Today, we’ll expand on our previous post which described SEO poisoning. Hackers are using this relatively new technique to lure users into visiting malicious websites with a vengeance.

SEO poisoning is a method by which hackers can get a malicious link or URL, indexed by a search engine. When users search for terms that match the context of the malicious link, unsuspecting web surfers are often shown malicious links which divert them to harmful websites that can attempt ID theft, install malware, or worse. SEO poisoning is definitely a growing trend. It is becoming a vector of choice for hackers.

How Does It Happen?
A malicious hacker will try to find a vulnerability in the website (XSS and SQLi, for example) or hosting infrastructure which will allow upload of malicious code or modification of the behavior of the web application. Once this is achieved the hacker can insert malicious URLs into the web page which will be indexed by search engines such as Google.

Hackers can compromise a website using trojans or spyware installed on local computers which are used to make FTP connections to the website. This has been the case with the “Gumblar” variety of attacks, the Media-Temple attacks and the generic “Fake Anti-Virus” attacks which have also been escalating in the past few months. Some of the websites involved with the Fake Anti-Virus attacks link to x3y.ru, a3h.ru, before-life.ru, snoreflash.ru and may more.

Analysis
The screen shot below illustrates a recent instance of hackers using popular keywords from Google search trends to exploit unsuspecting users. In this particular example, the search query was most likely extracted from Google Trends.

Miss Universe 2010 search results being SEO poisoned

We can see that search results for Miss Universe 2010 tickets have been SEO poisoned by malicious hackers. The query results clearly show URLs which redirect users to Fake Anti-Virus websites. Unfortunately, not all of these URLs are were blacklisted by Google leading users to visit an unsafe website with no warning whatsoever.

Combating SEO Poisoning
Hackers now have access to point-and-click SEO poisoning toolkits. Some of which are increasingly sophisticated.

The basic steps that these tookits perform are detailed below:

• Find unsecured websites.
• Exploit vulnerabilities and install the entire toolkit (similar to Beef).
• Scrape Google trends, or contact Command and Control servers to find hot search topics.
• Use Google or another search engine to download legitimate content associated with the search terms, copy the content to malicious pages, which GoogleBot then indexes when it visits the infected site.
• Search engines direct users to fake Anti-Virus or infected sites.

This problem is growing everyday. It is an attractive attack vector for malicious individuals, and hence continues to be exploited often. We will be keeping a close eye on trends related to SEO poisoning.

Till next time…

Report, Security google trends, hijacking, miss universe 2010, seo, seo poisoning

Search engines like Google drive the majority of traffic to websites. Therefore, it is important for webmasters to appear high on search rankings and prominently in search results. To this affect website owners often spend large sums of money on Search Engine Optimization (SEO) strategies: using the right keywords, getting linked to by popular sites, getting a dialogue about the website going on good forums and much more.

Overview

The popularity, relevance and importance of a website, which determines where in the search rankings it should appear, can simplistically, thought to be represented by one magic number: the Google PageRank. This article is not about how to calculate, improve or tune your Google PageRank.

This article will discuss how a hacker can break into your site, without you knowing and reduce your Google PageRank, thereby making your website plummet from the top rankings in search engines, making your business lose money and visibility.

An Example

On May 7th, 2010, we reviewed a compromise of one of many sites we scan on a daily basis. This site was attacked by a hacker who had exploited a vulnerability in the web application used to host the website. Once the hacker had identified the specific vulnerability, which was WordPress based, he injected spam links into the source code of the pages on the site.

All the spam links are nicely placed after the main body of the legitimate HTML portion and even starts with a comment tag “<!– google –>”!

Malicious spam links injected into the website.

Conclusion

The affect of this spam link injection was that the PageRank of the legitimate site was potentially reduced since many links on the website now pointed to spam or malicious pages. This could result in lower positioning in search results as displayed on various search engines. This is yet another case where webmasters and administrators, who are already overloaded with many tasks, were either unaware or could not pay attention to the security breach.

At stopthehacker.com we are always available to help. If you have suffered from a breach of this kind and would like to share your experience, please contact us.

Report, Security google, link spam, pagerank, seo, seo poisoning

Hackers are using a relatively new technique to lure users into visiting malicious websites. SEO poisoning is a method by which hackers can get a malicious link or URL, indexed by a search engine. When users search for terms that match the context of the malicious link, unsuspecting web surfers are often served malicious links which can divert them to harmful websites that commit all kinds of nasty deeds, ranging from ID theft to installing malware.

Overview

SEO poisoning is not new, but it is definitely a growing trend. It is becoming a vector of choice for hackers. The procedure to commit this crime is actually quite similar to the method of code-injection. First, find a vulnerability in the website or hosting infrastructure which will allow a hacker to upload malicious code or modify the behavior of the web application. Once this is achieved a hacker can insert URLs into a web page which will be indexed by search engines such as Google.

Below, we provide a screen shot to illustrate that hackers are reverse-engineering popular keywords from Google search trends to exploit unsuspecting users. In this particular example, the search query is extracted from Google Trends and results clearly show URLs which redirect users to fake anti-virus websites. Unfortunately, few of these URLs are even blacklisted by Google and hence users do not even have the luxury of making a decision to visit an unsafe website or not.

An example of SEO poisoning using a search query from Google Trends.

Experiment Goal

The aim of this experiment is to identify URLs which are using SEO poisoning.

Methodology

Search results were collected from Google Trends. Once the search queries were collected, searches were performed via Google and the first  10 results were collected for each search query.

Each search result was analyzed to find whether the URLs displayed in the search results contained the complete search query in the exact same order. Also, it was determined whether the structure of the URL matched patterns of SEO poisoning. Furthermore, the IP associated with the URL was looked up on Spamcop to verify if the IP had been used for sending spam or had participated in zombie networks. Finally, using a geo-location API from IPinfo DB, the country of origin for the URL was determined. The test was conducted on March 23, 2010. Google trend results for the period of January 1, 2010 to March 22, 2010 were used for searches.

Highlights

• 59.5% of search results returned by Google had URLs which contained the entire search string in the same exact order.
• 26.07% of search results returned by Google had URLs which matched SEO poisoning patterns.
• 14.1% of search results returned by Google had URLs which matched SEO poisoning patterns and contained the entire search string in the same exact order.
• Only one IP seemed to be involved in spam related activity.
• Some of the most popular locations for websites returned as search results are: US, Canada, Netherlands, Germany, UK, France, Czech Republic, Australia and Singapore.

Note: 10,559 search results were analyzed.

Percentage of sites from different countries affected by SEO poisoning.

Countries which seem to have the highest number of SEO poisoned links indexed by Google:

• 86.1% of URLs from Singapore based sites.
• 74% of URLs from Netherlands based sites.
• 30.5% of URLs from UK based sites.
• 25.1% of URLs from Germany based sites.
• 12.6% of URLs from Canada based sites.
• 12.42% of URLs from US based sites.

Fluctuation in the number of SEO poisoned results.

Note the fluctuations in the number of search results which are SEO poisoned.

Conclusion

It is clear that even the world’s most popular search engine company is not secure from SEO poisoning. It is not for the lack of trying though, but instead of the myriad number of ways hackers can break into a website and take advantage of it. We have seen that large numbers of search results match SEO poisoning patterns. Furthermore, it is clear that hackers are injecting malicious URLs into compromised websites to latch onto Google trends.

Report, Security google, poison, seo, trends