A recent study from F-Secure found that the incidence of SEO (Search Engine Optimization) poisoning attacks is growing, and that the attacks are becoming more dangerous. Yet many end users, and some network admins, do not even know about this threat. How can you protect your organization without crippling users' ability to conduct Internet searches? That's what we address in this article.
The Popularity of Search Engines
The amount of information on the web is vast, and without search engines we would have a hard time finding what we need. We have come a long way since the first Internet search tool, Archie, and the Gopher search tools Veronica and Jughead that followed it. Those gave way to "crawler" type search engines, starting with WebCrawler and followed by Magellan, Excite, AltaVista and Yahoo!. Since 2000, Google has dominated the search scene, although it has recently been challenged by Microsoft's Bing (the successor to MSN Search).
With all these search engines out there, returning results for millions of searches every day, they make a tantalizing target for attackers. One of the most popular ways to launch an attack or spread malware is to lure unsuspecting web surfers to a web site that hosts the malicious code. What better way to drive traffic to your drive-by download site than to manipulate the search engines so that your URLs displace the links to legitimate sites at the top of the results? Beyond taking users directly to malicious sites, SEO poisoning can be combined with a cross-site scripting flaw on a popular legitimate site, so that the poisoned link points at a trusted domain while the injected script does the redirecting.
How Search Engine Optimization Works
SEO is used by legitimate web sites to increase the amount of traffic to their sites. When a user searches for a keyword or phrase, he/she often doesn't look beyond the first page or two of returns. The higher up on the list your web site falls, the more likely it is that the searcher will visit your site. The term SEO has been around since the late 90s, when web designers first started paying attention to how they could get their sites at the top of the search engines' lists. Early on, it was easy to manipulate search results by inserting popular keywords in a web page's metadata, but search engine algorithms became more sophisticated to prevent this.
Today, search engines keep their ranking criteria a closely guarded secret. Google reportedly uses more than 200 factors. Search Engine Optimizers use several different methods, such as:
- Cross linking between pages of the same web site
- "Keyword stuffing" (which means repeating popular key words in the meta tags or in the content itself, often in a form that's hidden from the site visitors by coloring it to blend with the background or by placing it behind images). Web pages that have been "stuffed" are sometimes referred to as "poisoned pages."
- "Comment spam" (posting links to a site in the comments of many blogs), one form of the broader practice of search engine spam known as "spamdexing"
- "Link farming" (a group of websites that all link to every other site in the group)
Search engines publish guidelines for acceptable methods to improve a site's ranking. Using methods that fall outside those guidelines is considered unscrupulous. Attempting to game the search engine algorithms is sometimes called "Blackhat SEO" when such unsavory tactics are used to drive more traffic to a site. It becomes SEO poisoning when that site is a malicious site.
SEO poisoning is part of what might be thought of as Attack 2.0; that is, it's part of an increasingly sophisticated cadre of techniques being used by the bad guys. The poisoners usually focus on the most popular search terms, in order to target the most victims. It's estimated that more than 10 percent of search results for Google's highest-ranked web sites are malicious sites. Recently, SEO attacks have been targeting searches for information about the Apple iPad, due to the popularity of that topic. But now that those attacks have become known, the SEO attackers will quickly move on to the next hot topic - that ability is key to their success.
Attackers are now using automated tools that make it easier for them to use the Blackhat SEO methods to exploit the big news stories of the day. Adding insult to injury, often these are stories that deal with some sort of tragedy: the Tiger Woods debacle, the recent earthquakes, the suicide bombing in Moscow, celebrity deaths, etc. Anything that gets a lot of hits becomes fair game for the malware distributors.
Many of the SEO "kits" used by attackers (applications, usually written as PHP scripts, that generate poisoned pages to redirect site visitors to malicious sites) can differentiate between a regular user visiting a web site directly, someone arriving from a search engine link, and a search engine crawler, typically by inspecting the User-Agent and Referer request headers. The crawler is served the keyword-stuffed page so that it gets indexed; the user who arrives from a search result is redirected to the malicious site; the direct visitor usually sees the original page, which is why the owner of the compromised site often notices nothing. A recent research paper from Sophos, titled Poisoned Search Results: How Hackers have Automated Search Engine Poisoning Attacks to Distribute Malware, describes the automation process.
How do attackers compromise the legitimate web sites to insert their redirection tools? In some cases, they exploit vulnerabilities in the content management system. In other cases, they may compromise the site(s) via vulnerabilities in the hosting web server. After the attacker is able to penetrate the site, he uploads and installs the SEO application. This application generates SEO pages dynamically and extracts text from the search results, using any major search engine. The latest "hot" keywords can be found in such resources as Google Trends. Metadata is extracted from the search engine results and added to the links on SEO pages. The generated content can also be cached by the SEO kit.
The SEO page links to other SEO pages so they'll be indexed, and/or links to the SEO pages are posted on other legitimate web sites in forums, blog comments sections, guest books, social networking status updates, and so forth. This gets the pages indexed by the search engine crawlers.
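The visitor classification the kits perform, together with the check a defender can run against a suspect page (request it as a crawler, as a search-referred user and as a direct visitor, and compare the answers), as an added example. This is not code from the Sophos paper or from any kit; the crawler and referrer pattern lists are deliberately short, the "malicious.example" host is hypothetical, and the two fetch functions stand in for a real HTTP client so the example runs offline.

```python
import re
from urllib.parse import urlparse

# Constructed, deliberately short pattern lists; a real kit ships hundreds.
CRAWLER_UA = re.compile(r"googlebot|bingbot|msnbot|slurp|yandexbot|baiduspider", re.I)
SEARCH_HOST = re.compile(r"(^|\.)(google|bing|yahoo|ask|aol)\.", re.I)


def classify_visitor(headers):
    """The kit's first decision: who is asking? Returns 'crawler', 'search_user' or 'direct'."""
    if CRAWLER_UA.search(headers.get("User-Agent", "")):
        return "crawler"
    referrer_host = urlparse(headers.get("Referer", "")).netloc
    if SEARCH_HOST.search(referrer_host):
        return "search_user"
    return "direct"


def simulated_kit(url, headers):
    """Constructed stand-in for a page on a compromised site running an SEO kit.
    Returns (status, body) chosen per visitor class, as the kit would."""
    kind = classify_visitor(headers)
    if kind == "crawler":        # feed the indexer keyword-stuffed HTML
        return 200, "<html><title>ipad ipad ipad review deals</title>...stuffed text...</html>"
    if kind == "search_user":    # bounce the victim to the payload site (hypothetical host)
        return 302, "Location: http://malicious.example/landing"
    return 200, "<html><title>Company News</title>...original page...</html>"


def simulated_clean(url, headers):
    """Constructed stand-in for an uncompromised page: the same answer for everyone."""
    return 200, "<html><title>Company News</title>...original page...</html>"


# Three request personas; the Googlebot UA string is the one Google documents.
PERSONAS = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "search_user": {"User-Agent": "Mozilla/5.0", "Referer": "http://www.google.com/search?q=ipad"},
    "direct": {"User-Agent": "Mozilla/5.0"},
}


def detect_cloaking(fetch, url):
    """Request the same URL under each persona; differing answers mean the page cloaks.
    `fetch(url, headers)` returns (status, body); plug in a real HTTP client for live checks."""
    responses = {name: fetch(url, hdrs) for name, hdrs in PERSONAS.items()}
    cloaked = len(set(responses.values())) > 1
    return cloaked, responses


if __name__ == "__main__":
    for name, fn in (("kit", simulated_kit), ("clean", simulated_clean)):
        cloaked, responses = detect_cloaking(fn, "http://www.example.com/news.php")
        print(name, "cloaked:", cloaked)
        for persona, (status, body) in responses.items():
            print("  ", persona, status, body[:50])
```

For a live check, replace the simulated fetch with urllib against your own site. Two caveats: legitimate sites also vary output by User-Agent (mobile layouts, for instance), so compare titles and link sets rather than whole bodies; and some kits also key on the source IP ranges of the search engines or redirect only once per session, so a single fetch from your own network can miss a cloaked page that a crawler or a victim would see.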
How to Protect Against SEO Attacks
How can your organization protect against SEO attacks? The biggest problem is that traditional protections against web-based attacks, such as URL filtering, may not be effective, because the redirects originate from legitimate web sites that a URL filter has no reason to block. Content inspection and filtering and payload detection work better, because they act on the malicious content itself before it reaches the user.
Educate users about some of the common tactics used by SEO attackers. For example, poisoned pages may redirect users to "scareware portals," where they will be assailed with fake virus alerts and prompts to install a bogus anti-virus program that is really malicious code. Users should also be cautioned, when seeking news about "hot" topics, not to rely on search engines but to go directly to reputable news sources by typing the news outlet's URL directly into the browser. Other tips include enabling browser security features, especially if visiting a website that you don't know and trust, and never clicking "Yes" or "OK" when suddenly asked to install anti-virus or malware protection. Admins should make sure that users' operating systems have all security updates installed and that all machines are running anti-virus and anti-malware software.
Companies hosting their own sites should monitor and secure their web servers to ensure they don't become conduits for these attacks, as an organization's reputation can be damaged when its sites become involved in SEO schemes. Note that in addition to redirecting visitors from your site to a malware site, attackers may insert inaccurate keywords or meta tags into your pages, making it appear that you are using black hat SEO techniques. This can result in sanctions against your site from the major search engines, such as a lowering of your page rank. Thus it's vitally important that your web servers and web applications be properly configured and patched to prevent cross-site scripting and the other attacks used by SEO attackers.
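An audit a site owner can run over their own pages to catch the injections described above (an off-site meta refresh, a referrer-checking JavaScript redirect, hidden keyword blocks and hidden off-site links, and a stuffed keywords meta tag), added here as an example; it is not from the article or from any product. The two sample pages, the word-count and keyword-count thresholds and the "malicious.example" host are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never get a closing tag, so they must not touch the nesting stack.
VOID_TAGS = {"meta", "link", "img", "br", "hr", "input", "area", "base", "col", "embed", "source", "wbr"}
# Inline styles used to hide stuffed text from humans (spaces are stripped before matching).
HIDDEN_STYLE = re.compile(r"display:none|visibility:hidden|(?:left|top|text-indent):-\d{3,}px")
# Script that consults the referrer and then navigates: the client-side form of the redirect.
REDIRECT_JS = re.compile(r"document\.referrer[\s\S]{0,200}?(?:location|window\.open)", re.I)


class PageAuditor(HTMLParser):
    """Flags common traces of an SEO kit in one HTML document. Thresholds are assumptions."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._stack = []          # one "is hidden" flag per currently open element
        self._hidden_words = 0
        self._in_script = False
        self._script = []

    def _offsite(self, url):
        host = urlparse(url).netloc.lower()
        return bool(host) and host != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = bool(HIDDEN_STYLE.search(style)) or bool(self._stack and self._stack[-1])
        if tag not in VOID_TAGS:
            self._stack.append(hidden)
        if tag == "meta":
            if a.get("http-equiv", "").lower() == "refresh":
                m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
                if m and self._offsite(m.group(1)):
                    self.findings.append(("meta-refresh-offsite", m.group(1)))
            elif a.get("name", "").lower() == "keywords":
                n = len([w for w in a.get("content", "").split(",") if w.strip()])
                if n > 20:   # assumed threshold
                    self.findings.append(("keyword-stuffed-meta", n))
        elif tag == "a" and hidden and self._offsite(a.get("href", "")):
            self.findings.append(("hidden-offsite-link", a.get("href", "")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()
        if tag == "script":
            self._in_script = False
            js, self._script = "".join(self._script), []
            if REDIRECT_JS.search(js):
                self.findings.append(("referrer-based-redirect", " ".join(js.split())[:80]))

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)
        elif self._stack and self._stack[-1]:
            self._hidden_words += len(data.split())

    def report(self):
        self.close()
        if self._hidden_words > 30:   # assumed threshold
            self.findings.append(("hidden-text-block", self._hidden_words))
        return self.findings


def audit_page(html, site_host):
    """Return a list of (finding, detail) tuples for one page; an empty list means nothing suspicious."""
    auditor = PageAuditor(site_host)
    auditor.feed(html)
    return auditor.report()


# Constructed sample pages. The "malicious.example" host is hypothetical.
SAMPLE_INJECTED = """<html><head><title>Company News</title>
<meta name="keywords" content="%s">
<meta http-equiv="refresh" content="0; url=http://malicious.example/landing">
<script>if (document.referrer.match(/google|bing|yahoo/)) { window.location = "http://malicious.example/landing"; }</script>
</head><body><h1>Company News</h1><p>Our real content.</p>
<div style="position:absolute; left:-9999px">%s <a href="http://malicious.example/seo">cheap ipad</a></div>
</body></html>""" % (",".join("ipad term %d" % i for i in range(25)), " ".join(["ipad"] * 40))

SAMPLE_CLEAN = """<html><head><title>Company News</title>
<meta name="keywords" content="company,news,press">
<script>var page = "news";</script></head>
<body><div style="display:none">Menu</div><p>Our real content, see <a href="http://www.partner.example/">our partner</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_INJECTED, "www.example.com"):
        print(kind, detail)
    print("clean page findings:", audit_page(SAMPLE_CLEAN, "www.example.com"))
```

Run this over the HTML your server actually emits, not only the files in the document root: a kit that cloaks serves the stuffed page only to crawlers, so fetch with a crawler User-Agent (or audit the PHP files on disk, and compare their hashes against a known-good deployment) before concluding a page is clean. Short hidden elements such as collapsed menus are normal, which is why the hidden-text check uses a word count rather than flagging every hidden element.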