

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

En envoyant le formulaire, vous acceptez notre politique de confidentialité.