    SEO Poisoning: Hijacking Miss Universe 2010

    Today, we’ll expand on our previous post, which described SEO poisoning. Hackers are using this relatively new technique aggressively to lure users into visiting malicious websites.

    SEO poisoning is a method by which hackers get a malicious link or URL indexed by a search engine. When users search for terms that match the context of the malicious link, these unsuspecting web surfers are shown malicious results that divert them to harmful websites, which can attempt ID theft, install malware, or worse. SEO poisoning is definitely a growing trend, and it is becoming a vector of choice for hackers.

    How Does It Happen?
    A malicious hacker will try to find a vulnerability in the website (XSS and SQLi, for example) or hosting infrastructure which will allow upload of malicious code or modification of the behavior of the web application. Once this is achieved the hacker can insert malicious URLs into the web page which will be indexed by search engines such as Google.

    Hackers can also compromise a website using trojans or spyware installed on the local computers that are used to make FTP connections to the website. This has been the case with the “Gumblar” variety of attacks, the Media-Temple attacks and the generic “Fake Anti-Virus” attacks, all of which have been escalating in the past few months. Some of the websites involved with the Fake Anti-Virus attacks link to x3y.ru, a3h.ru, before-life.ru, snoreflash.ru and many more.

    Analysis
    The screen shot below illustrates a recent instance of hackers using popular keywords from Google search trends to exploit unsuspecting users. In this particular example, the search query was most likely extracted from Google Trends.

    Miss Universe 2010 search results being SEO poisoned

    We can see that search results for Miss Universe 2010 tickets have been SEO poisoned by malicious hackers. The query results clearly show URLs which redirect users to Fake Anti-Virus websites. Unfortunately, not all of these URLs were blacklisted by Google, so users are led to an unsafe website with no warning whatsoever.

    Combating SEO Poisoning
    Hackers now have access to point-and-click SEO poisoning toolkits, some of which are increasingly sophisticated.

    The basic steps that these toolkits perform are detailed below:

    • Find unsecured websites.
    • Exploit vulnerabilities and install the entire toolkit (similar to BeEF).
    • Scrape Google Trends, or contact Command and Control servers, to find hot search topics.
    • Use Google or another search engine to download legitimate content associated with the search terms and copy it to malicious pages, which GoogleBot then indexes when it next visits the infected site.
    • Search engines then direct users to fake Anti-Virus or infected sites.
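    As an added example (not part of the original post), here are two defender-side checks a site owner can run against their own pages for the symptoms these toolkits leave behind: outbound links injected into hidden elements, and cloaking, where the page served to a search crawler differs from what a visitor arriving from a results page receives. It assumes the HTTP responses have already been captured; the HTML and responses below are constructed sample data and fakeav.invalid is a placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import difflib

HIDDEN_MARKERS = ("display:none", "visibility:hidden", "left:-")  # CSS used to hide injected links
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}           # never closed, so never pushed
class InjectedLinkScanner(HTMLParser):
    """Collect off-site <a href> targets and note whether each sits inside a hidden element."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.stack, self.findings = own_host, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if tag not in VOID_TAGS:
            self.stack.append((tag, any(m in style for m in HIDDEN_MARKERS)))
        if tag == "a" and a.get("href"):
            host = urlparse(a["href"]).hostname
            if host and host != self.own_host:            # only outbound links are suspicious
                self.findings.append((a["href"], any(h for _, h in self.stack)))

    def handle_endtag(self, tag):
        while self.stack and self.stack.pop()[0] != tag:  # unwind to the matching open tag
            pass

def injected_links(html, own_host):
    scanner = InjectedLinkScanner(own_host)
    scanner.feed(html)
    return scanner.findings                               # [(href, is_hidden), ...]

def cloaking_indicators(crawler_resp, visitor_resp, min_similarity=0.6):
    """Each response is (status, Location header or None, body); returns a list of findings."""
    c_status, _, c_body = crawler_resp
    v_status, v_loc, v_body = visitor_resp
    reasons = []
    if v_status in (301, 302, 303, 307, 308) and c_status == 200:
        reasons.append(f"visitor redirected to {v_loc} while the crawler received a 200 page")
    similarity = difflib.SequenceMatcher(None, c_body, v_body).ratio()
    if similarity < min_similarity:
        reasons.append(f"bodies differ (similarity {similarity:.2f})")
    return reasons

# Constructed sample data (fakeav.invalid is a placeholder host, not a real indicator).
SAMPLE_HTML = """<html><body><p>Read our <a href="/about">about page</a>.</p>
<div style="display: none"><a href="http://fakeav.invalid/scan">Miss Universe 2010 tickets</a></div>
<p><a href="http://partner.example.net/">Partner</a></p></body></html>"""
CRAWLER_RESP = (200, None, "<html><body><h1>Miss Universe 2010 tickets</h1><p>scraped text</p></body></html>")
VISITOR_RESP = (302, "http://fakeav.invalid/scan", "")
```

    Run injected_links(SAMPLE_HTML, "example.com") and cloaking_indicators(CRAWLER_RESP, VISITOR_RESP) on the sample data; in practice the crawler response is fetched with a Googlebot User-Agent and the visitor response with a browser User-Agent and a Google Referer.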

    This problem is growing every day. It is an attractive attack vector for malicious individuals, and so it continues to be exploited frequently. We will be keeping a close eye on trends related to SEO poisoning.

    Till next time…