Blackhat SEO poisoning topping the charts

Filed Under: Malware, SophosLabs

With the wealth of information we have published concerning blackhat search engine optimisation (SEO), hopefully the bulk of Naked Security readers are more than familiar with the perils of searching for what may be considered 'hot' keywords. (* For a quick background on SEO, and how it is used by malware authors, see the quick guide at the foot of this post!)

Yes, that's right readers. Anyone keen to find leaked videos of Miley Cyrus, pictures of Jennifer Lopez or Kim Kardashian or investigate 'if Justin Bieber really is black' is just asking for trouble. (Actual search terms extracted from data received whilst writing this post.)

As we revealed last year, it is straightforward for the bad guys to keep up with hot, trending items, thanks to services such as Google Trends. However, it is important to remember that this is not the end of the story. SEO poisoning is not limited to just the hot or risque topics.

Back in October 2009, we wrote about how the attackers were using topics of an educational theme, designed to trap students and teachers searching for information and resources. These very same subtle tactics are still working today.

As it happens, our own product line has reached the heady heights of being SEO-worthy.

Yesterday afternoon I noticed a poisoned term which made me chuckle. Incoming data revealed a Mal/SEORed-A detection on an SEO pages constructed by one of the recent kits we have been tracking. Looking at the URL reveals the topic the user was searching for:

hxxp://[removed]/ecd.php?q=ws1000-appliance&page=7

The 'WS1000 appliance' search term refers to one of the Sophos web appliance (SWA) models! So a user searching for information on our web appliances was thankfully sitting behind one of them, enabling us to thwart the attack by blocking the initial redirect as Mal/SEORed-A. Were they not already a Sophos customer, they would have been subjected to the usual scareware onslaught, courtesy of a redirect to:

hxxp://[removed].cz.cc/windows-antivirus/

Irony aside, this simply reflects how effective blackhat SEO attacks actually are. This is evident from the chart below which summarises the top malware detections we have blocked on our customer web appliances (May 20th - May 25th). As you can see, blackhat SEO accounts for over 30% of all detections.

So what can users do to protect themselves? Clearly, being sensible or careful with what you search for is no use.

  • Users need to take care to review the links provided by the search engines, and think before they click.
  • Ensure the filtering options provided by your chosen search engine are enabled.
  • Most importantly, ensure you have layered protection in place, with effective content scanning and URL filtering focused on blocking such attacks at multiple levels.

Of course, there are other tricks and tools users may use (for example, browser plug-ins that mask the HTTP referrer), but the above tips provide some simple, common sense measures to help ensure your networks are better defended against SEO driven attacks.

* Quick guide to Search Engine Optimisation

Blackhat search engine optimisation (SEO) techniques describe the process by which individuals trick the search engines into ranking one of their malicious web pages high up in the search engine result listings.

These techniques have been used aggressively by malware authors because they provide a very effective way of controlling user web traffic:

  • use a kit to create the keyword-rich web SEO pages on popular topics
  • search engine bots then index these pages
  • users searching for these topics end up with links to the rogue SEO pages high up in the search engine results
  • user clicks on one of the rogue links
  • the SEO kit immediately redirects the user to the malicious web site

For more details, take a look at the technical paper we published last year.

Alternatively, you can watch a YouTube video illustrating an SEO attack in action:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

, , , , ,

You might like

9 Responses to Blackhat SEO poisoning topping the charts

  1. Ethan · 1248 days ago

    This showed up in my Facebook newsfeed, but even after reading some of it, I understand nothing.

  2. I consider myself moderately techie, and this article was hard to read and harder to understand.

    • Fraser Howard · 1248 days ago

      I have updated the post to include a brief guide to blackhat search engine optimisation, including a video of how these attacks work.

      Hopefully this will clarify things for you. Further details are included some of the links provided within the post.

  3. kristina · 1248 days ago

    Sorry, but I think the heavy use of terminology unfamiliar to many non-techie users rendered this post pretty unintelligible. In other words, "what?"

    Thanks for what you do. (Or try to do in any case) ;)

  4. Ryan · 1247 days ago

    Excellent article, thanks for keeping up the fight!

  5. Jeremy · 1247 days ago

    I'm sure Google will fix the cloaking issues soon. It's a big thing these days.

  6. Emma Coakes · 1243 days ago

    It's difficult for people writing about a very technical subject to get information across without confusing newbies. Not everything can be delivered in soup format, sometimes the meal has to be chewed. This article is a good starting point to gain deeper understanding of the subject. You open up a second screen and cross refer the bits you don't understand.

    In the old days it was called study.

    • Jon · 739 days ago

      Heh, heh...yes, Emma, amazing that people can't can't be bothered to either decide this topic isn't for them and not comment, or try and figure out what it's talking about. I'm afraid we're only on the small tip of the iceberg for PWMYs...

      (People Who Must Yap)

  7. Lew · 974 days ago

    It appears to me that the article is unnecessarily convoluted.
    Short version: bad people fool all-powerful megalith GOOGLE into putting nefarious web sites at top of popular trending web search results thereby increasing probability that surfers will click on said sites of evil. Once there, web site presents itself as benevolent helper, lulling surfer into false sense of security. It's like a horror movie when you (the viewer) are yelling at the screen: DON'T OPEN THAT DOOR!
    Lesson is: do NOT download anything that looks too good to be true.
    If you do, then for gosh sakes, DO NOT RUN IT.
    If you do run it, then you are responsible for whatever shenanigans ensue.

    How's that for simple?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.