You are here

Google is not warning its users of its role in one of largest cyber-security breaches ever on the Net

USA Today broke a much under-appreciated and potentially blockbuster Internet security breach story: "Google searchers could end up with a new type of bug." Kudos to Byron Acohido and Jon Swartz, who reported it in USA Today, and also blogged on it at, a site for their book "Zero Day Threat" which defines a Zero day Threat as "a threat so new that no viable protections against it exists." 

  • In a nutshell, the article and blog post explain how cybercrook hackers have figured out how to use and leverage Google's search engine results "to spread spam, and carry out scams. Typically it also lets the attacker embed a keystroke logger, which collects and transmits your passwords and any other sensitive data you type online."
  • This new cyber scam ring is expected to spread rapidly, increasing from a "few dozen major websites" today, to  "hundreds of high-profile websites" in the next few weeks.
  • " March alone... security researchers found several hundred thousand corrupted Web pages returned in common Google search queries."

Why this is a big deal:

  • First, for hackers and cybercrooks, cracking Google's system, even indirectly like this, is the motherlode; Google is the ultimate viral distribution mechanism to reach more Internet users faster than any other Internet vehicle.  For example:
    • Over 65% of Americans, and over 75% of Europeans use Google, meaning roughly 700 miilion users world wide are open and vulnerable to this new and growing data-security breach daily.
    • Google partners with over a million websites globally (90% share) making Google by far the best search engine to target, because Google can spread the scam several times faster and broader than smaller search engines like Yahoo, Microsoft, or 
    • In addition, Google-DoubleClick serve hundreds of thousands of advertisers -- over 90% of advertisers advertising online.  
      • There simply is not a better Internet vehicle for scammers to ride and leverage than Google.
  • Second, Google has not warned its seven hundred million odd users -- in any way -- that they currently are at increased and serious risk of identity theft, phishing and other cyber-scams because cyber-crooks have devised a new and ingenius way to "ride" Google search results to reach and scam unsuspecting Google users who think they are safe and secure. 
  • Third, the reason for Google not informing their users is the conflict of interest in their advertising business model. Google does not get paid by users. Google gets paid by advertisers and websites who do not want to sully their brands online by having Google identify which of its website clients and which advertising has been infected and are the source for these new rapidly spreading cyber-scams. Google also does not want to discourage searching in any way, because they get paid only when users search.
    • Google claims their business is based on user trust and that it would never do anything to undermine that trust.
    • Well in this instance, it is clear that there is a growing pernicious scam riding on Google search results and Google is keeping it all hush hush because it doesn't want to hurt its own business, or hurt its real paying clients: website content providers and advertisers.
    • In this situation, Google users are like tech bubble investors who were burned by trusting that investment banking research was looking out for their investor interests and not companies' financial interests.  
      • And like then, there are no disclaimers on Google's home page that the financial interests of websites/advertisers -- come before users' interests.
      • In other words, there is no "User Beware" warning on Google's website.
  • Fourth, Google claims its "open" systems are secure. The problem here is that the hackers have figured out an "open source" Javascript method to turn Google's "open" search engine into the ultimate viral carrier, a modern day "typhoid Larry."
    • As the leading proponent of "openness" (open source software, open access, opensocial, etc.) Google is understandably concerned about the bad PR for "openness" from such a pernicious "open source" hacking method and scam being carried and enabled by Google's "openness."  

Bottom line:

Everyone should be surprised and dismayed that Google has not warned its users of their new and serious vulnerability to this pernicious and fast-growing cyber-scam threat.

  • At a minimum, if Google worked for, or cared about, its users, Google would warn them on their home page to avoid clicking on the sites or webpages that Google in fact knows to be infected and unsafe
  • It certainly seems as if Google is putting Google's interests, and the interests of Google's website/advertiser clients -- ahead of the interests of users.
  • Given the carnage that identity theft and other fraud can cause, and given Google's repeated claims to work for users, Google's actions in response to this serious problem do not inspire trust.

As we all appreciate, ignorance can indeed be bliss, at least for a time, as people have learned from the sub-prime mortgage mess -- what you don't know can hurt you.