Regular readers will have seen numerous recent SophosLabs blogs describing how attackers are poisoning search engine results in order to hit victims with malware [2,4]. In recent months, these type of Search Engine Optimisation (SEO) attacks have become a route through which fake anti-virus malware is being distributed .
One thing common to the attacks is that the SEO pages are hosted within legitimate sites. This makes it harder for the search engines to identify the rogue pages, and exclude them from search results. It also lets the SEO pages piggyback on the reputation of that host site, which may help boost the search engine ranking. As an example, the map below shows the global distribution of sites that SophosLabs have seen over the last week which are (unknowingly) hosting one specific SEO attack.
As you can see, in this case the problem is not limited to a single hosting provider. Sites hosted by numerous hosting providers have been compromised, and are being used to host the SEO pages that lure victims to malware.
I am pleased to say that today, SophosLabs have published a new technical paper that describes how these SEO attacks are being managed, by analyzing a selection of the kits that are being used by the attackers.
Any comments are most welcome.