In a typical SEO attack, when the victim clicks through to the SEO page from the search engine results, they are immediately redirected to the target site (be that designed to infect them with malware or show them spammy services/goods). This is normally achieved using one of the following methods:
- 302 redirect
- Flash (ActionScript) driven redirect
- META redirect
As you can see, the redirection is a little more obscure than the usual simplistic location.href=_some_url_! The script adds an event listener to the document using addEventListener or attachEvent for Mozilla et al. and IE respectively. On the mousemove event firing, the exit() function is called, incrementing a counter. Once that counter hits 3, an anchor element is added to the page, and the redirection is delivered. A curious exercise in making the simple overly complex and cumbersome! It seems like the use of "hiding in plain sight" tactics in an attempt to evade detection.
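The behaviour described above can be flagged statically. The following is an added example, not the original script and not Sophos detection logic: a heuristic that finds named mousemove handlers and checks their bodies for a counter, a threshold test and anchor creation or navigation. Both sample scripts, the URL and every name other than exit() are constructed, and the heuristic assumes a named, unobfuscated handler.

```javascript
// Added example: static heuristic for a mousemove-gated redirect (constructed samples).
const REGISTRATION =
  /(?:addEventListener\s*\(\s*['"]mousemove['"]|attachEvent\s*\(\s*['"]onmousemove['"])\s*,\s*([A-Za-z_$][\w$]*)/g;

// Return the brace-balanced body of `function <name>(...) {...}`, or "" if absent.
function handlerBody(src, name) {
  const decl = new RegExp("function\\s+" + name.replace(/\$/g, "\\$") + "\\s*\\(");
  const start = src.search(decl);
  const open = start < 0 ? -1 : src.indexOf("{", start);
  if (open < 0) return "";
  for (let i = open, depth = 0; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(open, i + 1);
  }
  return "";
}

// One finding per distinct mousemove handler, with the indicators seen in its body.
function analyze(src) {
  const findings = new Map();
  for (const [, handler] of src.matchAll(REGISTRATION)) {
    const body = handlerBody(src, handler);
    const counter = /\+\+|\+=\s*1\b/.test(body);            // handler counts its calls
    const threshold = /[=<>]=+\s*\d+|[<>]\s*\d+/.test(body); // compares against a number
    const anchor = /createElement\s*\(\s*['"]a['"]\s*\)/i.test(body);
    const navigation = /\blocation\b/.test(body);
    findings.set(handler, { handler, counter, threshold, anchor, navigation,
      suspicious: counter && threshold && (anchor || navigation) });
  }
  return [...findings.values()];
}

// Constructed sample following the description: third mousemove adds an anchor.
const SAMPLE_GATED = `
var n = 0;
function exit() {
  n++;
  if (n == 3) {
    var a = document.createElement('a');
    a.href = 'http://target.example.invalid/';
    document.body.appendChild(a);
  }
}
if (document.addEventListener) document.addEventListener('mousemove', exit, false);
else document.attachEvent('onmousemove', exit);
`;
// Constructed benign sample: a tooltip that follows the pointer.
const SAMPLE_BENIGN = `
function track(e) { tip.style.left = e.clientX + 'px'; }
document.addEventListener('mousemove', track, false);
`;
console.log(analyze(SAMPLE_GATED), analyze(SAMPLE_BENIGN));
```

A crawler that never generates pointer events will not see the redirect fire, which is why the check looks at the handler's code rather than at observed navigation.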
The target of the redirect is changing (of course), but thus far the SEO efforts seem to have been focused on shifting software and other products.
In addition to blocking access to the target spammy pages via URL filtering, the malicious redirect script is also blocked as Troj/JSRedir-BU by Sophos products.