Malicious Cyber Actors Use Advanced Search Techniques

DHS-FBI-NCTC-GoogleDorking

Malicious cyber actors are using advanced search techniques, referred to as “Google dorking,” to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks. “Google dorking” has become the acknowledged term for this malicious activity, but it applies to any search engine with advanced search capabilities. By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities. For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.

» (U) In October 2013, unidentified attackers used Google dorking to find websites running vulnerable versions of a proprietary Internet message board software product, according to security researchers. After searching for vulnerable software identifiers, the attackers compromised 35,000 websites and were able to create new administrator accounts.

» (U) In August 2011, unidentified actors used Google dorking to locate a vulnerable File Transfer Protocol server at an identified US university and compromised the personally identifiable information of approximately 43,000 faculty, staff, students, and alumni, according to an information technology security firm.

» (U) The Diggity Project is a free online tool suite that enables users to automate Google dork queries. It contains both offensive and defensive tools and over 1,600 pre-made dork queries that leverage advanced search operators.

(U) Suggested measures for website administrators to protect sensitive information include:

» (U//FOUO) Minimize putting sensitive information on the web. If you must put sensitive information on the web, ensure it is password protected and encrypted.
» (U//FOUO) Use tools such as the Google Hacking Database, found at http://www.exploit-db.com/google-dorks, to run pre-made dork queries to find discoverable proprietary information and website vulnerabilities.
» (U//FOUO) Ensure sensitive websites are not indexed in search engines. GoogleUSPER provides webmaster tools to remove entire sites, individual URLs, cached copies, and directories from Google’s index. These can be found at: https://www.google.com/webmasters/tools/ home?hl=en.
» (U//FOUO) Use the robots.txt file to prevent search engines from indexing individual sites, and place it in the top-level directory of the web server.
» (U//FOUO) Test your website using a web vulnerability scanner.