Sucuri Blog
Website Malware – SEO Poisoning Spam

November 20, 2012, by Tony Perez


Lately, we’ve been seeing a lot of SEO poisoning cases and felt it necessary to spend a little more time explaining them.

SEO (Search Engine Optimization) is all the rage these days. Anybody who owns a website and is trying to make an impact or working to improve their traffic has heard the term, and has undoubtedly become an SEO expert. If you’re not familiar with SEO, here is your quick definition:

…the process of affecting the visibility of a website or a web page in a search engine’s “natural” or un-paid (“organic”) search results. – Source: Wikipedia

Many organizations will actually enlist the help of marketing consultants to assist in this optimization process. Ranking on the first page is highly coveted by many. In essence, if you are able to rank on the first page for a specific keyword, phrase, subject, etc., then you have the ability to generate a lot of traffic to your site. This in turn increases the odds of visits. If you’re an ecommerce site, this equates to purchases. And if you’re a services company, this often equates to new clients. The idea is simple and highly effective. What is even better is that most search engines like Bing, Yahoo, and Google offer set criteria designed to improve your ranking within their searches.

It all sounds pretty awesome right?

Unfortunately, you’re not the only one who knows this. Today, SEO spam is one of the top five attacks we’re seeing on the web, and it’s quickly pushing its way up to number one. With SEO attacks becoming so prevalent, we felt the need to do some homework to better understand them.

In the process we found a great paper by Sophos from 2010 and a great video by Chris Larson of Bluecoat.

In the video Chris explains why SEO attacks are so valuable to attackers:

  • Tons of traffic = lots of potential victims.
  • Users are in “explore mode”
  • Element of Trust
  • Built-in hackability
  • A lot of clutter

I found both the document and the video very interesting. The Sophos report shares how popular drive-by-downloads were in 2010, specifically for fake antivirus programs. In it, however, they make a very good point about why SEO attacks leverage existing sites. Although the document is dated, the comment is still important:

By hosting the SEO attack within a legitimate site, the attackers are able to piggyback on the reputation of that site, making it harder for the search engines to identify and remove the rogue links.

If you then watch the video, you hear Chris talk about how easy it was to identify SEP (search engine poisoning) attacks a few years back. They often shared very similar characteristics:

  • Large scale – link farms = wide coverage and high score
  • Very active
  • Easy to find “dangerous searches”

The challenge is how SEP has evolved. In our own experience, it is no longer this simple, and the majority of the SEP attacks revolve around pharmaceutical injections. A recent study actually discusses why the pharmaceutical affiliate marketing model has become so effective and highly coveted among blackhats today. If you’re wondering why, it’s because of how economically rewarding it is. That’s a post for another day though.

The good news is that the principles of these SEP attacks are still the same today. In 2010 Sophos described the following:

At the heart of the SEO attack is the ability to feed search engine crawlers content to index and redirect users to malicious sites.

Today that is still key, but the methods have evolved. We’re seeing highly complex malware injections that are intelligent, in that they adapt to the incoming traffic. Many target the IP ranges of search engines like Bing and Google, others are wrapped in conditional logic that only presents the injected content when specific conditions are met (a crawler user agent, a search engine referer), and yet others are tied into Command and Control nodes that dictate what the site should do on each visit.
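This conditional behaviour is exactly what makes these injections hard to spot from the site owner’s own browser: the clean page is the one the owner sees. A simple check is to request the same URL under several visitor identities and diff the results. The script below is an added example, not code from the original post or from Sucuri’s tooling. Its responses are constructed to model the behaviour described (example-charity.org and pharma-spam.example are placeholder hosts); in practice `fetch_sample` would be swapped for a real HTTP client that sends the headers listed under `headers_sent`.

```python
import re
from urllib.parse import urlparse

# Placeholder hostname for the site being checked (constructed, not a real site).
SITE_HOST = "example-charity.org"

# Constructed sample responses standing in for live fetches of one URL under
# three visitor identities. They are not captured traffic; they model the
# behaviour described in the post: a search engine crawler is served injected
# links, a visitor arriving from a search result is redirected off-site, and a
# direct visitor sees a clean page.
SAMPLE_RESPONSES = {
    "browser": {
        "headers_sent": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"},
        "status": 200,
        "headers": {},
        "body": '<html><body><h1>Welcome</h1><a href="/about">About</a></body></html>',
    },
    "googlebot": {
        "headers_sent": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
        "status": 200,
        "headers": {},
        "body": (
            '<html><body><h1>Welcome</h1><a href="/about">About</a>'
            '<div style="display:none"><a href="http://pharma-spam.example/cheap-pills">'
            'cheap pills</a></div></body></html>'
        ),
    },
    "from_google": {
        "headers_sent": {
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0",
            "Referer": "https://www.google.com/search?q=example+charity",
        },
        "status": 302,
        "headers": {"Location": "http://pharma-spam.example/landing"},
        "body": "",
    },
}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
REDIRECT_CODES = {301, 302, 303, 307, 308}


def fetch_sample(identity):
    """Stand-in for an HTTP client: returns (status, response headers, body)
    for the given visitor identity. A real client would send
    SAMPLE_RESPONSES[identity]["headers_sent"] to the live site."""
    r = SAMPLE_RESPONSES[identity]
    return r["status"], r["headers"], r["body"]


def external_links(body, site_host):
    """Absolute links in the body whose host is not the site itself."""
    links = set()
    for href in HREF_RE.findall(body):
        host = urlparse(href).netloc.lower()
        if host and host != site_host:
            links.add(href)
    return links


def detect_cloaking(fetch, site_host):
    """Fetch the page as a browser, as a crawler and as a search referral,
    then report what only the crawler or the referral sees."""
    b_status, _, b_body = fetch("browser")
    _, _, g_body = fetch("googlebot")
    r_status, r_headers, _ = fetch("from_google")

    report = {"injected_links": [], "hidden_block": False, "conditional_redirect": None}

    # Links the crawler sees that the browser does not: classic SEO spam.
    report["injected_links"] = sorted(
        external_links(g_body, site_host) - external_links(b_body, site_host)
    )

    # A hidden block present only in the crawler view is a strong signal.
    report["hidden_block"] = bool(HIDDEN_RE.search(g_body)) and not HIDDEN_RE.search(b_body)

    # A redirect off-site that fires only when the visitor arrives from a search engine.
    location = r_headers.get("Location", "")
    if r_status in REDIRECT_CODES and b_status == 200:
        target_host = urlparse(location).netloc.lower()
        if target_host and target_host != site_host:
            report["conditional_redirect"] = location
    return report


if __name__ == "__main__":
    for key, value in detect_cloaking(fetch_sample, SITE_HOST).items():
        print(f"{key}: {value}")
```

Header-based identities only catch the user-agent and referer variants. Injections keyed on the search engine’s IP ranges cannot be reproduced from your own machine this way; for those, compare your page against the search engine’s cached copy or its webmaster tools fetch.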

More and more of them however are integrating themselves into the Pharmaceutical affiliate model as described above. What is perhaps most interesting about this is that those sites are rarely distributing drive-by-download payloads. Instead they are being maintained in pristine condition with no other anomalies other than the improper redirection.

We are also seeing no real preference regarding the brand or traffic of the site. In fact, it appears that the attackers are more content with low-hanging fruit than with penetrating a high-ranking site with a well-known brand. This we find exceptionally interesting.

Many have undoubtedly experienced the impact of these SEP attacks. They often lead to the inevitable warning by Google, “This site may be compromised!” or “Something’s not right here!” We wrote a post describing these warnings earlier this year.

Unfortunately, there is no real solution to this problem. The threat landscape in which most websites live is just too large and most website owners really don’t care about it. That’s probably today’s biggest issue.

So where does that leave things today?

If you have any questions or comments about this post please leave a comment or send us an email at info@sucuri.net.


Categories: Website Security. Tags: Black Hat Tactics, Google, SEO Spam

About Tony Perez

Tony is the Head of Security Products at GoDaddy and Sucuri Co-Founder. His passion lies in educating and bringing awareness about online threats to business owners. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at perezbox.com and you can follow him on Twitter at @perezbox.

Comments

  1. frydmancom

    November 21, 2012

    We experienced one of these where the site was fine but then the Google links for the site showed up as links to male appendage enhancement sites. Not great for a health charity site. We traced it to a hacked htaccess file after looking at all the usual WordPress suspects! Now that’s on our checklist for odd happenings. If we can’t work it out, we send it to Sucuri!

    • Tony Perez

      November 21, 2012

      That’s awesome that you found it. The .htaccess files are always a good place to start. Check out my last post too as it wasn’t in the .htaccess but in the index.php file: https://blog.sucuri.net/2012/11/website-malware-sep-attack-spam-link-farm.html
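The .htaccess case described in the comments above lends itself to an automated check. The script below is an added example, not code from the post, the commenters or Sucuri: it groups each RewriteRule with the RewriteCond lines directly above it and flags rules that send visitors off-site, noting when the rule only fires for a search engine referer or a crawler user agent. The .htaccess content is constructed; the first block is the stock WordPress rewrite block and the trailing block models an injected redirect, with example-charity.org and pharma-spam.example as placeholder hosts.

```python
import re
from urllib.parse import urlparse

# Placeholder hostname for the site whose .htaccess is being audited.
SITE_HOST = "example-charity.org"

# Constructed .htaccess: the first block is the stock WordPress rewrite block,
# the block after "# END WordPress" models the kind of injected redirect the
# comment describes. pharma-spam.example is a placeholder host.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# (constructed) rules appended by the injection
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*(google|bing|yahoo)\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*googlebot.* [NC]
RewriteRule ^(.*)$ http://pharma-spam.example/landing [R=302,L]
"""

# Substrings that make a referer/user-agent condition look search-engine specific.
SEARCH_ENGINE_TERMS = ("google", "bing", "yahoo", "msn", "aol", "ask", "slurp", "bot")
TRIGGER_VARS = ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}")
# Matches the R or R=nnn flag inside a lower-cased flag list such as "r=302,l".
REDIRECT_FLAG_RE = re.compile(r"(^|,)r(=\d+)?(,|$)")


def parse_rewrite_blocks(text):
    """Group every RewriteRule with the RewriteCond lines directly above it.
    Apache only applies conditions that immediately precede a rule, so any
    other directive ends the chain."""
    blocks, conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append({"line": lineno, "var": parts[1], "pattern": parts[2]})
        elif directive == "rewriterule" and len(parts) >= 3:
            flags = parts[3].strip("[]").lower() if len(parts) > 3 else ""
            blocks.append({"line": lineno, "pattern": parts[1], "target": parts[2],
                           "flags": flags, "conds": conds})
            conds = []
        else:
            conds = []
    return blocks


def audit_htaccess(text, site_host):
    """Flag rewrite rules that send visitors off-site, and record whether the
    rule only fires for search engine referers or crawler user agents."""
    findings = []
    for block in parse_rewrite_blocks(text):
        target_host = urlparse(block["target"]).netloc.lower()
        external = bool(target_host) and target_host != site_host
        is_redirect = external or REDIRECT_FLAG_RE.search(block["flags"]) is not None
        if not is_redirect:
            continue
        triggers = sorted({
            c["var"].upper() for c in block["conds"]
            if c["var"].upper() in TRIGGER_VARS
            and any(term in c["pattern"].lower() for term in SEARCH_ENGINE_TERMS)
        })
        findings.append({
            "line": block["line"],
            "target": block["target"],
            "kind": "search_conditional_redirect" if triggers else "redirect",
            "triggers": triggers,
        })
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, SITE_HOST):
        print(f"line {f['line']}: {f['kind']} -> {f['target']} (triggers: {f['triggers']})")
```

Run it against the real file with `audit_htaccess(open(".htaccess").read(), "your-host")`. Anything after `# END WordPress` deserves a look on its own, since WordPress never writes there, and the same grouping logic applies to rules placed in subdirectory .htaccess files that are easy to overlook.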
