Website Malware – SEO Poisoning Spam

Lately, we’ve been seeing a lot of SEO poisoning cases and felt it necessary to spend a little more time explaining them.

SEO (Search Engine Optimization) is all the rave these days. Anybody that owns a website and is trying to make an impact or working to improve their traffic has heard the term, and undoubtedly have become an SEO expert. If you’re not familiar with SEO, here is your quick definition:

…the process of affecting the visibility of a website or a web page in a search engine’s “natural” or un-paid (“organic”) search results.. – Source: Wikipedia

Many organizations will actually enlist the help of marketing consultants to assist in this optimization process. Ranking on the first page is highly coveted by many. In essence, if you are able to rank on the first page for a specific keyword, phrase, subject, etc. then you have the ability to generate a lot of traffic to your site. This in turn increasing the odds of visits. If you’re an ecommerce site, this equates to purchases. And if you’re a services company, this often equates to new clients. The idea is simple and highly effective. What is even better is that most search engines like Bing, Yahoo, and Google offer set criteria designed to improve your ranking within their searches.

It all sounds pretty awesome right?

Unfortunately, you’re not the only one who knows this. Today, SEO spam is one of the top five attacks we’re seeing on the web, and it’s quickly pushing its way up to number one. SEO attacks becoming so prevalent, we felt the need to do some homework to better understand them.

In the process we found a great paper by Sophos from 2010 and a great video by Chris Larson of Bluecoat.

In the video Chris explains why SEO attacks are so valuable to attackers:

• Tons of traffic = lots of potential victims.
• Users are in “explore mode”
• Element of Trust
• Built-in hackability
• A lot of clutter

I found both the document and video very interesting. The Sophos report shares how popular drive-by-downloads were in 2010, specifically for fake antivirus programs. In it however, they make a very good point about why SEO attacks are leveraging existing sites. Although the document is dated, the comment is still important:

By hosting the SEO attack within a legitimate site, the attackers are able to piggyback on the reputation of that site, making it harder for the search engines to identify and remove the rogue links.

If you then watch the video, you hear Chris talk about how easy it was identifying SEP (search engine poisoning) attacks a few years back. They often maintained very similar characteristics:

• Large scale – links farms = wide coverage and high score
• Very active
• Easy to find “dangerous searches”

The challenge with that is how SEP has evolved. In our own experience, it is no longer this simple, and the majority of the SEP attacks revolve around pharmaceutical injections. A recent study actually discusses why the pharmaceutical affiliate marketing model has become so effective and highly coveted with blackhats today. If you’re wondering why, it’s because of how economically rewarding it is. That’s a post for another day though.

The good news is that principles of these SEP attacks are still the same today. In 2010 Sophos described the following:

At the heart of the SEO attack is the ability to feed search engine crawlers content to index and redirect users to malicious sites.

Today that is still key, but their methods have evolved. We’re seeing highly complex malware injections that are intelligent by being able to adapt to incoming traffic. Many are targeting the search engine IPs like Bing and Google, while others are being wrapped into conditional logic that only presents itself when specific conditions are met, and yet others are being tied into Command and Control nodes that are dictating what the site should do on visit.

More and more of them however are integrating themselves into the Pharmaceutical affiliate model as described above. What is perhaps most interesting about this is that those sites are rarely distributing drive-by-download payloads. Instead they are being maintained in pristine condition with no other anomalies other than the improper redirection.

We are also seeing no real preference on the brand or traffic of the site. In fact it appears that they are more than content with low-hanging fruit than they are in penetrating a high-ranking site with a well-known brand. This we find exceptionally interesting.

Many have undoubtedly experienced the impact of these SEP attacks. They often lead to the inevitable warning by Google, “This site may be compromised!” or “Something’s not right here!” We wrote a post describing these warnings earlier this year.

Unfortunately, there is no real solution to this problem. The threat landscape in which most websites live is just too large and most website owners really don’t care about it. That’s probably today’s biggest issue.

So where does that leave things today?

If you have any questions or comments about this post please leave a comment or send us an email at info@sucuri.net.