SEO techniques and malware: Don’t move or I’ll redirect!

Search engine optimisation (SEO) techniques have received a fair amount of attention recently, thanks mostly to their use in fake AV distribution. In this blog, I will describe an interesting piece of JavaScript I came across whilst investigating some SEO pages.

In a typical SEO attack, when the victim clicks through to the SEO page from the search engine results, they are immediately redirected to the target site (be that designed to infect them with malware or show them spammy services/goods). This is normally achieved using one of the following methods:

  • 302 redirect
  • JavaScript driven redirect
  • Flash (ActionScript) driven redirect
  • META redirect

The SEO pages I was looking at this week used an interesting piece of JavaScript for the redirection. The script is shown below:

As you can see, the redirection is a little more obscure than the usual simplistic location.href=_some_url_! The script adds an event listener to the document, using addEventListener for Mozilla-based and other standards-compliant browsers and attachEvent for IE.

Upon the mousemove event firing, the exit() function is called, incrementing a counter. Once that counter hits 3, an anchor element is added to the page, and the redirection is delivered. A curious exercise in making the simple overly complex and cumbersome! It looks like a “hiding in plain sight” tactic: a redirect that only fires after the user has moved the mouse a few times does nothing when the page is merely loaded, so analysis that does not emulate user interaction never sees it.
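The point about interaction-gated redirects is easiest to see with a small analysis harness. The following is an added example and not code from the original post or from Sophos: it fakes just enough of the DOM (document, location, an anchor whose click() counts as navigation) to run a suspect script, replays synthetic mousemove events, and reports whether and after how many events a redirect fires. The SAMPLE script is constructed to follow the behaviour described above (the real Troj/JSRedir-BU script is not reproduced), and its target URL is a placeholder; the anchor-click delivery is an assumption.

```javascript
// Added example (not from the original post): offline harness that emulates the DOM
// surface a mousemove-gated redirector needs and replays synthetic mouse movement.
function analyseScript(src, mouseMoves, ieMode = false) {
  const handlers = [];
  const report = { listeners: [], anchorsAdded: 0, redirectedTo: null, movesNeeded: null };

  // Fake anchor: clicking it is treated as navigation to its href.
  const makeAnchor = () => ({ tagName: 'A', href: '', click() { report.redirectedTo = this.href; } });

  const document = {
    addEventListener(type, fn) { report.listeners.push('addEventListener:' + type); handlers.push({ type, fn }); },
    // IE-style registration uses 'onmousemove'; normalise to the DOM event name.
    attachEvent(type, fn) { report.listeners.push('attachEvent:' + type); handlers.push({ type: type.replace(/^on/, ''), fn }); },
    createElement(tag) { return tag.toLowerCase() === 'a' ? makeAnchor() : { tagName: tag.toUpperCase() }; },
    body: { appendChild(el) { if (el.tagName === 'A') report.anchorsAdded++; } },
  };
  if (ieMode) delete document.addEventListener; // force the attachEvent branch, as old IE would
  // Direct assignment to location.href is also recorded as a redirect.
  const location = { set href(v) { report.redirectedTo = v; }, get href() { return 'http://seo-page.example/'; } };
  const window = { document, location };

  // Run the suspect script with the fakes in scope instead of a real browser.
  new Function('window', 'document', 'location', src)(window, document, location);

  // Replay mouse movement one event at a time until a redirect is observed.
  for (let i = 1; i <= mouseMoves && report.redirectedTo === null; i++) {
    for (const h of handlers) if (h.type === 'mousemove') h.fn({ type: 'mousemove' });
    if (report.redirectedTo !== null) report.movesNeeded = i;
  }
  return report;
}

// Constructed sample (not the real Troj/JSRedir-BU script) following the behaviour
// described in the post: count mousemove events, act on the third. Target is a placeholder.
const SAMPLE = `
  var n = 0;
  function exit() {
    n++;
    if (n == 3) {
      var a = document.createElement('a');
      a.href = 'http://target.example/';
      document.body.appendChild(a);
      a.click();
    }
  }
  if (document.addEventListener) document.addEventListener('mousemove', exit, false);
  else document.attachEvent('onmousemove', exit);
`;

// A harness that never moves the mouse sees nothing; one that replays a few moves catches it.
console.log(analyseScript(SAMPLE, 0).redirectedTo); // null
console.log(analyseScript(SAMPLE, 10));             // redirectedTo set, movesNeeded 3
```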

The target of the redirect is changing (of course), but thus far the SEO efforts seem to have been focused on shifting software and other products.

In addition to blocking access to the target spammy pages via URL filtering, the malicious redirect script is also blocked as Troj/JSRedir-BU by Sophos products.