Monday, August 16, 2010

SEO Poisoning Attack

A Look Inside How It Works

One of the biggest risks that users run across during their everyday Internet browsing at the moment is what security researchers call search engine optimization poisoning, or SEO poisoning. Criminal hackers are taking advantage of our blind trust in popular search engines such as Google and Bing to trick us into clicking on malicious links.

The bad guys use blackhat SEO techniques to boost the page rankings of their bogus sites. As these higher-ranked sites start breaking into the top 10 and top 20 results of a popular search term, users are lured into trusting the links.

Capitalizing on anything from the Haiti earthquake to Mel Gibson's rants to the World Cup, these hackers use the links to bait users and then reel them in with malicious downloads. Users unwittingly click on a malicious link because they trust the search engine. Channel Insider examines just how SEO poisoning is carried out by these bad guys and how common it is to see malicious links within legitimate search results.

Step 1: Compromise legitimate web sites
These will be used to form the foundation of the attack.

Step 2: Create SEO-friendly fake pages related to popular search topics on compromised sites
In the past year hackers have taken advantage of user curiosity about the Olympics, the Haiti earthquake, Corey Haim's death, the World Cup and Mel Gibson's recent craziness to formulate their SEO poisoning attacks.

Step 3: Use Google Hot Trends to search for popular terms
Hackers leverage the hottest search terms and then stuff their fake pages with additional relevant key phrases that track well with the most common way users phrase their searches.

Step 4: Crosslink with other SEO poisoned pages to boost page rankings
Hackers work at scale, with a web of hundreds of crosslinked pages to ensure that their malicious sites make it to the top of the page rankings for any given search term.

Step 5: Cloak malicious content from spiders and security researchers
SEO poisoning attacks have been difficult to stymie because the hackers shield their attacks from search engine detection and security do-gooders. When a crawler views a poisoned page, it is served an alternative non-malicious page with relevant keywords and links to other poisoned pages. Traffic that doesn't come from a search engine is directed to non-malicious content.

Step 6: Deliver payload
If traffic does come from a search engine, hackers will serve up the bad content. Right now, researchers report that the bulk of SEO poisoning attacks are used to send users to a fake AV scan page to convince them to install bogus AV 'scareware.'
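
A site owner can test for the cloaking in Steps 5 and 6 by requesting the same URL as a crawler, as a direct visitor and as a search-referred visitor, then comparing what comes back. The sketch below is an added example, not code from the original article. The `fetch` callable, the `example` hostnames and the two stand-in sites are assumptions constructed so it runs offline.

```python
from urllib.parse import urlparse

# Request profiles for the three audiences named in Steps 5 and 6.
PROFILES = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                              "+http://www.google.com/bot.html)"},
    "direct": {"User-Agent": "Mozilla/5.0"},
    "search_referred": {"User-Agent": "Mozilla/5.0",
                        "Referer": "https://www.google.com/search?q=test"},
}

def similarity(a, b):
    """Jaccard overlap of the word sets of two page bodies (1.0 = same words)."""
    wa, wb = set(a.lower().split()), set(b.lower().split())
    return len(wa & wb) / len(wa | wb) if wa | wb else 1.0

def check_cloaking(url, fetch, threshold=0.5):
    """fetch(url, headers) -> (status, location, body). Returns a list of findings."""
    views = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    site = urlparse(url).hostname
    findings = []
    d_status, d_loc, d_body = views["direct"]
    for name in ("crawler", "search_referred"):
        status, loc, body = views[name]
        target = urlparse(loc).hostname if loc else None
        # An off-site redirect that the direct visitor does not get is the payload path.
        if 300 <= status < 400 and target not in (None, site) and loc != d_loc:
            findings.append(f"{name}: redirected off-site to {target}")
        elif similarity(body, d_body) < threshold:
            findings.append(f"{name}: content differs from direct visit")
    return findings

# Constructed stand-ins for real HTTP fetches (hypothetical hosts and content).
def cloaked_site(url, headers):
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, None, "world cup scores world cup highlights world cup video"
    if "google." in headers.get("Referer", ""):
        return 302, "http://scan.example.net/", ""
    return 200, None, "Welcome to our bakery. Fresh bread baked daily."

def clean_site(url, headers):
    return 200, None, "Welcome to our bakery. Fresh bread baked daily."

if __name__ == "__main__":
    print(check_cloaking("http://bakery.example.com/news.html", cloaked_site))
    print(check_cloaking("http://bakery.example.com/news.html", clean_site))
```

Cloaking that recognizes crawlers by source IP address rather than by User-Agent will not show up in the crawler profile; the search-referred comparison still applies.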

SEO Poisoning By The Numbers
Symantec found that on average 115 of the 300 most popular search terms contained at least 10% malicious links.

Users have a 1 in 3 chance of coming across a malicious link via searches, according to Symantec.

Typically, 15 links out of the first 70 results were malicious for search terms that were found to be poisoned, according to Symantec researchers.
