Is this the resurgence of Blackhat SEO?

Filed Under: Malware, SophosLabs

At the start of 2011, blackhat SEO was very much alive and kicking, and was being aggressively used to infect users with malware [1,2]. By May 2011, our detection for the malicious redirect used in these attacks, Mal/SEORed, was dominating our threat stats.

Note: For readers who want a quick recap on how blackhat SEO works, please see the end of this post.

Since then, blackhat SEO seems to have become much less of a problem; in fact it practically dropped out of the top threat charts. Why? The most likely reason is also the simplest: the links to poisoned web pages were no longer being presented to users in their search engine results, presumably because the search engines got better at filtering out the rogue links, or at least at ranking them far lower in the results.

In recent weeks, however, I have seen a notable rise in the volume of Mal/SEORed reports. Does that indicate that there really is a resurgence in blackhat SEO? Or is it simply a case of people stumbling across legacy poisoned pages that present no real threat today? In this post I take a look at some recent poisoned SEO pages that we have blocked in the field, in order to answer these questions.

So, are these SEO pages actually a risk to users today?

In a word, yes. I checked several of the recent poisoned SEO pages we have blocked, and arriving at each via a search engine resulted in getting redirected to a malicious scareware site. The usual scareware social engineering is used to trick users into installing 'Windows Secure Kit 2011'.

If you download and run the fake security application, the familiar SecurityShield GUI is displayed.

From this point onwards the scareware is pretty aggressive in trying to persuade the user to cough up and register the product. Attempts to run any application or browse to any web site are blocked, with fake error messages displayed instead.

The scareware installed via these SEO chains is current, not some legacy payload from mid-2011. The executables I have seen are using recent obfuscation methods (seen elsewhere over the last 24-48 hours).

So we can conclude that the current SEO pages are part of active attacks infecting users with current malware.

Whether the pages present a real risk to a given user depends on how well each step in the attack chain is defended. Sophos customers are protected from these attacks on several levels:

  • we block poisoned SEO pages as Mal/SEORed-A
  • we block the scareware landing pages as Mal/FakeAvJs-A
  • we proactively detect scareware payload as Mal/FakeAV-PY
  • the scareware sites being used have been blacklisted since early January

So with the correct layered protection in place, users are well protected from these blackhat SEO attacks.

What about the SEO kits being used to manage these attacks?

I was then interested to find out more about how these attacks are being orchestrated. How current are the SEO kits being used? How are they compromising host web sites? Previously we have described in detail how these kits operate.

Taking a closer look at some of the sites hosting the recent SEO pages revealed some interesting things. Firstly, the URLs hosting the SEO kit suggest (although at this point we can only speculate) that WordPress and WordPress plugin vulnerabilities are being exploited in order to compromise the sites.

[removed].com/wp-content/themes/...snip...
[removed].com/wp-content/plugins/...snip...
[removed].com.au/wp-content/gallery/...snip...
[removed].co.uk/wp-content/plugins/...snip...
[removed].com/wp-content/themes/...snip...
[removed].nl/wp-content/themes/...snip...
[removed].com/wp-content/plugins/akismet/...snip...
[removed].com/wp-content/themes/digg3/...snip...
[removed].com/blog/wp-content/...snip...
[removed].de/wp-content/plugins/...snip...

Rather ironically, one of the SEO kits found was hosted on a site selling WordPress plugin software!

All incoming page requests are directed to the central SEO kit with the use of a .htaccess file.

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /wp-content/path/path/filename.php?q=$1 [L]

As you can see, every request for a path that does not exist on disk as a file or directory is routed to the central PHP script, with the requested path passed in the q parameter. That script then determines whether the request comes from a search engine crawler or from a user clicking through from a search engine results page: crawlers are fed the keyword-rich content for indexing, while users are redirected to the scareware site. Simple.
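To make the two branches concrete, here is an added example (my own illustration, not the kit's code) that models the dispatcher behind that RewriteRule and, alongside it, the check a site owner can run to catch it: request the same path as a crawler, as a visitor arriving from a results page, and directly, and compare the answers. The crawler User-Agent markers, the search-engine referer hosts, the scareware.invalid redirect target and the "plain 404 for everyone else" branch are assumptions made for illustration; the post does not say what the real kit serves to direct visitors.

```python
"""Added example: a model of the cloaking dispatcher the post describes, and the
check a site owner can run against it. This is not the kit's code. The crawler
User-Agent markers, the search-engine referer hosts, the redirect target and the
'404 for everyone else' branch are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlparse

CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "slurp")     # assumed list of crawler UA substrings
SEARCH_REFERER_HOSTS = ("google.", "bing.", "yahoo.")      # assumed list of results-page hosts
SCAREWARE_URL = "http://scareware.invalid/"                # placeholder; .invalid never resolves


@dataclass
class Request:
    path: str           # original path; the .htaccess rule passes it to the script as ?q=<path>
    user_agent: str
    referer: str = ""


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""


def search_terms(referer: str) -> List[str]:
    """Return the search words if the referer is a search-engine results page, else []."""
    u = urlparse(referer)
    if not any(h in u.netloc.lower() for h in SEARCH_REFERER_HOSTS):
        return []
    qs = parse_qs(u.query)
    terms = qs.get("q") or qs.get("p") or []     # Google/Bing use q=, Yahoo used p=
    return terms[0].split() if terms else []


def dispatch(req: Request) -> Response:
    """What filename.php?q=<path> does with a request, in three branches."""
    ua = req.user_agent.lower()
    if any(m in ua for m in CRAWLER_UA_MARKERS):
        # Crawler: serve a keyword-stuffed page built from the requested path,
        # so the engine indexes this URL under that phrase.
        phrase = req.path.strip("/").replace("-", " ") or "home"
        return Response(200, "<title>%s</title>%s" % (phrase, " ".join([phrase] * 20)))
    if search_terms(req.referer):
        # Human arriving from a results page: bounce to the scareware site.
        return Response(302, location=SCAREWARE_URL)
    # Assumption: everyone else (the site owner typing the URL, a scanner with no
    # referer) gets a plain 404, which is why the injected pages go unnoticed.
    return Response(404, "Not Found")


def cloaking_indicators(fetch: Callable[[Request], Response], path: str) -> Dict[str, object]:
    """Request the same path three ways and report where the answers differ.
    fetch() is injected so this runs offline against dispatch(); for a live site
    replace it with a real HTTP client that does not follow redirects."""
    browser = "Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0"
    as_crawler = fetch(Request(path, "Mozilla/5.0 (compatible; Googlebot/2.1)"))
    as_searcher = fetch(Request(path, browser, "http://www.google.com/search?q=" + path.strip("/")))
    as_direct = fetch(Request(path, browser))
    return {
        "crawler_gets_content": as_crawler.status == 200 and as_crawler.body != as_direct.body,
        "search_visitor_redirected": as_searcher.status in (301, 302) and bool(as_searcher.location),
        "redirect_target": as_searcher.location,
        "cloaked": (as_crawler.status != as_direct.status
                    or as_crawler.body != as_direct.body
                    or as_searcher.status != as_direct.status),
    }


if __name__ == "__main__":
    print(cloaking_indicators(dispatch, "/cheap-flights"))
```

The point of the three-way comparison is that checking your own site from a browser proves nothing: with no search referer and no crawler User-Agent you land in the third branch and see a 404. On a live site the same test is `curl -i -A "<crawler UA>" URL`, `curl -i -e "http://www.google.com/search?q=..." URL` and a plain `curl -i URL`; any difference in status, body or Location header between the three is the indicator.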

The timestamps of some of the PHP scripts I have managed to get hold of suggest they were uploaded to (or updated on) the host web sites quite recently (late 2011). Some have very recent timestamps - late January 2012.

So it would seem that the PHP scripts are not forgotten leftovers from early 2011 activity. They are active, current kits being used for scareware distribution.

The worst bit (for site admins at least) - remote access shells...

As if having an SEO kit uploaded to your site is not bad enough, there is a sting in the tail for site admins. On most of the sites I checked, a remote access shell had been uploaded to the site as well. These generic toolkits give the attacker a remote administration console from which they can perform pretty much any task the web server's user can.

This includes reading through every script on your site, and perhaps even accessing your MySQL or MSSQL databases! Remote access shells are bad.

A screenshot of one of the remote access shells found alongside the SEO kits is shown below.

I have highlighted the remote access shell (underlined in blue) and the SEO kit (underlined in red). As you can see, the SEO kit has a pretty recent timestamp (Jan 22nd 2012).
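For an admin who suspects their WordPress site is one of these hosts, the findings above translate into three things to look for: a catch-all RewriteRule in .htaccess that sends missing paths into a .php script under wp-content, .php files under wp-content with recent modification times, and .php files that call the primitives generic web shells depend on. The following added example (my own triage script, not anything from the post or from the kits described) walks a document root for all three. The regular expressions, the "no PHP belongs here" directory list and the sample tree built by build_sample_site() are constructed for the example; the plugin, theme and file names in it are placeholders, not the truncated paths listed above.

```python
"""Added example (not from the post): triage a WordPress document root for the
three things the post describes finding on compromised hosts: a catch-all
RewriteRule in .htaccess that sends missing paths to a PHP script under
wp-content, PHP files under wp-content with recent timestamps, and PHP files
containing the primitives generic web shells depend on. The patterns, the
directory list and the sample tree from build_sample_site() are constructed."""
import os
import re
import shutil
import tempfile
import time
from typing import Dict, List

# RewriteRule whose target is a .php script under wp-content (assumed signature of the kit's rule)
REWRITE_TO_PHP = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S*wp-content\S*\.php\S*)", re.I | re.M)
# Calls nearly every generic PHP shell makes. Legitimate plugins use some of these
# too, so a hit is a file to read, not proof of compromise.
SHELL_PRIMITIVES = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|passthru|shell_exec|system|proc_open|popen)\s*\(", re.I)
# WordPress itself never ships .php under these; anything there was put there by someone (assumed list)
UPLOAD_DIRS = ("wp-content/uploads", "wp-content/gallery")


def triage_site(root: str, modified_since: float) -> Dict[str, List[str]]:
    """Walk root and return the indicators found, keyed by type, sorted for stable output."""
    findings: Dict[str, List[str]] = {
        "rewrite_to_php": [], "recent_php": [], "php_in_uploads": [], "shell_primitives": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == ".htaccess":
                with open(full, errors="replace") as fh:
                    for m in REWRITE_TO_PHP.finditer(fh.read()):
                        findings["rewrite_to_php"].append("%s -> %s" % (rel, m.group(1)))
                continue
            if not name.lower().endswith(".php"):
                continue
            # Timestamps are evidence, not proof: an attacker can touch(1) a file
            # back to look old, so an old mtime does not clear a file.
            if os.path.getmtime(full) >= modified_since:
                findings["recent_php"].append(rel)
            if any(rel.startswith(d + "/") for d in UPLOAD_DIRS):
                findings["php_in_uploads"].append(rel)
            with open(full, errors="replace") as fh:
                hits = sorted({m.group(1).lower() for m in SHELL_PRIMITIVES.finditer(fh.read())})
            if hits:
                findings["shell_primitives"].append("%s: %s" % (rel, ", ".join(hits)))
    for v in findings.values():
        v.sort()
    return findings


def build_sample_site() -> str:
    """Constructed WordPress-like tree mimicking the post's findings. Caller removes it."""
    root = tempfile.mkdtemp(prefix="wpsite-")
    files = {
        ".htaccess": ("RewriteEngine On\nRewriteCond %{REQUEST_FILENAME} !-f\n"
                      "RewriteCond %{REQUEST_FILENAME} !-d\n"
                      "RewriteRule ^(.*)$ /wp-content/plugins/exampleplugin/router.php?q=$1 [L]\n"),
        "wp-content/plugins/exampleplugin/exampleplugin.php": "<?php // legitimate plugin, untouched\n",
        "wp-content/plugins/exampleplugin/router.php":
            "<?php // stand-in for the SEO kit dispatcher\n"
            "if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) { echo $_GET['q']; }\n"
            "else { header('Location: http://scareware.invalid/'); }\n",
        "wp-content/uploads/2012/01/sh.php":
            "<?php // stand-in for a generic web shell\n"
            "@eval(base64_decode($_POST['c'])); passthru($_GET['cmd']);\n",
        "wp-content/themes/exampletheme/style.css": "body { margin: 0; }\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    # Age the legitimate plugin file by a year so only the planted files look recent.
    old = time.time() - 365 * 86400
    os.utime(os.path.join(root, "wp-content", "plugins", "exampleplugin", "exampleplugin.php"), (old, old))
    return root


def demo() -> Dict[str, List[str]]:
    """Build the sample tree, flag PHP changed in the last 30 days, then clean up."""
    root = build_sample_site()
    try:
        return triage_site(root, modified_since=time.time() - 30 * 86400)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Run it against a real document root with `triage_site("/var/www/html", modified_since=<epoch>)` and read every hit by hand: the rewrite finding is close to conclusive on its own, whereas the primitive scan will also flag legitimate plugins. Treat the timestamp list as a starting point only; a clean-looking mtime says nothing when the attacker already has a shell that can reset it.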

To conclude this post I will reiterate my answers to the questions I posed at the start. From what I have seen, there does seem to have been increased activity in blackhat SEO in recent weeks. The increase in Mal/SEORed threat reports that we have seen reflects an increase in users clicking through to the poisoned pages from search engine results. This implies the attackers are having increased success in getting their poisoned pages ranked sufficiently high up in the search engine results.

Right now, the payload still appears to be scareware. It will be interesting to track these attacks closely and see whether a corresponding rise in the volume of scareware threat reports follows.


5 Responses to Is this the resurgence of Blackhat SEO?

  1. Dennis Cox · 989 days ago

    WordPress.com could help in this arena if they wanted to. Spam comments that tell you your search engine ratings suck, and offering to install SEO kits that promise to help improve your site's standing are all too common.

    For anyone who's just a little suspicious, they are easy enough to spot, and delete. Akismet did a good job of flagging them as spam. And for a while there I was deleting two, or three a day. If the folks at WordPress were to put a "report as malware" button on the dashboard, in addition to the ones that let you approve, or reject and delete, a comment, it would go a long way to improving security for beginner bloggers who are still gullible enough to fall for those tricks.

  2. Bill · 988 days ago

    Good information, but I didn't see anything about how a user can avoid getting infected once the Window Security Kit splashes onto their screen. Will the Cancel button do it? Will clicking the big red X do it? Or should users use the Task Manager to close the browser window? Or is it too late, and the infection is already onboard? It's good to warn everyone, but take the next step and tell everyone how to avoid and get rid of....

    • Fraser Howard · 988 days ago

      If you happen to hit one of these poisoned SEO pages and get redirected to the scareware site, do not fall for the social engineering tricking you into believing you have a problem. At this point, your machine will not be infected.

      Most of these pages will attempt to download the fake AV executable if you click on the page, so probably best to simply close down your browser.

      Better still, ensure you have good quality protection and URL filtering in place and you would never have got there in the first place :)

  3. rose · 957 days ago

    Thanks a lot for the information, but I need more clarification if you don't mind. When Windows Secure Kit 2012 appeared on my screen I pressed start scanning, and after it finished I pressed both remove all and cancel :( Then a box appeared asking if I want to run, download, or cancel, and I pressed cancel. I downloaded nothing. Does this mean my computer is safe and Windows Secure Kit 2012 is not on my computer now?
    Thanks in advance.

    • Fraser Howard · 941 days ago

      Yes, if you recognised the social engineering at the fake AV web page, and did not download and run the executable, you are fine.


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.