Hackers bypass Google security for cyber reconnaissance

Imperva CTO Amachai Shulman says they are using browsers and Dork search queries to generate more than 80,000 daily queries, identify attack targets and automatically build pictures of exploitable server resources. As searches are conducted using botnets, and not the hacker's IP address, the attacker's identity remains concealed, he adds. "Hackers have become experts at using Google to create a map of hackable targets on the web. This cyber reconnaissance allows them to be more productive when it comes to targeting attacks that may lead to contaminated web sites, data theft, data modification, or even a compromise of company servers," says Shulman. He recommends that search engine providers start looking for unusual and suspicious queries, such as those known to be part of public dorks-databases, or queries that look for sensitive files. As for companies worried about sensitive data being stolen or websites infected, he wars that they need to be aware that, with the efficiency and indexing of corporate information, vulnerable applications are likely at some point to be exposed. "While attackers are mapping out these targets, it is essential that organisations prepare against exploits tailored against these vulnerabilities," he advises. "This can be done by deploying runtime application layer security controls." For him that means a web application firewall to detect and block attempts at exploiting applications vulnerabilities; and reputation-based controls to block attacks from known malicious sources. As Imperva's 2011 H1 web application attack report (WAAR) showed, attacks are automated, so knowing that a request is generated by an automated process and probably coming from a known active botnet source, should be flagged as malicious.