Is this the resurgence of Blackhat SEO?

At the start of 2011, blackhat SEO was very much alive and kicking, and was being aggressively used to infect users with malware [1,2]. By May 2011, our detection for the malicious redirect used in these attacks, Mal/SEORed, was dominating our threat stats.

Note: For readers who want a quick recap of how blackhat SEO works, please see the end of this post.

Since then, blackhat SEO seems to have become much less of a problem. In fact it practically dropped out of the top threat charts. Why? The most likely reason is also the simplest – the links to poisoned web pages were no longer being presented to users in their search engine results, most probably because the search engines became more effective at filtering out the rogue links, or at least at ranking them far lower in the results.

In recent weeks however, I have seen a notable rise in the volume of Mal/SEORed reports. Does that indicate that there really is a resurgence in blackhat SEO? Or is it simply a case of people stumbling across legacy poisoned pages that present no real threat today? In this post, I will take a look at some recent poisoned SEO pages that we have blocked in the field in order to attempt to answer these questions.

So, are these SEO pages actually a risk to users today?

In a word, yes. I checked several of the recent poisoned SEO pages we have blocked, and arriving at each via a search engine resulted in getting redirected to a malicious scareware site. The usual scareware social engineering is used to trick users into installing ‘Windows Secure Kit 2011’.

If you download and run the fake security application, the familiar SecurityShield GUI is displayed.

From this point onwards, the scareware is pretty aggressive in trying to persuade the user to actually cough up and register the product. Attempts to run any application, or browse to any web site, are blocked, with fake error messages displayed instead.

The scareware installed via these SEO chains is current, not some legacy payload from mid-2011. The executables I have seen are using recent obfuscation methods (seen elsewhere over the last 24-48 hours).

So we can conclude that the current SEO pages are part of active attacks infecting users with current malware.

As to whether the pages present a real risk, to answer that you need to evaluate how well the various steps in the attack are defended. Sophos customers are protected from these attacks on several levels:

  • we block poisoned SEO pages as Mal/SEORed-A
  • we block scareware landing pages as Mal/FakeAvJs-A
  • we proactively detect scareware payload as Mal/FakeAV-PY
  • the scareware sites being used have been blacklisted since early January

So with the correct layered protection in place, users are well protected from these blackhat SEO attacks.

What about the SEO kits being used to manage these attacks?

I was then interested to find out more about how these attacks are being orchestrated. How current are the SEO kits being used? How are they compromising host web sites? Previously we have described in detail how these kits operate.

Taking a closer look at some of the sites hosting some of the recent SEO pages revealed some interesting things. Firstly, looking at the URLs hosting the SEO kit, we can speculate that WordPress (and WordPress plugin) vulnerabilities are being exploited in order to compromise the sites.

Rather ironically, one of the SEO kits found was hosted on a site selling WordPress plugin software!

All incoming page requests are directed to the central SEO kit with the use of a .htaccess file.

RewriteEngine On
# Only rewrite requests that do not resolve to a real file or directory
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Send everything else to the kit's PHP script, passing the requested path in q=
RewriteRule ^(.*)$ /wp-content/path/path/filename.php?q=$1 [L]

As you can see, all (non-file/directory) requests are directed to the central PHP script, which then determines whether the request is from a search engine crawler or from a user clicking through from a search engine. Crawlers are fed the keyword-rich content for indexing. Users are redirected to the scareware site. Simple.
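A site admin can audit their own .htaccess for this pattern. The following is an added example (not code from the original post or from Sophos) that parses RewriteRule lines and flags catch-all rewrites that funnel the whole site into a single PHP script; the two sample files are constructed here, one from the rules quoted above and one from the stock WordPress permalink block, which also rewrites every non-file request but only ever to /index.php.

```python
import re

# Constructed sample 1: the rewrite block quoted in the post (the kit's rules)
SUSPECT_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /wp-content/path/path/filename.php?q=$1 [L]
"""

# Constructed sample 2: the stock WordPress permalink block (benign)
STOCK_WP_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

# Patterns that match every request path
CATCH_ALL = {"^(.*)$", ".*", ".", "^.*$", "(.*)"}

def parse_rewrite_rules(text):
    """Return (pattern, target, flags) for each RewriteRule line, ignoring comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "rewriterule" and len(parts) >= 3:
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            rules.append((parts[1], parts[2], flags))
    return rules

def audit_htaccess(text):
    """Flag catch-all rewrites whose target is not WordPress's own front controller."""
    findings = []
    for pattern, target, flags in parse_rewrite_rules(text):
        if pattern not in CATCH_ALL or target == "-":
            continue  # not a catch-all, or a pass-through rule
        path, _, query = target.partition("?")
        reasons = []
        if path != "/index.php":
            reasons.append("catch-all target is not WordPress's /index.php")
        if "/wp-content/" in path and path.endswith(".php"):
            reasons.append("target script lives under wp-content (plugin/upload area)")
        if "$1" in query:
            reasons.append("requested path is forwarded to the script as a query parameter")
        if reasons:
            findings.append({"rule": f"RewriteRule {pattern} {target}", "reasons": reasons})
    return findings
```

A clean WordPress install produces no findings; the quoted kit rule is reported with all three reasons, and any hit should prompt a look at the target script and the timestamps of other PHP files under wp-content.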

The timestamps of some of the PHP scripts I have managed to get hold of suggest they were uploaded to (or updated on) the host web sites quite recently (late 2011). Some have very recent timestamps – late January 2012.

So it would seem that the PHP scripts are not forgotten leftovers from early 2011 activity. They are active, current kits being used for scareware distribution.

The worst bit (for site admins at least) – remote access shells…

As if having an SEO kit uploaded to your site is not bad enough, there is a sting in the tail for site admins. In most of the sites I checked, there was a remote access shell uploaded to the site as well. These generic toolkits provide the attacker with a remote access console from which they can perform pretty much any administrative task.

This includes sniffing through all the scripts on your site, and perhaps even accessing your MySQL or MSSQL databases! Remote access shells are bad.

A screenshot of one of the remote access shells found alongside the SEO kits is shown below.

I have highlighted the remote access shell (underlined in blue) and the SEO kit (underlined in red). As you can see, the SEO kit has a pretty recent timestamp (Jan 22nd 2012).

To conclude this post I will reiterate my answers to the questions I posed at the start. From what I have seen, there does seem to have been increased activity in blackhat SEO in recent weeks. The increase in Mal/SEORed threat reports that we have seen reflects an increase in users clicking through to the poisoned pages from search engine results. This implies the attackers are having increased success in getting their poisoned pages ranked sufficiently high up in the search engine results.

Right now, the payload still appears to be scareware. It will be interesting to track these attacks closely and see if we see a corresponding rise in the volume of scareware threat reports.