Skip to main content

Google: IP spoofing on the rise

Google Safe Browsing/IP Spoofing
Image used with permission by copyright holder

Google has been running its Safe Browsing service for about four years, with a goal towards providing an open service that Web browsing applications can check against to see if a particular site is suspected of hosting malware or phishing scams. Now, Google has published an analysis (PDF) of more than 160 million Web pages on more than 8 million sites to look for trends in how malware is distributed—and finds that while social engineering tricks play a small role and plug-in and browser exploits are still common, malware distributors are increasingly turning to IP spoofing in hopes of avoiding detection.

Overall, Google finds that malware distributors rely on exploiting a vulnerability in a browser or a plug-in to install malware on users’ systems in what are known as drive-by attacks: typically, all users need to do is load a Web with the malicious code, and their systems are compromised. Google’s Safe Browsing initiative has automated tools that scan sites looking for these attempted exploits, and adds them to its database of questionable and dangerous sites if they’re found.

However, malware authors are increasingly turning to IP spoofing to avoid detection. In this case, the technique doesn’t involve using router trickery in order to make traffic from one source look like it comes from another; instead, the malware distributors try to detect connections from Google’s Safe Browsing survey (and services like it) and serve perfectly safe, innocuous Web pages to those services…saving its nasty payload for visitors they believe to be real users.

“The concept behind cloaking is simple: serve benign content to detection systems, but serve malicious content to normal Web page visitors,” wrote Lucas Ballard and Niels Provos in the Google Online Security blog. “Over the years, we have seen more malicious sites engaging in IP cloaking.”

Google emphasizes it is constantly adjusting its scanners with “state-of-the-art malware detection” to compensate for IP cloaking techniques, but notes malware distributors and security services will always be in an arms race…with security folks most often trying to play catch-up.

Google also notes that, with only a couple exceptions, browser and plug-in vulnerabilities used by malware distributors are only used for a comparatively short period of time: as soon as a new vulnerability is discovered—or an old one is patched—malware authors quickly move on to another exploit.

Google also notes that while getting people to install malware using social engineering—tricking people into downloading dangerous software, usually by promising a plug-in or antivirus package—is still common and on the rise, it’s employed by only about two percent of sites that distribute malware.

Editors' Recommendations

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
Google is creating ‘internet surveillance DRM,’ critics say
Google Drive in Chrome on a MacBook.

Google is working on a system to fight fraud and make the internet “more private and safe,” but it’s just come in for some blistering criticism from software engineers behind the Vivaldi web browser. According to them, it’s a “dangerous” idea that could lead to greater surveillance of ordinary people.

The subject of this kerfuffle is Google’s Web Environment Integrity project, or WEI. Its purpose, Google says, is to stymy bad actors by providing a piece of code on a website that can be checked with a trusted attestor (such as Google) to ensure the visitor is who they say they are. That could prevent cheating in games, for example, or ensure that ads are being properly served to readers.

Read more
Why is Google cutting web access for some of its workers?
Google Logo

Google is preventing some of its staff from using the internet at work, according to sources in contact with CNBC.

Having revolutionized the web with its powerful search engine before making vast sums of money off online ads, the idea of a company like Google preventing some of its own workers from accessing the internet may at first seem somewhat odd, but there is of course sound reasoning behind it.

Read more
All of the internet now belongs to Google’s AI
ChatGPT versus Google on smartphones.

Google's latest update to its privacy policy will make it so that the company has free range to scrape the web for any content that can benefit building and improving its AI tools.

“Google uses information to improve our services and to develop new products, features, and technologies that benefit our users and the public,” the new Google policy says. “For example, we use publicly available information to help train Google’s AI models and build products and features like Google Translate, Bard, and Cloud AI capabilities.”

Read more