Website Malware – SEO Poisoning

We’ve been seeing a lot of cases of SEO poisoning as of late and felt it was time to spend a little more time explaining it. That’s what this post will be about.

SEO, short for Search Engine Optimization is all the rave these days. Anybody that owns a website and is trying to make an impact or working to improve their traffic has heard the term, and has undoubtedly become an SEO expert. If you’re not familiar with SEO here is your quick definition:

…the process of affecting the visibility of a website or a web page in a search engine’s “natural” or un-paid (“organic”) search results.. – Source: Wikipedia

Many organizations will actually enlist the help of marketing consultants to assist in this optimization process and ranking on the first page is highly coveted by many. In essence, if you are able to rank on the first page for a specific keyword, phrase, subject, etc… you have the ability to generate a lot of traffic to your site. This in turn increasing the odds of visits, and if you’re an e-commerce site often equates to purchases, and if you’re a services company often equates to new clients. The idea is simple and highly effective, and what is even better is that most search engines like Bing, Yahoo and Google offer set criteria’s designed to improve your ranking within their searches.

It all sounds pretty awesome right?

Unfortunately, contrary to popular belief, you’re not the only one that knows this. Today it makes up the top 5 attacks we’re seeing on the web and quickly pushing its way up to number 1. It is becoming so prevalent we felt the need to do some homework to understand it better.

In that process we found a great paper by Sophos going back to 2010 and a great video by Chris Larson of Bluecoat.

In the video Chris explains why those SEO attacks are so valuable to attackers:

  • Tons of traffic == lots of potential victims
  • Users are in “explore mode”
  • Element of Trust
  • Built-in hackability
  • A lot of clutter

I found both the document and video very interesting. The Sopho’s report goes back to 2010 and it’s fascinating to see how prevalent drive-by-downloads were, specifically for fake anti-virus. In it however they make a very good point about why SEO attacks are leveraging existing sites. Although the document is dated, the comment is still very relevant:

By hosting the SEO attack within a legitimate site, the attackers are able to piggyback on the reputation of that site, making it harder for the search engines to identify and remove the rogue links.

If you then watch the video you hear Chris talk to how easy identifying SEP (search engine poisoning) attacks were a few years back. They often maintained very similar characteristics:

  • Large Scale – links farms == wide coverage and high score
  • Very Active
  • Easy to find “dangerous searches”

The challenge with that is how SEP has evolved. In our own experience, it is no longer this simple, and the majority of the SEP attacks revolve around Pharmaceutical injections. A recent study actually discusses why the Pharmaceutical Affiliate Marketing model has become so effective and how highly coveted it is with Blackhats today. If you’re wondering why, it’s because of how economically rewarding it is. That’s a post for another day though.

The good news is that principles of these SEP attacks are still the same today. In 2010 Sopho’s described the following:

At the heart of the SEO attack is the ability to feed search engine crawlers content to index and redirect users to malicious sites.

Today that is still key, but their methods have evolved. Today we’re seeing highly complex malware injections that are intelligent and able to adapt to the incoming traffic. Many are targeting the Search Engine IPs like Bing and Google, others are being wrapped into conditional logic that only presents itself when specific conditions are met, yet others are being tied into Command and Control nodes that are dictating what the site should do on visit.

More and more of them however are integrating themselves into the Pharmaceutical affiliate model as described above. What is perhaps most interesting about this is that those sites are rarely distributing drive-by-download payloads, instead they are being maintained in pristine condition with no other anomalies other than the improper redirection.

We are also seeing no real preference on the brand or traffic of the site. In fact it appears that they are more than content with low-hanging fruit than they are penetrating a high-ranking site with a well-known brand. This we find exceptionally interesting.

Many have undoubtedly experienced the impact of these SEP attacks. They often lead to the inevitable warning by Google, “This site may be compromised!” or “Something’s not right here!” We wrote a post describing these warnings earlier this year.

Unfortunately, there is no real solution to this problem. The threat landscape in which most websites live is just too large and most website owners really don’t care about it. That’s probably today’s biggest issue.

So where does that leave things today?


If you have any questions or comments about this post please leave a comment or send us an email at info@sucuri.net.

Scan your website for free:
About Tony Perez

Tony is the Co-Founder / CEO at Sucuri. He shares a deep passion for Information Security, Business and Brazilian JiuJitsu. He approaches the business the same as he trains BJJ, one move at a time and gently. You can follow him on twitter: @perezbox.