The researchers have created new utilities, GoogleDiggity and Bing Diggity, both of which can be automated. The tools use the Google Hacking Database and File Signature Database to crawl designated Web domains looking for vulnerabilities, and they create real-time alerts when new, vulnerable website content appears. The two researchers have also developed techniques, using tools like Yahoo Site Explorer, to identify outgoing malicious links on legitimate websites that could direct unwitting visitors to malicious sites.
The researchers say that while techniques for leveraging search engines to do reconnaissance and data discovery have long been known, public knowledge of them hasn't kept pace with the development of those platforms by Google, Microsoft, Yahoo, and others. Google Alerts can be used to identify vulnerable Web pages as soon as they are indexed by these search engines' crawlers, while newer features like Google Phonebook, Google Health, and Google Updates can be used to sweeten social engineering attacks or extend the reach of searches to Twitter and other platforms.
Malicious hackers and online cybercriminal groups have already proved themselves adept at leveraging search trend data and SEO (search engine optimization) techniques to put links to malware-infected sites before the eyes of unwitting Web browsers. The fact that malicious hackers have already launched massive, automated attacks that leverage one or more freely available tools from the major search engine providers has gotten less attention. That trend, however, is bound to continue, as the diversity of data available online and indexed by firms such as Microsoft and Google continues to grow by leaps and bounds with little oversight.
Paul F. Roberts is a senior analyst at The 451 Group.