Google Groups could be the next breeding ground for phishing attacks on the Internet, according to the head of a Vancouver-based security vendor. But despite the emergence of thousands and thousands of malware-infected groups, MailChannels Corp. CEO Ken Simpson said the search giant is not taking the dangerous attacks seriously.
Whereas URL comment spam is easy to identify, attackers are now using Google Groups to plant links to malware inside seemingly legitimate discussion groups. A spammer can create a public Google group, have its contents indexed by Google’s own search engine, and start drawing in victims within a matter of minutes.
“It’s part of a greater trend that has the attackers mixing spam in with legitimate Web traffic, in order to get past the content filters,” Simpson said.
The vast majority of anti-spam software is based on reputation information, he added, and is aimed at blocking the IP addresses of servers that typically send spam; a link hosted on a Google-owned domain carries no such reputation signal. He estimated that close to five per cent of spam traffic now comes from otherwise legitimate sources – with that number expected to increase in the near future.
James Quin, senior research analyst at London, Ont.-based Info-Tech Research Group, said that the rising popularity of Google Groups, coupled with the fact that users are directed to the discussion groups by Google’s own search engine, creates a dangerous threat to Web surfers.
“If someone sets up a Google Group all about Labrador Retrievers, copies valid content from actual sites about that breed of dog, and fills it with malicious links, it’s going to appear very valid,” he said.
The fact that groups can be “churned and burned” so easily, he added, makes it difficult for Google to keep up with the online criminals.
“I don’t know that it’s Google’s responsibility, as they only provide the infrastructure for these mail groups, but if a malicious group is reported, they should be taking definitive action to block the problem,” he said.
But according to Simpson, Google has failed to take the problem seriously even after groups have been publicly exposed as being malicious.
In MailChannels’ anti-spam blog (http://blog.mailchannels.com/2008/09/google-groups-distributing-malware.html), Simpson posted a link to a dangerous Google group directing users to a spyware-infected site. Although MailChannels mentioned the link on its blog and reported the information to a variety of anti-spam mailing lists – which Simpson said are read by many key people at Google – the malicious group has yet to be taken offline.
“If Google was taking this seriously, it would have certainly removed the group by now and it would have written a filter to go and look for patterns in the group names that are being created,” he said.
The problem, Simpson said, is that Google has little to no economic motivation for dealing with the problem.
“There’s an impetus for Google to fight spam aimed at their own users – because you obviously wouldn’t use Gmail if it had a bad spam filter – but what does the company stand to gain economically from doing a really good job of getting rid of this malware?” he argued. “I know Google cares about this stuff, but caring doesn’t translate to organizational momentum.”
And for a problem that doesn’t seem to be going away anytime soon, keeping systems safe and secure will be top of mind for enterprise IT managers. Simpson said that the first line of defence for preventing malware downloads is to have good anti-virus software loaded onto every PC. On the spam prevention side, he added, a multi-layered solution that doesn’t rely on any one anti-spam vendor is the only effective way to combat constantly evolving online attacks.
“One vendor’s solutions will often dip in its effectiveness for a period of time, whereas another vendor will have strength during that period,” he said. “Combining multiple solutions can give you a very effective defence.”
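To make the two points above concrete (reputation-based filters keyed on the sending server’s IP address, and layering independent checks so no single one has to catch everything), here is a small mail filter in Python. It is an added example written for this page, not MailChannels’ product or anything Google runs; the blocklists, the two sample messages and the “user-generated-content host” heuristic are all constructed for the illustration. It shows a message relayed from a clean IP whose only link points into groups.google.com sailing past both reputation layers and being caught only by the extra heuristic.

```python
import email
import re
from email import policy
from ipaddress import ip_address, ip_network

# Constructed blocklists standing in for vendor reputation feeds (not real data).
SENDER_IP_BLOCKLIST = [ip_network("198.51.100.0/24")]
LINK_HOST_BLOCKLIST = {"malware-downloads.example"}
# Hosts serving user-generated content on a trusted domain: a link there says
# nothing about whoever posted the content. Hypothetical list for the example.
UGC_LINK_HOSTS = {"groups.google.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s<>\"']*")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_ip(msg):
    """IP of the host that handed us the mail: the topmost Received header."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = RECEIVED_IP_RE.search(received[0])
    return ip_address(m.group(1)) if m else None


def link_hosts(msg):
    """Hostnames of every http(s) URL in the text body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return [h.lower() for h in URL_RE.findall(text)]


def ip_reputation_layer(msg):
    """Layer 1: classic sender-IP reputation check."""
    ip = sender_ip(msg)
    return 1.0 if ip and any(ip in net for net in SENDER_IP_BLOCKLIST) else 0.0


def link_reputation_layer(msg):
    """Layer 2: reputation of the hosts the links point at."""
    return 1.0 if any(h in LINK_HOST_BLOCKLIST for h in link_hosts(msg)) else 0.0


def ugc_link_layer(msg):
    """Layer 3 (heuristic): every link leads into a UGC host on a trusted domain."""
    hosts = link_hosts(msg)
    return 0.6 if hosts and all(h in UGC_LINK_HOSTS for h in hosts) else 0.0


REPUTATION_LAYERS = [ip_reputation_layer, link_reputation_layer]
ALL_LAYERS = REPUTATION_LAYERS + [ugc_link_layer]


def classify(raw, layers=ALL_LAYERS, threshold=0.5):
    """Run each layer independently and combine; returns (is_spam, per-layer scores)."""
    msg = email.message_from_string(raw, policy=policy.default)
    scores = {layer.__name__: layer(msg) for layer in layers}
    return sum(scores.values()) >= threshold, scores


# Constructed sample messages (not from the article).
SPAM_FROM_KNOWN_BAD_RELAY = """\
Received: from mx.example.net (mx.example.net [198.51.100.23]) by mail.example.com; Mon, 8 Sep 2008 10:00:00 -0700
From: promo@example.net
To: victim@example.com
Subject: Free download
Content-Type: text/plain

Get it here: http://malware-downloads.example/setup.exe
"""

SPAM_VIA_GOOGLE_GROUP = """\
Received: from relay.example.org (relay.example.org [203.0.113.7]) by mail.example.com; Mon, 8 Sep 2008 10:05:00 -0700
From: fan@example.org
To: victim@example.com
Subject: Great Labrador Retriever resources
Content-Type: text/plain

Lots of good threads here: http://groups.google.com/group/labrador-retrievers/browse_thread/thread/1
"""

if __name__ == "__main__":
    for name, raw in [("bad relay", SPAM_FROM_KNOWN_BAD_RELAY),
                      ("google group", SPAM_VIA_GOOGLE_GROUP)]:
        print(name, "reputation only:", classify(raw, REPUTATION_LAYERS))
        print(name, "all layers:     ", classify(raw))
```

Running it, the first sample is flagged by the reputation layers alone, while the second scores zero on both of them and is caught only when the third, independent layer is added to the mix. The UGC heuristic is deliberately crude (real deployments would weigh it against sender history or a content scan), but that is the point of layering: one layer’s blind spot is covered by another’s strength.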
In fact, security experts like Quin say, enterprises are often wasting their time trying to constantly educate their end-users to the latest attacks. “The number one thing businesses can do to protect themselves from this kind of threat is to block access,” he said.
He added that sites such as Google Groups, Facebook and MySpace offer little to no business value for most enterprise office staff and access should be blocked.