RSS Reveals Malware Injections

There are multiple different ways to detect invisible malware on a website:

  • You can scrutinize the HTML code of web pages.
  • Use external scanners like SiteCheck or UnmaskParasites.
  • Get alerts from anti-viruses or search engines (both in search results and via their Webmaster Tools).
  • Try to open web pages with different User-Agents and check for changes.
  • Sometimes it is even helpful to open a page using a script blocker (the disabled scripts may hide spammy links injected into web pages).

It’s not a definitive list and sometimes we see some interesting ways that malware reveals itself. This time I’ll show how a fake WordPress plugin that was injecting invisible links to a porn site unmasked itself in via RSS feeds.


Read More

Combat Blackhat SEO Infections with SEO Insights

Blackhat SEO spam is the plague of the internet, and the big search engines take it seriously.

One of the worst spam tactics on the internet is becoming more common every day: innocent websites are hacked, and their best pages begin linking to spam. These Blackhat SEO spam tactics are fighting for expensive, high-competition keywords like: viagra, payday loans, casino… and lately a lot of high fashion spam.

This is a topic we write about often – it is rampant, after all. This time we’re going to dig into why it happens, what makes your site such an attractive target, and the SEO tools that can help you.


Read More

Spotting Malicious Injections in Otherwise Benign Code

Being able to spot suspicious code, and then determine whether it is benign or malicious is a very important skill for a security researcher. Every day we scan through megabytes of HTML, JS and PHP. It’s quite easy to miss something bad, especially when it doesn’t visually stick out and follows patterns of a legitimate code.

Let’s take a look at this screenshot:

seo-position-report .net  - Good or Bad?

seo-position-report .net – Good or Bad?

We can see two scripts at the bottom of the HTML code. The scripts are not obfuscated, have variables with clear names (seoJsHost, amount, orderId) and comments. The structure and placement of the scripts resembles Google’s scripts (e.g. Google Analytics). And we can see that the first script loads a JS file from “seo-position-report .net/SEO-report/js/seoTrac.js“, which suggests that it’s some kind of SEO tracker.

So far so good. There are many little-known third-party trackers — it’s probably one of those. It’s typical for them to load additional scripts from their sites.

The second script most likely configures the code loaded by the first script and prepares it to work with the current site. Quite plausible. So nothing suspicious — let’s move on to the next file…

Stop! Not so fast. You should not trust the code that you see for the first time. Let’s dig deeper, what exactly does the seoTrac.js do? Here is the complete source code:

window.location='http://js.seo-position-report.net';

It’s a page redirection code. It always redirects visitors to that js.seo-position-report.net page. This is not an expected behavior for a script that positions itself as a tracker. Moreover, this redirect prevents execution of the second script.

Now it’s clear that both scripts are simply masking the unwanted redirect and can be considered malicious, regardless of what that js.seo-position-report.net does. By the way, currently it redirects to various ad networks which point to scam ads, adultfriendfinder, and sometimes to parked domains.

Don’t Judge a Book by It’s Cover

What looked quite benign at the first glance, ended up being malicious after a more thorough analysis. So don’t be fooled by the look of code. Scrutinize everything that you can’t recognize.

As a website owner or webmaster, you should be familiar with all the third-party scripts that your website uses so that you could easily spot anything that doesn’t belong. I realize, that it may be not trivial for modern sites that use dozens of different scripts. No problem, you need to employ some sort of integrity control for your site. For example, use a version control system, or simply compare (e.g. diff) server files with canonical backup copies. This way you’ll eliminate the “human factor” and won’t need to rely on your code reading skills only.

Not Just Pills or Payday Loans, It’s Essay SEO SPAM!

Remember back in school or college when you had to write pages and pages of long essays, but had no time to write them? Or maybe you were just too lazy? Yeah, good times. Well, it seems like some companies are trying to end this problem. They are offering services where clients pay them to write these essays for you.

Essay SEO SPAM

The problem is that this is not only wrong, but it’s also becoming a competitive market where some companies are leveraging SEO SPAM to gain better rankings on search engines (i.e., Google, Bing). They are also using popular sites like bleacherreport.com and joomlacode.org to add their spam links.

Here are a couple example URL’s from sites that got hit (URL’s are still showing SPAM):

Read More

The Story of Clip:rect – A Black Hat SEO Trick

We regularly write about Black Hat SEO hacks here. Such hacks help hackers monetize their access to compromised sites by incorporating them into massive schemes that try to manipulate search engine results for queries that potential clients may be interested in. Think of gray areas like: payday loans, pharmaceuticals, counterfeit drugs and luxury goods.

As you know, search ranking is all about the number and quality of inbound links to your site. To promote a web page, spammers need to place a link to them on as many sites as possible. This is why injecting spammy links into hacked sites is an important step for most Black Hat SEO schemes.

You can’t simply add links to someone else’s pages and expect that the site owner will tolerate it, so hackers make such links invisible to normal site visitors and visible to search engine bots.

There are many tricks they can be used to hide links. It can be a sophisticated server-side cloaking (detecting search bots by IP/UA and injecting the SPAM on the fly), or a simple HTML trick like setting styles to display:none. In this post, we’ll talk about something in the middle, a trick that involves deceptive JavaScript and creative use of CSS.


Read More

Website Malware – SEO Poisoning

We’ve been seeing a lot of cases of SEO poisoning as of late and felt it was time to spend a little more time explaining it. That’s what this post will be about.

SEO, short for Search Engine Optimization is all the rave these days. Anybody that owns a website and is trying to make an impact or working to improve their traffic has heard the term, and has undoubtedly become an SEO expert. If you’re not familiar with SEO here is your quick definition:

…the process of affecting the visibility of a website or a web page in a search engine’s “natural” or un-paid (“organic”) search results.. – Source: Wikipedia

Many organizations will actually enlist the help of marketing consultants to assist in this optimization process and ranking on the first page is highly coveted by many. In essence, if you are able to rank on the first page for a specific keyword, phrase, subject, etc… you have the ability to generate a lot of traffic to your site. This in turn increasing the odds of visits, and if you’re an e-commerce site often equates to purchases, and if you’re a services company often equates to new clients. The idea is simple and highly effective, and what is even better is that most search engines like Bing, Yahoo and Google offer set criteria’s designed to improve your ranking within their searches.

It all sounds pretty awesome right?

Read More