As interesting as the fact that they're doing this, however, is which referrers trigger the delivery of malicious content, when others do not. In this case, the malicious content is served only when the referrers for the request are certain high-profile image search sites.
In the course of researching this attack, Websense Security Labs discovered that when searching with one of these high-profile sites for images that reside on another site, attempting to view one of the images would provide malicious content rather than the intended page content. If, however, another search engine was used to look for the same image, the proper content was delivered.
For example, if a browser attempted to load a page with the desired image through images.google.com, malicious content was delivered. However, if a normal Google search (www.google.com) was used for the same image with the same URL, the result was the proper page, without the malicious redirect.
So far, the list of image search sites that are used as affected referrers by the attacker are among the most high-profile image searches on the web:
The attackers do not appear to be doing this based on any referrer that contains the word 'image', because sites such as images.websense.com, or other image search sites that contain that word, do not produce the same results. It appears that the attacker is targetting certain image search engines, and obfuscating their activity in cases when the request is coming from anywhere else.
As an example, here is a screenshot of an image from a site found through images.google.com with sending of referrer information enabled in Firefox:
And here is another screenshot of the same page, but with referrer data disabled. This page contains the normal page content, not the malicious code.
The decision on what content to send is made on the server, so this attack is browser-independent. Regardless of which browser is used, if the referrer information on the request is one of the affected image search engines, the malicious content is delivered.
An additional interesting fact about this case is that it seems as though the museum's page has also been compromised with a search engine poisoning attack. Beyond the normal reasons for such a compromise, we can theorize that this may have been done to increase the site's search ranking, making it more likely for its images to come up in a search. As a result, more systems are likely to be infected by the malicious content.
Security Researcher: Evelyn Scidmore