The Web's most dangerous keywords to search for

TOPICS: Browser, Security

Which is the most dangerous keyword to search for using public search engines these days? It's "screensavers" with a maximum risk of 59.1 percent, according to McAfee's recently released report "The Web's Most Dangerous Search Terms".

After searching for 2,658 unique popular keywords and phrases across 413,368 unique URLs, McAfee's research concludes that lyrics and anything that includes "free" have the highest risk percentage of exposing users to malware and fraudulent web sites. The research further states that the category with the safest risk profile is health-related search terms.

Here are more findings:

  • The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky
  • The categories with the worst average risk profile were also lyrics sites (5.1%) and “free” sites (7.3%)
  • The categories with the safest risk profile were health-related search terms and searches concerning the recent economic crisis. The maximum risk on a single page of queries on the economy was 3.5% and only 0.5% risky across all results. Similarly, even the worst page for health queries had just 4.0% risky sites and just 0.4% risk overall

This isn't the first time McAfee has attempted to assess the risk percentage of particular search terms; the company did similar studies in 2006 and 2007. And while the research attempts to raise awareness of the malicious practices applied by cybercriminals, it also has the potential to leave a lot of people with a false sense of security, since it's basically scratching the surface of a very dynamic problem.

With cybercriminals anticipating the dynamic nature of Web 2.0, they too adapt dynamically to the changing environment. In the context of blackhat SEO, like true marketers they apply basic mass-marketing keyword practices, which may be wrongly interpreted as the use of particular keywords only.

In reality, mass marketing from a blackhat SEO perspective means a very diverse set of topics, usually consisting of hundreds of thousands of syndicated news/video/blog titles aggregated over a recent period of time, all operated by the same group. Therefore, the search term "screensavers", or any related phrase, is just one among hundreds of thousands of others that are part of a single malware campaign.

In October 2008, cybercriminals taking advantage of blackhat SEO for malicious purposes started syndicating popular Google Trends keywords in real time in order to occupy the top ten search results with hundreds of automatically registered Windows Live Spaces, which at the time served Zlob variants as fake codecs. This dynamic approach not only undermines any static list of "most dangerous keywords to search for", but also tipped off more cybercriminals to the basics of event-based blackhat SEO campaigns serving malware.

For instance, in an attempt to hijack the anticipated traffic of people searching for the Twitter XSS worm StalkDaily/Mikeyy, blackhat SEO campaigns using related keywords started appearing in public search engines, serving scareware. At least that's how it appeared at first, since much more in-depth research revealed that the Mikeyy keywords are part of a diverse blackhat SEO farm. The same Ukrainian group took advantage of the swine flu buzz and launched another blackhat SEO campaign earlier this month, again consisting of swine flu related keywords in between the diverse set of topics that they've generated on the hundreds of participating domains.

Furthermore, given that legitimate and compromised web sites nowadays serve more exploits and malware than the purely malicious ones (77% of Websites that carry malicious code are legitimate sites; Thousands of legitimate sites SQL injected to serve IE exploit; Over 1.5 million pages affected by the recent SQL injection attacks; Gumblar - approximately 17,000 compromised sites), a compromised web site's index would undermine any such static list of dangerous keywords to search for, based on the diverse content that it's providing.

So, which is the most dangerous keyword to search for on the Web? That's a variable which cybercriminals play with at any moment.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Have they tried "Free porns" ???? [nt]


  • Not true

    There are both OSX and Linux rootkits and trojans in the wild. Many porn sites are now using social engineering to trick Mac users into installing a trojan disguised as a codec. Malware is becoming cross platform and is much more complex than simple viruses and worms.
    • FUD again

      It didn't take the MS shills long to spread the FUD again. The chances of
      getting into trouble with Macs and linux are almost zero while that for
      WINDOWS is almost a certainty. That is the fact.
      • Another Linux shill bites the dust...

        "The chances of getting into trouble with Macs and linux are almost zero while that for WINDOWS is almost a certainty."

        Almost a certainty? For everyone? For the majority? No. Are Linux and Macs *currently* less likely to be infected if they skinny dip in the cesspool that is the web?

        Yes. But then AVG Free and its ilk are remarkably effective in protecting even the biggest idiot that might be running Windows 98.

        Hyperbole. The enemy of accuracy.
        • Shill?

          Um... Shills are usually in the employ of the side with the deepest pockets, like Microsoft and the international Communist conspiracy.
          • Au contraire

            Shills are the accomplices of the con artists targeting the deep pockets.
        • AVG no longer supports Windows 98.

          I just tried updating my folks' little-used Windows 98 computer, and AVG informed me that they no longer support Windows 98. I'm either going to have to scrounge up some more RAM (it's a quarter gig shy of Ubuntu's minimum recommendation of 384Meg) for the contraption or cajole 'em into buying a new box.

          Or maybe one of the extra-light weight Linuxes like Puppy would work for 'em.

          "Microsoft delenda est!"
          • Re: AVG no longer supports Windows 98

            Try Avast. I use it both on Win 98 & Win XP.
          • There are other free AV's out there

            I don't know if any support W98, one would just have to visit them and see. I have been using Comodo lately.
          • Very few free AVs

            Comodo AV is not good at all, Avast is a much better choice. Avira Antivir is another good one, though I hear that the update servers for the free version are very slow. AVG has gotten to be too much of a resource hog to use on a slow computer, even if it did support Win98. I speak from experience, as a former AVG Free user.
          • Avast is about all...

            that is worth trying - Avira may be good on newer computers but is too slow on the trigger to trust on older machines.

            I've personally seen that happen during one .bat attack where Avira was a little too slow to recognize the injection zip package.
          • If your parents are retired...

            ...check with your local AARP or equivalent, there are groups that donate free computers with Ubuntu to seniors.
            My brother in law recently laughed at me when I told him of my experience with an old HP laptop w/ Ubuntu I put together for my cousin. He donates his time to a local church group that recycles old computers for the elderly and he said they do this all the time. They often get bulk shipments from corporations replacing gear and since they can save the recycling fee by donating they can save money (I couldn't figure this out at the time since shipping would be the most expensive element, but I guess you have to ship them for recycling too).
        • Ha, you think AV protects you ?

          It may reduce your chances but it NEVER fully protects you. There is no such thing as foolproof security.
          Alan Smithie
          • Of course not

            You have to be sensible about where you browse, and never, ever let anything install on your system unless you are sure of the source.

            Of course I have had only one computer get infected and that was a new-to-me surplus Windows 2000 box which got infected through the instant messaging process while downloading the anti-virus. . . One of the reasons I don't use Windows on my own PCs any more. I've been trying to talk 'em into using Ubuntu at work, but using Microsoft enhances our budget, even though it has been cut a few million dollars this year.

            "Microsoft delenda est!"
        • Another Winbloze fanboy eats crow...

          Here's the extent of the threats to Ubuntu. The vast majority of 'em are years old...

          Now if they're wrong, then please tell us. You'd be doing us a world of favor instead of the fear mongering like you jealous Winbloze fanboys like to portray.
          Wintel BSOD
        • Not a bad post for someone with no clue.

          Come back and post something when you actually try modern linux for the first time and actually get infected.

          What's tiresome is these Windows users with no Linux experience and all the answers. (they probably never burned a working, bootable iso disk)

          BTW, keep checking your bank and credit card statements - that's the only way to know if you are infected. Don't expect an announcement about a keylogger or rootkit from AVG, Symantec or any other AV company.

          I had 2 keyloggers running on XP and the AV's had absolutely no clue.
      • psybot

        Looks like the psybot worm for linux just blew your whole argument out of the water. The worst part is that linux doesn't have antivirus software so you have no way of telling if you are infected, whereas on Microsoft Windows you have several layers of protection from the OS, file permissions, antivirus, and built-in firewall. As an additional bonus Microsoft Windows will also prompt you with a big warning before installing any software. On linux you have no protection and it's easier to actually get infected because it leaves the telnet port open.
        Loverock Davidson
        • re:psybot

          The psybot worm is aimed at routers, cable
          modems, and routers. Yes, the targeted models
          are using a version of Linux, but it does not
          exploit any vulnerability in the software. It
          will brute force any weak telnet and ssh login

          As far as Linux not having any antivirus
          software, you are wrong. Symantec, Kaspersky,
          Antivir, AVG, Panda, and many others offer Linux

          Any modern Linux distribution does not leave the
          "telnet port open" by default and hasn't for
          • It does leave SSH on

            and since it's a brute force attack on weak passwords it really doesn't matter if it's on SSH or telnet. So what was the argument again?

            It infects routers running Linux, yes?