Millions of Internet searches are conducted each day on popular search engines by people all around the world. Most of us will only look at the top two or three pages returned and so search engine optimisation (SEO) is used by companies to get their legitimate websites to the top of the listed results. In order to share what’s hot and what’s not, a number of major search engines provide a way to glimpse into the web’s query stream to discover the most popular search keywords or topics. Unfortunately, this is also a great way for cybercriminals to find where people are on the Internet, and they are using this information to conduct attacks.
Blackhat SEO, also known as malicious SEO poisoning, occurs when hackers manipulate search engine results to make their links appear higher than legitimate results. As a user searches for related terms, the infected links appear near the top of the search results, generating a greater number of clicks to malicious websites. SEO poisoning is an increasingly popular method of attack for cybercriminals, and one that shows they are using more sophisticated techniques. In the last year, attackers have poisoned search results on everything from celebrity news such as the recent death of actor Corey Haim, to Google Wave invitations.
SEO poisoning can be used to drive traffic to an intentionally created malicious site, or it can take advantage of existing and popular web properties by using cross-site scripting (XSS) on a legitimate site. One common SEO poisoning method used today is to take already existing web pages where a file has been uploaded to redirect the user to a malicious site. As the site is well known and has often been around for years, it appears legitimate when it comes up at the top of the search results. The cybercriminals exploit the input and display vulnerability on these sites. The malicious site could be anything from one advertising cut-price Viagra to one offering to ‘scan’ your computer for viruses.
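For the owner of a legitimate site abused in this way, one place the problem shows up is the web server's access log: visitors arrive from a search result on a URL whose query string carries markup. The following is an added example, not part of the original article; the Combined Log Format, the search-engine list, the markup patterns and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined Log Format: "METHOD target PROTO" status size "referer" "agent".
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')
# Assumed search-engine names; extend to match your own inbound traffic.
SEARCH_RE = re.compile(r"(^|\.)(google|bing|yahoo)\.")
# Markup that has no business appearing inside a query-string value.
MARKUP_RE = re.compile(
    r"<\s*(script|iframe|meta|img|svg)\b|javascript:|\bon(error|load|click)\s*=", re.I)

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded markup (%253C...) is also seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def from_search_engine(referer):
    # Referer is client-supplied, so this is a triage heuristic, not proof.
    host = (urlsplit(referer).hostname or "").lower()
    return bool(SEARCH_RE.search(host))

def find_poisoned_landings(lines):
    """Return (path, decoded_query) for requests that arrived from a search
    result and carry markup in the query string."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not from_search_engine(m["referer"]):
            continue
        parts = urlsplit(m["target"])
        query = fully_decode(parts.query)
        if MARKUP_RE.search(query):
            hits.append((parts.path, query))
    return hits

# Constructed sample log lines (illustrative only).
SAMPLE = [
    '203.0.113.5 - - [12/Mar/2010:10:01:02 +0000] "GET /search?q=apple+tablet HTTP/1.1" 200 5120 "http://www.google.com/search?q=apple+tablet" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2010:10:02:41 +0000] "GET /search?q=apple+tablet%3Cscript+src%3D%2F%2Fexample.invalid%2Fx.js%3E HTTP/1.1" 200 5310 "http://www.google.com/search?q=apple+tablet" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2010:10:03:17 +0000] "GET /results.php?term=%253Ciframe%2520src%253D%252F%252Fexample.invalid%253E HTTP/1.1" 200 4870 "http://www.bing.com/search?q=ipad+price" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Mar/2010:10:04:00 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, query in find_poisoned_landings(SAMPLE):
        print(path, query)
```

Any path this reports is a page that reflects request input into its output and should be fixed with output encoding; the log check only tells you which pages are already being reached through search results.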
By creating automated systems to monitor the top Google searches, hackers are able to drive traffic to their own sites using highly popular search terms.
Let’s look at an example of how closely the cybercriminals follow hot trending topics. In the lead-up to Apple’s official iPad announcement in January, there was a great deal of anticipation and speculation over the internet. Websense Security Labs discovered that search terms relating to the new Apple Tablet announcement had become the target for blackhat SEO poisoning attacks before the product was even launched. As people became interested in finding more information on the product, related search terms gained momentum. As they did so, blackhat SEO attacks began to climb up the search result listings.
Clicking on the rogue results led to a fake antivirus site that contained a malicious file. The program reports non-existent infections and disturbs the user with persistent pop-ups. In order to ‘clean’ the system, the rogue program is offered for a price. While we were able to provide protection to our customers immediately, at the time of our analysis the file on the rogue AV site had a characteristically low (30%) detection rate, as AV companies struggled to catch up with these attacks in real time.
SEO poisoning attacks are successful because they move in quickly and move on just as fast. As soon as a malicious campaign is recognised and removed from search results, the attackers can automatically redirect their botnets to a new, timely search term. The average proportion of malicious sites in any Google search using hot/trending topics (as ranked by Google), by the end of last year (2009), stood at 13.7% for the top 100 results. This means that of every 100 results, around 14 of the links suggested are likely to lead to a malicious site.
These ongoing campaigns have a proven formula and are likely to gain steam during 2010. This, in turn, may cause a trust issue in search results among consumers unless the search providers change the way they document and present links. But if you can’t trust your search results, then who can you trust? Unfortunately, without dynamic web protection from high-risk threats through real-time security updates and increased visibility into modern web security risks, the answer is likely to be unwelcome. A bit like SEO poisoning.
Patrik Runald joined Websense in October 2009 as senior manager, security research, in the Websense Security Labs. In this role, he is responsible for the effectiveness of the security research team and collaboration with the global Websense Security Labs teams. Runald has been in the security industry for over 14 years, working with malware and related threats throughout his career. He joins Websense from F-Secure, where for 10 years he worked hands-on with evolving web-based threats and breaking exploits.
Websense is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue, Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies, and offers practical and professional expertise. For further information please visit www.infosec.co.uk.